Old 06-26-2006, 09:52 PM   #1
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Rep: Reputation: 15
iptables - using ! to allow multiple ports


Hello,

I am having a small problem. I have been blocking someone just fine using iptables. I had a single exception allowing this person to use a specific port. Using the following:

Code:
iptables -A INPUT -s 24.112.23.227 -p udp --destination-port ! 25000 -j DROP
This basically just means they cannot use udp unless it is to port 25000. But now I need to add a second udp port they are also allowed to connect to. Port 26000.

So what I tried was using both:

Code:
iptables -A INPUT -s 24.112.23.227 -p udp --destination-port ! 25000 -j DROP
iptables -A INPUT -s 24.112.23.227 -p udp --destination-port ! 26000 -j DROP
But adding both of those causes the blocked person to not be able to connect at all. So I need to get both ports allowed on one line.

Code:
iptables -A INPUT -s 24.112.23.227 -p udp --destination-port ! 25000,26000 -j DROP
was my best guess but it gives me a bad ipchain error.

How would I accomplish this please? Your help is appreciated!

-Chi
 
Old 06-26-2006, 10:01 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
There is a multiport match (mport) that allows you to specify up to 15 ports. I haven't ever tried using the logical ! operator with it, but it may work.

If not, then you likely need to do the inverse of what you're trying to do. You'd need to *allow* those ports for that source IP and then drop all others (put the 2 port match rules first and then put the drop rule after). So it would look like:

iptables -A INPUT -s 24.112.23.227 -p udp --destination-port 25000 -j ALLOW
iptables -A INPUT -s 24.112.23.227 -p udp --destination-port 26000 -j ALLOW
iptables -A INPUT -s 24.112.23.227 -j DROP
 
Old 06-27-2006, 03:41 AM   #3
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Original Poster
Rep: Reputation: 15
I'll give those a try, thank you.
 
Old 07-01-2006, 07:36 PM   #4
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Capt_Caveman

iptables -A INPUT -s 24.112.23.227 -p udp --destination-port 25000 -j ALLOW
iptables -A INPUT -s 24.112.23.227 -p udp --destination-port 26000 -j ALLOW
iptables -A INPUT -s 24.112.23.227 -j DROP
Are you sure that format is correct? Because it doesn't seem to work (and I changed the ALLOW to ACCEPT).. and looking at it, doesn't it seem like it's saying.. okay, allow this.. but then let's just block it all anyways? Like doesn't that last line just overthrow the first 2?

After applying that format I haven't gotten any word from the person whether or not it worked. But now I have another situation where I am trying to block someone from using everything but websites and I decided to use the same format. However it doesn't seem to be working in this case.

I am trying to block someone from using everything but viewing sites, which is port 80 as far as I know.

I've tried many things and nothing is working :\

iptables -A INPUT -s 24.112.23.227 -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -s 24.112.23.227 -p udp --destination-port 80 -j ACCEPT
iptables -A INPUT -s 24.112.23.227 -j DROP

Doesn't work. I think HTTP uses TCP but apparently it uses UDP as well. I also have to write a port rule for both, because adding --destination-port without a -p doesn't seem to work :\

iptables -A INPUT -s 24.112.23.227 -p tcp --destination-port ! 80 -j DROP
iptables -A INPUT -s 24.112.23.227 -p udp --destination-port ! 80 -j DROP

Doesn't work either for some miraculous reason so I am beginning to think that I am missing something. Maybe it isn't port 80 or it's just not enough or I don't know what I am doing wrong. Does anyone?

Thanks
 
Old 07-01-2006, 07:42 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by chibi
Are you sure that format is correct? Because it doesn't seem to work (and I changed the ALLOW to ACCEPT).. and looking at it, doesn't it seem like it's saying.. okay, allow this.. but then let's just block it all anyways? Like doesn't that last line just overthrow the first 2?
yes, it's fine... no, the last line doesn't overthrow the others... the packets will hit the last line only after having traversed through the lines before it, so if a packet is sent to ACCEPT by the first lines, it won't even get to the last one...

having said that, it's a better idea to just set your policy to DROP, and that way you don't need a DROP rule at the end, and you can be sure that anything which doesn't go to ACCEPT will in fact go to DROP...

