iptables - how to block some IP-addresses
Hello everybody! :-) Looks like I need help with iptables... I have a task: I should block some network resources for all users in the office. So there is a network gateway (Linux based) and this iptables script:
Code:
*filter
-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -i eth1 -p tcp -m tcp --dport 3390 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.20:3390
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT
There are 2 networks: 192.168.1.0/24 (office machines) and 192.168.0.0/24 ("real world"). So there is NAT and 2 port redirections only on this gateway now. And the policy is ACCEPT (all the chains). So I need to drop packets to some real IP, for example 8.8.8.8 - what rule should I write? Please help :-)
A good solution for not understanding iptables might be to use webmin to edit the iptables firewall. That's how I did it before (and still do sometimes). It will certainly help you get your head around the concept before actually editing the iptables config.
But to answer more directly, I believe you would add, for example:
Code:
-A INPUT -s 8.8.8.8 -j DROP
Code:
-A INPUT -s 8.8.8.8 -i eth0 -j DROP
Quote:
*filter
-A INPUT -s 8.8.8.8 -i eth1 -j DROP
-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -i eth1 -p tcp -m tcp --dport 3390 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 192.168.0.178/32 -i eth1 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.20:3390
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT
And why INPUT, not OUTPUT? Cause I need to block outgoing traffic to IP 8.8.8.8...
Okay then, since you want outgoing stopped, it might be: (also, I'm not the know-it-all here, mind you)
Code:
-A OUTPUT -d 8.8.8.8 -j REJECT
I added 9.9.9.9 to mine via webmin just to test and it looks like this (with all my custom stuff removed):
Code:
$ sudo cat /etc/iptables.up.rules
Good luck.
You know - if I add this string:
Code:
-A OUTPUT -d 9.9.9.9 -i eth0 -j REJECT
ssh is not responding now :-(
Also, no reason (that I know) that should have stopped ssh.
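The thread never settles which chain the block rule belongs in or where it has to sit. On a gateway, OUTPUT only filters packets the gateway itself originates; traffic the office machines send through it traverses FORWARD, and since iptables stops at the first matching rule, a DROP appended with -A after the blanket ACCEPT never fires. The following is an added example, not code from the thread: a toy first-match evaluator for the OP's FORWARD chain (the office host 192.168.1.50 and the DNS query are constructed) that shows both effects.

```python
# Added example (not from the thread): a toy first-match evaluator for the
# FORWARD chain, to show why the block rule's chain and position matter.
import ipaddress
import shlex

def parse_rule(line):
    """Parse one iptables-restore line into its match criteria and target."""
    toks, rule, i = shlex.split(line), {"chain": None, "target": None}, 0
    while i < len(toks):
        t, v = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if t == "-A": rule["chain"] = v
        elif t in ("-s", "-d"): rule[t] = ipaddress.ip_network(v, strict=False)
        elif t in ("-i", "-o", "-p"): rule[t] = v
        elif t == "--dport": rule[t] = int(v)
        elif t == "--state": rule[t] = set(v.split(","))
        elif t == "-j": rule["target"] = v
        else: i -= 1            # flags without a value here (-m tcp, -m state ...)
        i += 2
    return rule

def matches(rule, pkt):
    """True if every criterion in the rule matches the packet dict."""
    for k in ("-i", "-o", "-p", "--dport"):
        if k in rule and rule[k] != pkt.get(k): return False
    for k in ("-s", "-d"):
        if k in rule and ipaddress.ip_address(pkt[k]) not in rule[k]: return False
    return "--state" not in rule or pkt.get("--state", "NEW") in rule["--state"]

def verdict(rules, pkt, chain="FORWARD", policy="ACCEPT"):
    """First matching rule in the chain wins; otherwise the chain policy applies."""
    for r in rules:
        if r["chain"] == chain and matches(r, pkt): return r["target"]
    return policy

def load(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

OP_FORWARD = """
-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -i eth1 -p tcp -m tcp --dport 3390 -j ACCEPT
"""
BLOCK = "-A FORWARD -d 8.8.8.8 -i eth0 -o eth1 -j DROP\n"
# Constructed packet: an assumed office host 192.168.1.50 querying 8.8.8.8.
OFFICE_TO_DNS = {"-s": "192.168.1.50", "-d": "8.8.8.8", "-i": "eth0", "-o": "eth1",
                 "-p": "udp", "--dport": 53}
appended = load(OP_FORWARD + BLOCK)    # -A: DROP sits after the blanket ACCEPT
inserted = load(BLOCK + OP_FORWARD)    # -I FORWARD 1: DROP is evaluated first
output_only = load(OP_FORWARD + "-A OUTPUT -d 8.8.8.8 -j REJECT\n")  # wrong chain
```

verdict(appended, OFFICE_TO_DNS) and verdict(output_only, OFFICE_TO_DNS) both return ACCEPT, while verdict(inserted, OFFICE_TO_DNS) returns DROP; on the real gateway the equivalent is `iptables -I FORWARD 1 -d 8.8.8.8 -i eth0 -o eth1 -j DROP`.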