* Denying access to a public IP
@ 2003-05-12 17:49 Chris
2003-05-12 21:37 ` Chris
0 siblings, 1 reply; 2+ messages in thread
From: Chris @ 2003-05-12 17:49 UTC
To: Netfilter/IPTables Mailing List
All,
well, I just set up a Linux router for myself. for the improved security,
dedicated box, etc. anyway....
every once in a while I'll find an IP addy that I want/need to block, either
cuz I don't want them CONSTANTLY trying to do code red on my IIS server
which HAS BEEN PATCHED, or, they just make me mad.
so... using the "iptables -A INPUT -f -d 192.168.1.1 -j DROP" command would
be a good way to do it, correct?
FYI, I'm using a hardened version of RH 7.2, commonly known as IPCop v1.3.0
Fixes 1 and 2. I have it set up for GREEN + ORANGE + RED. It uses IPTables.
GREEN (LAN) = eth0
ORANGE (DMZ) = eth1
RED (WAN) = eth2
Here's what I've tried to do:
First, I try to drop all ICMP packets (pings). Had trouble with that until I
deleted the "ACCEPT icmp -- anywhere anywhere" rule and added a DENY for
ICMP in INPUT.
So... my current problem is trying to deny access to certain IPs. But the
"iptables -A INPUT -f -d 192.168.1.1 -j DROP" for whatever reason doesn't
work. I mean it works and adds the rule, but the host can still access my
firewall. my INPUT rule file is below:
Chain INPUT (policy DROP)
target       prot opt source    destination
ipac~o       all  --  anywhere  anywhere
PSCAN        tcp  --  anywhere  anywhere     tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
PSCAN        tcp  --  anywhere  anywhere     tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
             tcp  --  anywhere  anywhere     tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
CUSTOMINPUT  all  --  anywhere  anywhere
ACCEPT       all  --  anywhere  anywhere     state RELATED,ESTABLISHED
ACCEPT       all  --  anywhere  anywhere
ACCEPT       all  --  anywhere  anywhere
ACCEPT       all  --  anywhere  anywhere
RED          all  --  anywhere  anywhere
XTACCESS     all  --  anywhere  anywhere
LOG          all  --  anywhere  anywhere     limit: avg 10/min burst 5 LOG level warning prefix `INPUT '
DROP         icmp --  anywhere  anywhere
so... do I need to delete another rule? or what am I doing wrong?
Chris
ImplexantSystems.com <http://www.implexantsystems.com>
chris@implexantsystems.com
* RE: Denying access to a public IP
2003-05-12 17:49 Denying access to a public IP Chris
@ 2003-05-12 21:37 ` Chris
0 siblings, 0 replies; 2+ messages in thread
From: Chris @ 2003-05-12 21:37 UTC
To: 'Netfilter/IPTables Mailing List'
Figured it out!
The "iptables -A INPUT -f -d 192.168.1.1 -j DROP" is an incorrect command,
since -f specifies only fragmented packets and -d specifies destination IP,
whereas I need the source IP. I also needed the -A to be a -I because I need the
rule to be at the top of the table so it reads it first.
the correct command is "iptables -I INPUT -s 192.168.1.1 -j DROP" and it
works great!
Chris
ImplexantSystems.com <http://www.implexantsystems.com>
chris@implexantsystems.com
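
The rule-matching and ordering points from the follow-up message, as an added example that is not part of the original posts: a small Python model of first-match chain traversal. The firewall address, the second source address and the single ACCEPT rule standing in for the earlier rules in the listing are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BLOCKED = "192.168.1.1"      # address used in the thread's commands
FIREWALL = "203.0.113.10"    # constructed address for the router's RED interface

@dataclass
class Packet:
    src: str
    dst: str
    later_fragment: bool = False   # the only packets an -f rule can match

@dataclass
class Rule:
    target: str
    src: str = "0.0.0.0/0"         # -s
    dst: str = "0.0.0.0/0"         # -d
    fragments_only: bool = False   # -f

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (pkt.later_fragment or not self.fragments_only))

def verdict(chain, pkt, policy="DROP"):
    """First matching rule decides; the chain policy applies only if none match."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# Constructed stand-in for the earlier rules in the listing that admit the traffic.
EXISTING = [Rule("ACCEPT", dst=FIREWALL)]

def append(rule):   # models: iptables -A INPUT ...
    return EXISTING + [rule]

def insert(rule):   # models: iptables -I INPUT ...
    return [rule] + EXISTING

probe = Packet(src=BLOCKED, dst=FIREWALL)
first_try = verdict(append(Rule("DROP", dst=BLOCKED, fragments_only=True)), probe)
appended = verdict(append(Rule("DROP", src=BLOCKED)), probe)
inserted = verdict(insert(Rule("DROP", src=BLOCKED)), probe)
other_host = verdict(insert(Rule("DROP", src=BLOCKED)), Packet("198.51.100.7", FIREWALL))

if __name__ == "__main__":
    print(first_try, appended, inserted, other_host)
```

On a live system, `iptables -L INPUT -n -v --line-numbers` shows the rule position and per-rule packet counters, which confirms whether the DROP rule is actually being hit.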