Quote:
After applying that format I haven't gotten any word from the person whether or not it worked. But now I have another situation where I am trying to block someone from using everything but websites and I decided to use the same format. However it doesn't seem to be working in this case.

I am trying to block someone from using everything but viewing sites, which is port 80 as far as I know.

I've tried many things and nothing is working :\

iptables -A INPUT -s 24.112.23.227 -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -s 24.112.23.227 -p udp --destination-port 80 -j ACCEPT
iptables -A INPUT -s 24.112.23.227 -j DROP

Doesn't work. I think HTTP uses TCP but apparently it uses UDP as well. I also have to write a port rule for both, because adding --destination-port without a -p doesn't seem to work :\

iptables -A INPUT -s 24.112.23.227 -p tcp --destination-port ! 80 -j DROP
iptables -A INPUT -s 24.112.23.227 -p udp --destination-port ! 80 -j DROP

Doesn't work either for some miraculous reason so I am beginning to think that I am missing something. Maybe it isn't port 80 or it's just not enough or I don't know what I am doing wrong. Does anyone?

Thanks
what is your setup like?? i ask because unless this is the *server* that the client is connecting to, then you are using the wrong chain... if these rules are getting run on the client box itself, then you wanna use the OUTPUT chain... if this is a router, then the FORWARD...

Last edited by win32sux; 07-01-2006 at 07:52 PM.
 
Old 07-01-2006, 08:02 PM   #6
paulchin
LQ Newbie
 
Registered: Aug 2003
Posts: 5

Rep: Reputation: 0
How about setting INPUT policy to DROP

The first step is to define the POLICY. If your INPUT policy is DROP by default, then you write rules to ALLOW specific ports or IPs; on the other hand, if your INPUT policy is ALLOW by default, then you write rules to DROP.

For example, the below is where Default Policy for INPUT is DROP:

------start---------
#Default Input Policy is drop
iptables -P INPUT DROP
iptables -F INPUT

#Allow these
iptables -A INPUT -s 24.112.23.227 -p udp --dport 25000:26000 -j ALLOW
-------end-------


All other ports will be dropped.

Then, to check:

iptables -L


Cheers,
Paul

Last edited by paulchin; 07-01-2006 at 08:04 PM.
 
Old 07-01-2006, 10:36 PM   #7
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Original Poster
Rep: Reputation: 15
The machine is a webserver, so INPUT will be correct. The default policy is ACCEPT (why does everyone say allow? I thought it's ACCEPT not ALLOW?)


When people are caught hacking or cheating in the gameserver I run, I block them from the server entirely, to save time manually adding them to each gameserver. I have set up a .sh file like so:

Code:
#!/bin/sh

iptables -F INPUT

###
## HACKERS AND CHEATERS
###

### Shalashaska _ Montreal _ Speed hacker. Reported by Yozizzo. Logs show evidence.
## 70.81.97.236
iptables -A INPUT -s 70.81.97.236 -j DROP

### mikestar _ PA (maybe NJ) _ polygon hacker. Reported by Cr4sh. Verified.
## 68.46.137.249
iptables -A INPUT -s 68.46.137.249 -j DROP
So I just add on the ones that need to be blocked. But sometimes their IPs are dynamic, so I block ranges when it's a foreign country. Like Sweden.

