iptables : how do I block inbound traffic from one ip address only?
I've been running an email server for about 1 year. Lately I've been getting a lot of spam originating from one ip address to non-existent email addresses at my domain. The bounces then bounce back. Rather than trying to filter this stuff, I want to make my server ignore this IP address. I want them to time out without getting any kind of affirmative response from my server. Somehow that seems like a better solution to spam than simply filtering to prevent the mail from being delivered once it's already been accepted by my server. Make the spammer suffer a bit by timing out, I say.
I'm probably being lazy by asking this here, but quick research has not turned up an answer. Also, maybe someone else will need a quick answer to this exact question:
How do I use iptables to drop packets from that one ip address? I also want to ensure the rule gets re-instated after re-booting.
I believe this should work. Replace <filter name> with the name of your filter (probably RH-Firewall-1-INPUT). If it does, leave off the "/sbin/iptables" from the beginning and add it to the file /etc/sysconfig/iptables.
% /sbin/iptables -A <filter name> -s IP-Address -j DROP
To see your current firewall rules type:
% /sbin/iptables -L
Hope this helps
Oh, BTW, what is the IP so we can all add the rule!!!
Not sure what that means, but probably looks like everything is wide open. Well it is. I guess I should mention my setup. The server is behind a router/firewall (different box). Obviously port 25 is open and directed to the RH box with the email server. The server itself does not run a firewall -- all ports open.
Ok, so /etc/sysconfig/iptables does not exist. I need to add it, correct? Or might it be called something else?
PS. I'm tempted to post the offending ip address, but I guess I will refrain. If anyone needs Viagra or a mail-order bride let me know and I'll send it to you.
Looks like you might not have iptables installed. I'm pretty sure that installing it adds the /etc/sysconfig/iptables file. If not, you will need to download the rpm and install it before performing the above steps. (You will probably also need to start the firewall /etc/init.d/iptables start).
Run the command:
% rpm -qa |grep iptables
to see if you already have iptables installed. If you already have it installed, copy this:
-----------------------------<begin copy on next line>---------------------------------------------
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:RH-Lokkit-0-50-OUTPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A OUTPUT -j RH-Lokkit-0-50-OUTPUT
-A RH-Lokkit-0-50-INPUT -s IP-Address -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s dns.dns.dns.no1 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s dns.dns.dns.no2 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j DROP
-A RH-Lokkit-0-50-OUTPUT -j ACCEPT
---------------------------------------------<end copy on previous line>-----------------------------
to /etc/sysconfig/iptables. Change the lines with dns.dns.dns... to the IPs of your DNS servers. If you have more than two servers, add an additional line for each server.
You also need to change the line with IP-Address to instead have the offending IP. This firewall ruleset allows web, ssh, smtp, and telnet through (except from your fiend's IP in which it drops all traffic). The lines like:
Actually, I had it installed, but I had previously used a Redhat GUI ("Security Level") to essentially turn it off. I went back in and turned the firewall on with this GUI, but opened all the ports I regularly use. That created /etc/sysconfig/iptables. This GUI program actually added in my DNS servers and apparently everything else needed. The file now looks very much like the one you posted.
For this to work, do I need to insert the DROP line you provided in prior to this line that allows email packets through?:
Actually, that was probably a silly question. I see you placed the new DROP line right above the port 80 line. I have done the same. However, out of curiosity does order matter? I'm assuming port 25 packets would get through from the offending IP address if I placed the new line after the port 25 ACCEPT line, correct? (note: I do realize the new line will block all traffic from that ip address, not just port 25).
Yes, the order of the rules matters. iptables will execute the first rule it comes to that matches your packet without reading the rest of the chain. So, putting the DROP before the ACCEPT is what you needed to do.
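To make the first-match point concrete, here is an added example that is not code from this thread. It parses the line format used in the /etc/sysconfig/iptables file posted above (only the options that file uses: -s, -d, -i, -p, -m, --dport, --sport, --syn, -j) and evaluates a packet against the chains exactly the way iptables does: the first matching rule decides, a jump into a user chain that falls off its end returns to the caller, and the built-in chain's policy applies if nothing matched. The chain name RH-Lokkit-0-50-INPUT is taken from the posted ruleset; every IP address is a constructed placeholder from the RFC 5737 documentation ranges. Two rulesets are built, one with the per-host DROP before the port 25 ACCEPT (as the reply recommends) and one with it after, so you can see the spammer's SMTP connection being dropped in the first case and accepted in the second.

```python
"""Simulate iptables first-match evaluation over rules written in the
/etc/sysconfig/iptables format.  Added example, not code from the original
thread.  Only the options that appear in the posted ruleset are understood.
All addresses below are constructed placeholders (RFC 5737 ranges)."""

import ipaddress
import shlex

CHAIN = "RH-Lokkit-0-50-INPUT"          # chain name from the posted ruleset
HEADER = [":INPUT ACCEPT [0:0]", f":{CHAIN} - [0:0]", f"-A INPUT -j {CHAIN}"]
BLOCK_RULE = f"-A {CHAIN} -s 192.0.2.10 -j DROP"     # constructed "spammer" IP
SERVICE_RULES = [
    f"-A {CHAIN} -p tcp -m tcp --dport 25 --syn -j ACCEPT",
    f"-A {CHAIN} -i lo -j ACCEPT",
    f"-A {CHAIN} -p udp -m udp -s 198.51.100.53 --sport 53 -d 0/0 -j ACCEPT",
    f"-A {CHAIN} -p tcp -m tcp --syn -j DROP",
    f"-A {CHAIN} -p udp -m udp -j DROP",
]
# DROP placed before the port-25 ACCEPT (what the reply recommends) ...
RULESET_DROP_FIRST = "\n".join(HEADER + [BLOCK_RULE] + SERVICE_RULES)
# ... and the same rules with the DROP appended after the port-25 ACCEPT.
RULESET_DROP_LAST = "\n".join(HEADER + SERVICE_RULES[:1] + [BLOCK_RULE] + SERVICE_RULES[1:])


def parse_ruleset(text):
    """Return (policies, chains): the policy of each chain (None for user
    chains) and an ordered list of rule dicts per chain."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):                  # ":NAME POLICY [pkts:bytes]"
            name, policy, _counters = line[1:].split()
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
            continue
        tokens = shlex.split(line)
        if tokens[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        chain, rule, i = tokens[1], {}, 2
        while i < len(tokens):
            opt = tokens[i]
            if opt == "--syn":                    # flag, takes no value
                rule["--syn"] = True
                i += 1
            elif opt == "-m":                     # match module; implied by -p here
                i += 2
            elif opt in ("-s", "-d", "-i", "-p", "--dport", "--sport", "-j"):
                rule[opt] = tokens[i + 1]
                i += 2
            else:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        chains.setdefault(chain, []).append(rule)
    return policies, chains


def to_network(value):
    if value == "0/0":                            # iptables shorthand for "anywhere"
        value = "0.0.0.0/0"
    return ipaddress.ip_network(value, strict=False)


def matches(rule, pkt):
    """True if every match option in the rule holds for the packet."""
    checks = {
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in to_network(v),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in to_network(v),
        "-i": lambda v: pkt.get("iface") == v,
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: pkt.get("dport") == int(v),
        "--sport": lambda v: pkt.get("sport") == int(v),
        "--syn": lambda v: bool(pkt.get("syn")),
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt != "-j")


def evaluate(policies, chains, chain, pkt):
    """First matching rule wins and the rest of the chain is never read.
    A user chain with no match returns None, so the caller keeps scanning."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        if target in chains:                      # jump into a user-defined chain
            verdict = evaluate(policies, chains, target, pkt)
            if verdict is not None:
                return verdict
            continue
        return target                             # ACCEPT / DROP / ...
    return policies[chain]                        # built-in policy, or None


def verdict_for(ruleset, pkt, chain="INPUT"):
    policies, chains = parse_ruleset(ruleset)
    return evaluate(policies, chains, chain, pkt)


# Constructed sample packets: an SMTP SYN from the blocked host, the same
# from another host, a telnet SYN, and a DNS reply from the listed resolver.
SERVER = "203.0.113.5"
SPAM_SYN = {"src": "192.0.2.10", "dst": SERVER, "proto": "tcp", "dport": 25, "syn": True}
OTHER_SYN = {"src": "198.51.100.7", "dst": SERVER, "proto": "tcp", "dport": 25, "syn": True}
OTHER_TELNET = dict(OTHER_SYN, dport=23)
DNS_REPLY = {"src": "198.51.100.53", "dst": SERVER, "proto": "udp", "sport": 53, "dport": 40000}

if __name__ == "__main__":
    for name, rs in (("DROP before ACCEPT", RULESET_DROP_FIRST),
                     ("DROP after ACCEPT", RULESET_DROP_LAST)):
        print(f"{name}: spammer SMTP SYN -> {verdict_for(rs, SPAM_SYN)}")
```

Running it prints DROP for the first ordering and ACCEPT for the second, which is the difference the question was about: once the port 25 ACCEPT has matched, the DROP further down is never consulted. Telnet from the other host still ends at the catch-all `--syn -j DROP`, and the DNS reply is accepted by the `--sport 53` rule, so the rest of the posted ruleset behaves as described.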