Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
So I would like to ask how to set up an iptables rule to block this IP address. Unfortunately, I am a Linux server newbie and don't know how. Any help, please?
This should go right after the conditional "accept" that lets tcp packets through. I hope you have your firewall set with default DROP policy...
It is likely the attacker will just switch to a different IP when they get blocked. See http://kerneltrap.org/node/7182 for an identical problem discussed.
Last edited by Simon Bridge; 03-21-2007 at 07:20 PM.
Code:
Chain INPUT (policy ACCEPT)
target               prot opt source                destination
RH-Firewall-1-INPUT  all  --  anywhere              anywhere
DROP                 all  --  pix.linkserve.net     anywhere
Has it done its job properly? The IP address matches the range for pix.linkserve.net but I don't see that IP address anywhere in the console - is this OK?
just to add to Simon_Bridge's suggestion: in cases like this, it's recommended to use an "-I" instead of an "-A"... this inserts the rule at the top of the chain and eliminates any possibility of packets from that IP getting sent to ACCEPT by a rule above ("-A" appends the rule to the end of the chain)...
Code:
iptables -I INPUT -s 195.166.237.42 -j DROP
FWIW, you can get a better view with this instead of "iptables -L":
Code:
iptables -nvL
you will see the IP doing it like that... the "n" tells iptables to skip doing domain name lookups (your problem IP resolves to pix.linkserve.net)
You are using the RH firewall - (is this RHEL - or are we still talking mandriva here?) you need to revise your firewall rules in the light of the services you want to run. One really wants a DROP policy, then explicitly open the needed services.
What you have is an ACCEPT policy, so you must explicitly DROP anything you don't want. See the difference?
Make sure you say what program you are using to view the iptables rules ... use programs directly whenever possible to avoid confusion when you are posting about problems. Thus: iptables -L to list the rules ... or -nvL as suggested (thanks).
However, if you are no longer getting the attack messages, then it must be OK. Check again later to see if the attack resumes from a different IP.
So I should delete the rule with the -A flag above, and then run the new command with -I?
yeah, you could do that... like:
Code:
iptables -D INPUT -s 195.166.237.42 -j DROP
iptables -I INPUT -s 195.166.237.42 -j DROP
you could also do it for the other IP you are filtering like:
Code:
iptables -D RH-Firewall-1-INPUT -s 86.126.25.217 -j DROP
iptables -I INPUT -s 86.126.25.217 -j DROP
you *really* should get your firewall going with an INPUT policy of DROP, as was pointed-out by Simon_Bridge earlier... FWIW, i'd also ditch the whole RH-Firewall-1-INPUT chain thing, but that's just me...
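The two points made in this thread, a default DROP policy on INPUT with explicit ACCEPTs, and per-host blocks inserted with -I so they land above every ACCEPT, fit in one short script. The following is an added example, not code posted by anyone in the thread. It assumes a single host that only serves SSH (22) and HTTP (80) and uses constructed placeholder addresses (198.51.100.23, 203.0.113.7) for the blocked hosts; the fake_iptables/preview_firewall helpers are an assumption of this example, a dry-run model of how iptables orders rules, so you can see the resulting chain before touching a live box.

```shell
#!/bin/sh
# Added example (not from the thread): default-DROP INPUT firewall with
# per-host blocks inserted at the top. IPT can be pointed at a dry-run
# function; the defaults below are constructed placeholders.
IPT="${IPT:-iptables}"
BLOCKED_IPS="${BLOCKED_IPS:-198.51.100.23 203.0.113.7}"
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80}"

apply_firewall() {
    # Start from an empty INPUT chain (the current policy is still ACCEPT,
    # so flushing does not lock anyone out yet).
    $IPT -F INPUT

    # Loopback and replies to connections this host opened come first;
    # every stateful service below relies on the ESTABLISHED rule.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Explicitly open only the services you actually run.
    for port in $OPEN_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Per-host blocks go in with -I so they sit ABOVE every ACCEPT
    # (including the ESTABLISHED rule, which also kills that host's
    # existing sessions). With -A they would never be reached for a
    # port that the loop above accepts.
    for ip in $BLOCKED_IPS; do
        $IPT -I INPUT -s "$ip" -j DROP
    done

    # Only now switch the policy: everything not accepted above is dropped.
    $IPT -P INPUT DROP

    # Log what falls through, rate-limited so an attacker cannot fill the disk.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

# Dry-run stand-in for iptables that models rule ordering: -A appends,
# -I inserts at position 1, -P records the policy, -F empties the chain.
NL=$(printf '\n.'); NL=${NL%.}
fake_iptables() {
    case "$1" in
        -P) POLICY="$3" ;;
        -F) CHAIN="" ;;
        -A) shift 2; CHAIN="${CHAIN}${CHAIN:+$NL}$*" ;;
        -I) shift 2; CHAIN="$*${CHAIN:+$NL}${CHAIN}" ;;
    esac
}

# Print the chain the rules above would produce, top rule first,
# in the same shape as "iptables -nvL" minus the counters.
preview_firewall() {
    CHAIN=""; POLICY="ACCEPT"
    _saved_ipt=$IPT
    IPT=fake_iptables
    apply_firewall
    IPT=$_saved_ipt
    printf 'Chain INPUT (policy %s)\n' "$POLICY"
    printf '%s\n' "$CHAIN"
}

case "${1:-}" in
    preview) preview_firewall ;;
    apply)   apply_firewall ;;
esac
```

Run `sh firewall.sh preview` first: the two DROP rules print above the loopback and ESTABLISHED accepts, which is exactly the ordering win32sux's -I achieves and -A does not. On the poster's box the first rule in INPUT is a jump to RH-Firewall-1-INPUT; a rule inserted with -I INPUT still lands above that jump, so the block takes effect regardless of what that chain accepts. Apply a DROP policy from a console session (or with a scheduled `iptables -P INPUT ACCEPT` as a fallback) so a typo in the port list cannot lock you out of SSH.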