From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Chris"
Subject: RE: Denying access to a public IP
Date: Mon, 12 May 2003 14:37:23 -0700
Sender: netfilter-admin@lists.netfilter.org
To: 'Netfilter/IPTables Mailing List'
Message-ID: <010d01c318ce$ace60070$0400000a@implexantsystems.com>
In-Reply-To: <00d401c318ae$c74ffcb0$0400000a@implexantsystems.com>
References: <00d401c318ae$c74ffcb0$0400000a@implexantsystems.com>

Figured it out!

The "iptables -A INPUT -f -d 192.168.1.1 -j DROP" is an incorrect command, since -f specifies only fragmented packets and -d specifies the destination IP, whereas I need the source IP. I also needed the -A to be a -I because I need the rule to be at the top of the table so it reads it first.

The correct command is "iptables -I INPUT -s 192.168.1.1 -j DROP" and it works great!

Chris
ImplexantSystems.com
chris@implexantsystems.com

-----Original Message-----
From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Chris
Sent: Monday, May 12, 2003 10:49 AM
To: Netfilter/IPTables Mailing List
Subject: Denying access to a public IP

All,

Well, I just set up a Linux router for myself, for the improved security, dedicated box, etc. Anyway...

Every once in a while I'll find an IP addy that I want/need to block, either cuz I don't want them CONSTANTLY trying to do Code Red on my IIS server, which HAS BEEN PATCHED, or they just make me mad.

So... using the "iptables -A INPUT -f -d 192.168.1.1 -j DROP" command would be a good way to do it, correct?

FYI, I'm using a hardened version of RH 7.2, commonly known as IPCop v1.3.0 Fixes 1 and 2. I have it set up for GREEN + ORANGE + RED. It uses IPTables.

GREEN (LAN) = eth0
ORANGE (DMZ) = eth1
RED (WAN) = eth2

Here's what I've tried to do:

First, I try to drop all ICMP packets (pings). Had trouble with that until I deleted the "ACCEPT icmp -- anywhere anywhere" rule and added a DENY for ICMP in INPUT.

So... my current problem is trying to deny access to certain IPs. But the "iptables -A INPUT -f -d 192.168.1.1 -j DROP" for whatever reason doesn't work. I mean it works and adds the rule, but the host can still access my firewall. My INPUT rule file is below:

Chain INPUT (policy DROP)
target       prot opt source               destination
ipac~o       all  --  anywhere             anywhere
PSCAN        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
PSCAN        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
             tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
CUSTOMINPUT  all  --  anywhere             anywhere
ACCEPT       all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT       all  --  anywhere             anywhere
ACCEPT       all  --  anywhere             anywhere
ACCEPT       all  --  anywhere             anywhere
RED          all  --  anywhere             anywhere
XTACCESS     all  --  anywhere             anywhere
LOG          all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `INPUT '
DROP         icmp --  anywhere             anywhere

So... do I need to delete another rule? Or what am I doing wrong?

Chris
ImplexantSystems.com
chris@implexantsystems.com

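The fix in the reply above boils down to three things: match on -s rather than -d, leave out -f (it matches only second-and-further fragments, so an ordinary unfragmented packet never hits the rule), and insert the DROP ahead of the "ACCEPT all -- anywhere anywhere" rules with -I, because a chain is evaluated first-match and an appended rule sits behind them. The script below is an added example that wraps those points in a reusable form; it is not code from the original post nor from IPCop. It assumes it is run as root on a Linux box with iptables in the path (the binary can be overridden through the IPTABLES variable), that the iptables build understands -C (added in 1.4.11, so not the 2003-era version in the post), and the script name blockip.sh is made up. It also adds the DROP to FORWARD, which the thread does not mention: on a router, packets bound for hosts behind it (such as a DMZ web server) traverse FORWARD, not INPUT, and INPUT only sees packets addressed to the firewall itself.

```sh
#!/bin/sh
# blockip.sh -- drop all traffic from one source address with iptables.
# Added example for this thread; not code from the original post or from
# IPCop. Assumes: run as root, iptables in $PATH (override with IPTABLES=),
# and an iptables >= 1.4.11 so that -C (rule check) exists.
#
# What it bakes in from the thread:
#   -s, not -d  : match the offending SOURCE address.
#   no -f       : -f matches only second-and-further fragments, so a normal
#                 unfragmented packet would never hit the rule.
#   -I CHAIN 1  : insert at the head (1 is also the default for -I). Chains
#                 are first-match and the posted INPUT chain has
#                 "ACCEPT all anywhere anywhere" rules, so an appended (-A)
#                 DROP is never reached.
#   FORWARD too : transit traffic to hosts behind a router goes through
#                 FORWARD; INPUT only sees packets addressed to the box.

IPTABLES="${IPTABLES:-iptables}"

# valid_ipv4 ADDR: succeed only for a dotted quad with four octets 0-255.
# Anything else (including text that would smuggle extra iptables
# arguments into the command line) is rejected.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    # Split on '.' inside a subshell so the caller's IFS is untouched.
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
        done
    )
}

# rules_for ADDR: print, one per line, the iptables commands block_ip runs.
# Useful as a dry run for review before touching a production box.
rules_for() {
    valid_ipv4 "$1" || return 2
    for chain in INPUT FORWARD; do
        printf 'iptables -I %s 1 -s %s -j DROP\n' "$chain" "$1"
    done
}

# block_ip ADDR: insert the DROP at the head of INPUT and FORWARD.
# Re-running is safe: -C checks for the rule before inserting, so repeated
# runs do not stack duplicate rules.
block_ip() {
    valid_ipv4 "$1" || { echo "block_ip: invalid IPv4 address '$1'" >&2; return 2; }
    for chain in INPUT FORWARD; do
        "$IPTABLES" -C "$chain" -s "$1" -j DROP 2>/dev/null && continue
        "$IPTABLES" -I "$chain" 1 -s "$1" -j DROP || return 1
    done
}

# unblock_ip ADDR: remove the rules block_ip added (no error if absent).
unblock_ip() {
    valid_ipv4 "$1" || return 2
    for chain in INPUT FORWARD; do
        "$IPTABLES" -D "$chain" -s "$1" -j DROP 2>/dev/null || true
    done
    return 0
}

# Usage: ./blockip.sh block|unblock|show ADDR
case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
    show)    rules_for "$2" ;;
    *)       ;;   # no arguments (or sourced): only define the functions
esac
```

After running it, "iptables -L INPUT -n --line-numbers | head" should show the DROP at line 1, above the ACCEPT rules; if it is further down, something re-inserted ahead of it and it will be shadowed again. Hand-inserted rules live only in kernel memory, so they vanish on reboot or whenever the firewall distribution rebuilds its chains; re-run the script from whatever startup hook the distribution provides.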