Old 03-19-2004, 11:46 AM   #1
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Rep: Reputation: 35
iptables : how do I block inbound traffic from one ip address only?


I've been running an email server for about 1 year. Lately I've been getting a lot of spam originating from one ip address to non-existent email addresses at my domain. The bounces then bounce back. Rather than trying to filter this stuff, I want to make my server ignore this IP address. I want them to time out without getting any kind of affirmative response from my server. Somehow that seems like a better solution to spam than simply filtering to prevent the mail from being delivered once it's already been accepted by my server. Make the spammer suffer a bit by timing out, I say.

I'm probably being lazy by asking this here, but quick research has not turned up an answer. Also, maybe someone else will need a quick answer to this exact question:

How do I use iptables to drop packets from that one ip address? I also want to ensure the rule gets re-instated after re-booting.

Thanks!
Apollo
 
Old 03-19-2004, 12:27 PM   #2
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
I believe this should work. Replace <filter name> with the name of your filter (probably RH-Firewall-1-INPUT). If it does, leave off the "/sbin/iptables" from the beginning and add it to the file /etc/sysconfig/iptables.

% /sbin/iptables -A <filter name> -s IP-Address -j DROP

To see your current firewall rules type:

% /sbin/iptables -L

Hope this helps

Forrest

Oh, BTW, What is the IP so we can all add the rule !!!

Last edited by forrestt; 03-19-2004 at 12:29 PM.
 
Old 03-19-2004, 02:02 PM   #3
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
Almost there I think, but I need a bit more help. As you suspected, the server does run Redhat (8.0). When I try "/sbin/iptables -L" I get this output:
=======
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
=======

Not sure what that means, but probably looks like everything is wide open. Well it is. I guess I should mention my setup. The server is behind a router/firewall (different box). Obviously port 25 is open and directed to the RH box with the email server. The server itself does not run a firewall -- all ports open.

Ok, so /etc/sysconfig/iptables does not exist. I need to add it, correct? Or might it be called something else?

Apollo

PS. I'm tempted to post the offending ip address, but I guess I will refrain. If anyone needs Viagra or a mail-order bride let me know and I'll send it to you.
 
Old 03-19-2004, 02:48 PM   #4
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
Looks like you might not have iptables installed. I'm pretty sure that installing it adds the /etc/sysconfig/iptables file. If not, you will need to download the rpm and install it before performing the above steps. (You will probably also need to start the firewall: /etc/init.d/iptables start.)

Run the command:

% rpm -qa |grep iptables

to see if you already have iptables installed. If you already have it installed, copy this:

-----------------------------<begin copy on next line>---------------------------------------------
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:RH-Lokkit-0-50-OUTPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A OUTPUT -j RH-Lokkit-0-50-OUTPUT
-A RH-Lokkit-0-50-INPUT -s IP-Address -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s dns.dns.dns.no1 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s dns.dns.dns.no2 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j DROP
-A RH-Lokkit-0-50-OUTPUT -j ACCEPT
COMMIT
---------------------------------------------<end copy on previous line>-----------------------------
to /etc/sysconfig/iptables. Change the lines with dns.dns.dns... to the IPs of your DNS servers. If you have more than two servers, add an additional line for each server.
You also need to change the line with IP-Address to instead have the offending IP. This firewall ruleset allows web, ssh, smtp, and telnet through (except from your fiend's IP, from which it drops all traffic). The lines like:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT

are the ones that affect this. If you need another service then find out what ports you need to open:

% grep <service name> /etc/services

If you grep for timed, for example, you will get back:

timed 525/tcp timeserver
timed 525/udp timeserver

so you will need to add two lines:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 525 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 525 -j ACCEPT

Repeat for each service. If you want to remove a service, just comment out the lines that affect that service.

Once you are done, you will need to start iptables:

/etc/init.d/iptables start

Hope this helps,

Forrest

Last edited by forrestt; 03-19-2004 at 02:50 PM.
 
Old 03-19-2004, 04:10 PM   #5
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
Actually, I had it installed, but I had previously used a Redhat GUI ("Security Level") to essentially turn it off. I went back in and turned the firewall on with this GUI, but opened all the ports I regularly use. That created /etc/sysconfig/iptables. This GUI program actually added in my DNS servers and apparently everything else needed. The file now looks very much like the one you posted.

Final question:

For this to work, do I need to insert the DROP line you provided prior to this line that allows email packets through?

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT

Or does the order not matter?

Your help on this is very much appreciated.

Apollo
 
Old 03-19-2004, 04:22 PM   #6
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
Actually, that was probably a silly question. I see you placed the new DROP line right above the port 80 line. I have done the same. However, out of curiosity does order matter? I'm assuming port 25 packets would get through from the offending IP address if I placed the new line after the port 25 ACCEPT line, correct? (note: I do realize the new line will block all traffic from that ip address, not just port 25).

Thanks again. I think I have this working.

Apollo
 
Old 03-19-2004, 07:43 PM   #7
matthanley
LQ Newbie
 
Registered: Mar 2004
Distribution: Slackware 11
Posts: 7

Rep: Reputation: 0
Yes, the order of the rules matters. iptables will execute the first rule it comes to that matches your packet without reading the rest of the chain. So, putting the DROP before the ACCEPT is what you needed to do.
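As an added example (not from this thread or any of its posters), a small Python model of how iptables walks a chain: it parses rule lines in the /etc/sysconfig/iptables format shown in post #4 and evaluates a packet with first-match semantics, which is why the DROP for the offending source has to sit above the port-25 ACCEPT (posts #6 and #7). It models only the options the thread uses; the addresses 192.0.2.10 and 198.51.100.7 are documentation placeholders, not real hosts.

```python
import shlex

def parse_rules(text):
    """Keep '-A CHAIN ...' lines in file order; *filter, :CHAIN, COMMIT and comments are skipped."""
    chains = {}
    for tok in map(shlex.split, text.splitlines()):
        if len(tok) > 1 and tok[0] == "-A":
            rule, i = {}, 2
            while i < len(tok):
                if tok[i] == "--syn":       # a flag; every other option used here takes one value
                    rule["--syn"], i = True, i + 1
                else:
                    rule[tok[i]], i = tok[i + 1], i + 2
            chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    """Only the matches used in the thread are modelled; -m, -d 0/0 and --sport are ignored."""
    return (rule.get("-s", pkt["src"]) == pkt["src"]
            and rule.get("-p", pkt["proto"]) == pkt["proto"]
            and int(rule.get("--dport", pkt["dport"])) == pkt["dport"]
            and rule.get("-i", pkt.get("iface")) == pkt.get("iface")
            and (not rule.get("--syn") or pkt.get("syn", False)))

def verdict(chains, chain, pkt, policy="ACCEPT"):
    """First match wins; a user chain that matches nothing yields None and the caller keeps walking."""
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            if rule["-j"] in ("ACCEPT", "DROP", "REJECT"):
                return rule["-j"]
            sub = verdict(chains, rule["-j"], pkt, policy=None)
            if sub is not None:
                return sub
    return policy

# Constructed skeleton in the thread's file format; 192.0.2.10 is a documentation placeholder.
SKELETON = """*filter
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
{before}
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
{after}
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j DROP
COMMIT"""
DROP_RULE = "-A RH-Lokkit-0-50-INPUT -s 192.0.2.10 -j DROP"
SPAMMER = {"src": "192.0.2.10", "proto": "tcp", "dport": 25, "syn": True}

def smtp_verdict(drop_before_accept, pkt=SPAMMER):
    slots = {"before": DROP_RULE, "after": ""} if drop_before_accept else {"before": "", "after": DROP_RULE}
    return verdict(parse_rules(SKELETON.format(**slots)), "INPUT", pkt)
```

smtp_verdict(True) returns DROP while smtp_verdict(False) returns ACCEPT: with the per-IP DROP below the port-25 ACCEPT, the spammer's SYN is accepted before the DROP is ever consulted.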
 
Old 03-22-2004, 11:22 AM   #8
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
Thanks Matt. I didn't see Apollo's post until this morning.

Apollo, hope everything is working now.

Forrest
 