Code:
### [vt9] Vegebro _ Sweden/Netherlands _ Hacker A****le. Reocurring.
## 81.48.235.159
iptables -A INPUT -s 81.48.0.0/16 -j DROP
So in this case, the person has an entire range blocked. But I have a friend who is in this same IP range who doesn't play on the gameservers, but does visit the website. So I want to block this range, but still have the website available. Using:

iptables -A INPUT -s 81.48.0.0/16 -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -s 81.48.0.0/16 -j DROP

..does not work at all. But at the same time neither does this:

iptables -A INPUT -s 81.48.0.0/16 -p tcp --destination-port ! 80 -j DROP
iptables -A INPUT -s 81.48.0.0/16 -p udp --destination-port ! 80 -j DROP

Quote:
Originally Posted by paulchin
#Allow these
iptables -A INPUT -s 24.112.23.227 -p udp --dport 25000:26000 -j ALLOW
If I use that, does this mean 25000 and 26000, or does it also include all the ports in between? Does this work with ! ?

Btw, unrelated question. Should the lines of code have semicolons on the end of them? Seems to be working okay without them.

Thank you very much.

Last edited by chibi; 07-01-2006 at 10:41 PM.
 
Old 07-01-2006, 11:57 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by chibi
The machine is a webserver, so INPUT will be correct. The default policy is ACCEPT (why does everyone say allow? I thought it's ACCEPT not ALLOW?)
yes, it's ACCEPT...

Quote:
When people are caught hacking or cheating in the gameserver I run, I block them from the server entirely, to save time manually adding them to each gameserver. I have set up a .sh file like so:

Code:
#!/bin/sh

iptables -F INPUT

###
## HACKERS AND CHEATERS
###

### Shalashaska _ Montreal _ Speed hacker. Reported by Yozizzo. Logs show evidence.
## 70.81.97.236
iptables -A INPUT -s 70.81.97.236 -j DROP

### mikestar _ PA (maybe NJ) _ polygon hacker. Reported by Cr4sh. Verified.
## 68.46.137.249
iptables -A INPUT -s 68.46.137.249 -j DROP
there are at least two things wrong with that which i can see:

1) since this is a script that runs independent of your regular rules/script, you should NOT flush the chain at the top of the script...

2) you wanna use an "-I" instead of an "-A" as you want the DROP rule to go to the top of the chain, not the bottom...

Quote:
So I just add on the ones that need to be blocked. But sometimes their IPs are dynamic, so I block ranges when it's a foreign country. Like Sweden.

Code:
### [vt9] Vegebro _ Sweden/Netherlands _ Hacker A****le. Reocurring.
## 81.48.235.159
iptables -A INPUT -s 81.48.0.0/16 -j DROP
see #2 above...

Quote:
So in this case, the person has an entire range blocked. But I have a friend who is in this same IP range who doesn't play on the gameservers, but does visit the website. So I want to block this range, but still have the website available. Using:

iptables -A INPUT -s 81.48.0.0/16 -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -s 81.48.0.0/16 -j DROP

..does not work at all.
it should work, but if it doesn't then it's probably because of the order of your rules or something... BTW, it's a good idea to do logging, so that you can diagnose this stuff more easily...

Quote:
But at the same time neither does this:

iptables -A INPUT -s 81.48.0.0/16 -p tcp --destination-port ! 80 -j DROP
iptables -A INPUT -s 81.48.0.0/16 -p udp --destination-port ! 80 -j DROP
once again, you're appending, so it depends on what the rules *above* this one look like...

Quote:
If I use that, does this mean 25000 and 26000, or does it also include all the ports in between? Does this work with ! ?
it's a port range, so it includes all the ports in between... to use individual ports you need to either use separate rules or use the multiport match... and yes, port ranges will work with the ! thing...

Quote:
Btw, unrelated question. Should the lines of code have semicolons on the end of them? Seems to be working okay without them.
no, you don't need semicolons at the end of lines in BASH...

Last edited by win32sux; 07-02-2006 at 03:19 AM.
 
Old 07-02-2006, 12:00 AM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
BTW, if you post your *complete* iptables scripts we will be able to better understand what's going on... we can also give you some pointers on things you might wanna change, etc...

Last edited by win32sux; 07-02-2006 at 12:22 AM.
 
