Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Originally posted by nixcraft Use iptables to block the traffic; something like the following should help you:
iptables -A INPUT -s IP-ADDRESS -j DROP
iptables -A OUTPUT -d IP-ADDRESS -j DROP
However, iptables is serious business, you should read the man page!
that is correct, but if you're gonna input those commands into the command line you should use a "-I" instead of an "-A" to make sure the rules go to the top of the chain and hence the packets won't get accepted by any other rules before they hit the DROP...
Code:
iptables -I INPUT -s IP-ADDRESS -j DROP
BTW, you don't really need to add a DROP for the IP to the OUTPUT chain...
Quote:
Originally posted by win32sux that is correct, but if you're gonna input those commands into the command line you should use a "-I" instead of an "-A" to make sure the rules go to the top of the chain and hence the packets won't get accepted by any other rules before they hit the DROP...
Code:
iptables -I INPUT -s IP-ADDRESS -j DROP
-A will append the rule to the existing rule set, that is why you need it. I assumed that some other rules already exist, like -P to drop everything.
Quote:
BTW, you don't really need to add a DROP for the IP to the OUTPUT chain...
You need the OUTPUT rule too.. that is added security
Originally posted by nixcraft -A will append the rule to the existing rule set, that is why you need it. I assumed that some other rules already exist, like -P to drop everything.
that is precisely why you should use "-I" instead of "-A" if you do this from the CLI... it makes sure that EVERY packet from that IP will go to DROP... if you do "-A" from the CLI it's still possible for a packet from that IP to get sent to ACCEPT because it matches one of the rules above... the policy (-P) has nothing to do with it... look at this example (just a stupid "proof of concept"):
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
if you have the above ruleset active, and you run this command from the CLI:
Code:
iptables -A INPUT -s IP-ADDRESS -j DROP
then the active ruleset would change to:
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -s IP-ADDRESS -j DROP
so as you can see, IP-ADDRESS would STILL be able to connect to port 22/TCP...
but if you use "-I" when you execute the command, like:
Code:
iptables -I INPUT -s IP-ADDRESS -j DROP
you'd end-up with this instead:
Code:
iptables -P INPUT DROP
iptables -A INPUT -s IP-ADDRESS -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
now IP-ADDRESS would NOT be able to connect AT ALL because the packet would go to DROP as soon as it enters the chain - before it can be accepted by any other rule...
Quote:
You need the OUTPUT rule too.. that is added security
it's a nice option that you have available - but you don't "need" to do it...
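The ordering argument above can be checked without touching a real firewall. The following is an added example, not code from the thread or from iptables: a small Python model of a single iptables chain with first-match evaluation and a default policy, where append() stands for -A and insert() for -I (which defaults to rule position 1, as real iptables does). The address 192.0.2.10 is a constructed, documentation-range value standing in for IP-ADDRESS, and the packets are constructed too. It reproduces both rulesets from the post and shows the verdict each one gives a NEW SSH connection from the blocked address.

```python
"""Toy model of iptables first-match chain traversal (added example, not iptables code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Packet:
    src: str                      # source address
    proto: str = "tcp"
    dport: Optional[int] = None
    state: str = "NEW"            # conntrack state: NEW, ESTABLISHED, RELATED


@dataclass
class Rule:
    target: str                   # ACCEPT or DROP
    src: Optional[str] = None     # -s
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport
    states: Optional[Set[str]] = None  # -m state --state

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every match it specifies is satisfied."""
        if self.src is not None and pkt.src != self.src:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    policy: str                   # -P: verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """iptables -A: add at the end of the chain."""
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:
        """iptables -I [rulenum]: add at a 1-based position, top by default."""
        self.rules.insert(rulenum - 1, rule)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule decides; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def base_input_chain() -> Chain:
    """The three-line ruleset from the post: -P DROP, allow ESTABLISHED,RELATED, allow NEW to 22/tcp."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    chain.append(Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}))
    return chain


def compare_append_vs_insert(bad_ip: str = "192.0.2.10") -> dict:
    """Verdicts for a NEW SSH packet from bad_ip after -A versus -I of the DROP rule."""
    ssh_from_bad_ip = Packet(src=bad_ip, proto="tcp", dport=22, state="NEW")

    appended = base_input_chain()
    appended.append(Rule("DROP", src=bad_ip))          # iptables -A INPUT -s bad_ip -j DROP

    inserted = base_input_chain()
    inserted.insert(Rule("DROP", src=bad_ip))          # iptables -I INPUT -s bad_ip -j DROP

    return {
        "append": appended.verdict(ssh_from_bad_ip),   # reaches the port-22 ACCEPT first
        "insert": inserted.verdict(ssh_from_bad_ip),   # hits DROP at the top of the chain
    }


if __name__ == "__main__":
    for mode, result in compare_append_vs_insert().items():
        print(f"{mode:>6}: NEW 22/tcp from blocked host -> {result}")
    # an unrelated host still gets the policy verdict on a port no rule allows
    print("policy:", base_input_chain().verdict(Packet(src="198.51.100.7", dport=80)))
```

The model only covers the matches the post uses (-s, -p, --dport, -m state), which is enough to see why the position of the DROP rule, not the chain policy, decides the outcome.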
Sure, for flooding
Code:
iptables -F
# Setting default filter policy DROP ALL :D
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allow unlimited traffic on both lo and venet0
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
# Stop flood .. this is also important :D
iptables -N flood
iptables -A INPUT -p tcp --syn -j flood
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A flood -j DROP
# Now block all ips
IPS="Ip1 IP2"
for ip in $IPS
do
iptables -A INPUT -s $ip -j DROP
iptables -A OUTPUT -d $ip -j DROP
done
# Now allow the traffic using rules use as shown by win32sux
I still prefer to add the OUTPUT rule in DROP to avoid IP spoofing stuff attacks; if you look closely I'm only blocking the destination -d from the FW host!
wait - i see what you're doing... your other iptables rules would come in after that section of your script... either way, i'm talking strictly about the CLI - not about a script... if you do it from the CLI it's simple and effective to use "-I" as it makes sure the rule goes to the top of the chain...