Old 07-02-2006, 01:39 AM   #10
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Original Poster
Rep: Reputation: 15
Thank you for the high coverage. I would like to clarify a few things please..

If I use -I for all of them instead of -A, would this be better? Or should I be using a combination? -I inserts at beginning, -A appends at end, correct? I am confused because if I am always appending.. then everything will go in the order that it's presented in the script.. so.. wouldn't ...

iptables -A INPUT -s 81.48.0.0/16 -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -s 81.48.0.0/16 -j DROP

... work just fine because the ACCEPT line will still be added before the DROP line? Or is it because I'm using the wrong port or something to allow http to come through? I am just not 100% sure why I should be using -I.

How do I do logging please?

Why is it bad to flush the chain at the beginning of the script? Before, every time I executed the script and then used iptables -L it would add duplicates. For instance if I had 10 iptables entries in the script and I executed the script, iptables -L would show the 10. If I executed the script a second time, then iptables -L would show 20 entries. The first set of 10, and then right after the same 10 a second time. I added the iptables -F at the beginning of the script so that every time the script ran, it would clear everything first so it could re-add everything. Why is this wrong? It's made me confused.

Thank you very much for your patience, it is extremely appreciated. I keep struggling with these iptables when I need to do something more complex.
 
Old 07-02-2006, 01:57 AM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by chibi
If I use -I for all of them instead of -A, would this be better. Or should I be using a combination?
in your main script there's no need to use "-I" anywhere, as you write the rules down in the order you need them... the "-I" is useful in cases such as with an IP blocking script, or whenever you block IPs from the command-line, because you don't want to have to modify anything in your main script, and you want to make sure the packets from the IP you are blocking don't hit any other rules...

Quote:
-I inserts at beginning, -A appends at end, correct?
yes...

Quote:
I am confused because if I am always appending.. then everything will go in the order that it's presented in the script..
yeah, that's how your main script should go... it's all good...

Quote:
so.. wouldn't ...

iptables -A INPUT -s 81.48.0.0/16 -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -s 81.48.0.0/16 -j DROP

... work just fine because the ACCEPT line will still be added before the DROP line?
yes, but it depends on the rules *above* those lines also... since you aren't showing them to us, there's no telling what might be happening to the packet before those two lines...

Quote:
Or is it because I'm using the wrong port or something to allow http to come through? I am just not 100% sure why I should be using -I.
HTTP is TCP port 80 and HTTPS is TCP port 443... so your ports should be fine if you're using those...

Quote:
How do I do logging please?
basically speaking, by appending a line like this to the end of your chain:
Code:
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
Quote:
Why is it bad to flush the chain at the beginning of the script?
it's bad to do it at the beginning of your *IP blocking* script (NOT your main script), because it would kill the rules which your main script configured... from your post, it sounded like you were indeed using a separate script to do the IP blocking - please confirm...

Quote:
Before, every time I executed the script and then used iptables -L it would add duplicates. For instance if I had 10 iptables entries in the script and I executed the script, iptables -L would show the 10. If I executed the script a second time, then iptables -L would show 20 entries. The first set of 10, and then right after the same 10 a second time. I added the iptables -F at the beginning of the script so that every time the script ran, it would clear everything first so it could re-add everything. Why is this wrong? It's made me confused.
sorry for the confusion... the above should clarify what i meant...

Quote:
Thank you very much for your patience, it is extremely appreciated. I keep struggling with these iptables when I need to do something more complex.
you're very welcome... so have you considered posting your *complete* script??

i (and several others) actually enjoy tweaking people's iptables scripts, so don't be shy... getting your script(s) tweaked also lets you ask more questions and stuff, which will help you get familiarized with iptables...

Last edited by win32sux; 07-02-2006 at 02:47 AM.
 
Old 07-02-2006, 02:55 AM   #12
paulchin
LQ Newbie
 
Registered: Aug 2003
Posts: 5

Rep: Reputation: 0

Quote:
Originally Posted by chibi
The machine is a webserver, so INPUT will be correct. The default policy is ACCEPT (why does everyone say allow? I thought it's ACCEPT not ALLOW?)


If I use that, does this mean 25000 and 26000, or does it also include all the ports in between? Does this work with ! ?

Btw, unrelated question. Should the lines of code have semicolons on the end of them? Seems to be working okay without them.

Yes, I meant to type ACCEPT, not ALLOW. I'm sorry. It was a mistake. So far I always use ACCEPT.

25000:26000 would allow all ports from 25000 to 26000 inclusive. I don't think that is what you want; better to have two rules. I haven't tried with "!" though.

No semicolons at the end of each rule.

So, this is what I should have typed:

------start---------
#Default Input Policy is drop
iptables -P INPUT DROP
iptables -F INPUT

#Allow these
iptables -A INPUT -s 24.112.23.227 -p udp --dport 25000 -j ACCEPT
iptables -A INPUT -s 24.112.23.227 -p udp --dport 26000 -j ACCEPT

-------end-------




Cheers,
Paul
 
Old 07-02-2006, 03:35 PM   #13
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by paulchin
------start---------
#Default Input Policy is drop
iptables -P INPUT DROP
iptables -F INPUT

#Allow these
iptables -A INPUT -s 24.112.23.227 -p udp --dport 25000 -j ACCEPT
iptables -A INPUT -s 24.112.23.227 -p udp --dport 26000 -j ACCEPT

-------end-------
Okay I need to spring another reply on this because I like where this is going if my sudden theory is correct. But first..

If I set INPUT's policy as being DROP, does that mean -anyone- who tries to connect to the webserver will be automatically dropped??? That would be very bad.. Unless it only drops the people listed in the chain but the exception being there is an ACCEPT rule?? I am confused

Okay but I was thinking a bit... and I can create my own chains right? So I technically would be able to create a second INPUT chain that would have a DROP policy and would be separate from the original INPUT chain? (could both chains work at the same time?)

So my question is, if I did that (still have to figure out how) and I added an ACCEPT like you show below...

iptables -A INPUT -s 24.112.23.227 -p udp --dport 25000 -j ACCEPT

...would the iptables of this new second chain look at that and say "okay, he wants to accept 24.112.23.227 on udp port 25000, my policy is drop. So specific for this IP -only- I am going to drop everything but udp port 25000" Which means that a different ip like 50.44.333.102 would not be DROPped at all because its not listed in this chain?

I really sincerely appreciate you helping me with this. I know everyone says it but I mean it

Also Win32Sux, if you could answer some of my responses/questions to the concerns you had about using -I and logging flushing the chain at the beginning of the script I would be very grateful!

Thanks everyone.

Last edited by chibi; 07-02-2006 at 03:46 PM.
 
Old 07-02-2006, 05:27 PM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by chibi
Okay I need to spring another reply on this because I like where this is going if my sudden theory is correct. But first..

If I set INPUT's policy as being DROP, does that mean -anyone- who tries to connect to the webserver will be automatically dropped??? That would be very bad.. Unless it only drops the people listed in the chain but the exception being there is an ACCEPT rule?? I am confused
no, it's not bad... it's VERY GOOD... this is precisely the purpose of a firewall - to filter all packets except the ones you need... take a look at "idea #1" at this link:

http://www.ranum.com/security/comput...itorials/dumb/

Quote:
Okay but I was thinking a bit... and I can create my own chains right? So I technically would be able to create a second INPUT chain that would have a DROP policy and would be separate from the original INPUT chain? (could both chains work at the same time?)
no, you can only set policies for built-in chains... you can't do it for user-created chains... besides, it doesn't sound like your setup needs any user-created chains...

Quote:
So my question is, if I did that (still have to figure out how) and I added an ACCEPT like you show below...

iptables -A INPUT -s 24.112.23.227 -p udp --dport 25000 -j ACCEPT

...would the iptables of this new second chain look at that and say "okay, he wants to accept 24.112.23.227 on udp port 25000, my policy is drop. So specific for this IP -only- I am going to drop everything but udp port 25000" Which means that a different ip like 50.44.333.102 would not be DROPped at all because its not listed in this chain?
any packet which does NOT match that chain will continue traversing the chain until it either hits a rule it matches, or it runs into the chain's policy...

Quote:
Also Win32Sux, if you could answer some of my responses/questions to the concerns you had about using -I and logging flushing the chain at the beginning of the script I would be very grateful!
i already did - yesterday... take a look at my previous post...

Last edited by win32sux; 07-02-2006 at 05:51 PM.
 
Old 07-02-2006, 09:10 PM   #15
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Original Poster
Rep: Reputation: 15
Win32Sux,

Ah, for whatever reason, I missed that reply. Dunno why. I will post my entire script below.

But I really need to clarify this so I am definitive on it (sorry). If I set my INPUT policy to DROP, and I have absolutely no entries in the chain at all, will iptables DROP -everything- that tries to connect to the box? Or only in relation to the entries in there?

And, if I want to make sure someone is dropped, but the policy is already DROP, adding a regular iptables -A INPUT -s 4.4.4.4 -j DROP would still work correct?

Here is my script.. blacklist.sh (you'll notice in the documentation I refer to some of them as 'A****le' -- which is just to help me remember their level of behaviour. forgive me :P)

Code:
#!/bin/sh

iptables -F INPUT

###
## SERVER CRASHERS:
###

### Unknown Name _ Chicago(?) _ Reported by io.sys
## 71.124.38.53 _ 71.124.113.163
iptables -A INPUT -s 71.124.0.0/16 -j DROP

### -[SD]- Aloe _ Sydney Australia _ Reported by io.sys
## 144.136.99.193 _ CPE-144-136-99-193.nsw.bigpond.net.au
iptables -A INPUT -s 144.136.0.0/16 -j DROP

### Haxta/SupFool/DJ-Lithium _ Brisbane Australia _ Reported by io.sys
## 58.165.124.87 _ 58.167.192.2 _ 58.160.0.0 - 58.175.255.255
iptables -A INPUT -s 58.160.0.0/12 -j DROP

### NME Ivel _ NJ or PA _ Chibi saw attack AV Server
## 68.83.83.114 _ c-68-83-83-114.hsd1.pa.comcast.net
# iptables -A INPUT -s 68.83.83.114 -j DROP

### D!m00n _ Amsterdam _ Crasher/Hacker/Annoyance. Reported by io.sys. Approved.
## 84.95.116.174 _ 84.94.52.27 _ 84.94.52.27 _ 84.94.50.99 _ 84.94.48.212 _ 84.94.86.230 _ 84.94.40.86
iptables -A INPUT -s 84.95.0.0/16 -j DROP
iptables -A INPUT -s 85.94.0.0/16 -j DROP


###
## ABUSIVE_MALIGNANT_RUDE PLAYERS:
###

### Warnker _ Welland Ontario _ Hacks/Cheats at CS, Angry Kid
## 69.49.45.124 _ 69.49.32.0 - 69.49.47.255
iptables -A INPUT -s 69.49.32.0/20 -j DROP

### Bastard22 _ Boston _ It's Bastard22 >_>
## 141.154.0.0/16 _ 151.203.0.0/16
iptables -A INPUT -s 141.154.0.0/16 -p udp --destination-port 25555 -j ACCEPT
iptables -A INPUT -s 151.203.0.0/16 -p udp --destination-port 25555 -j ACCEPT
iptables -A INPUT -s 141.154.0.0/16 -p udp --destination-port 10500 -j ACCEPT
iptables -A INPUT -s 151.203.0.0/16 -p udp --destination-port 10500 -j ACCEPT
iptables -A INPUT -s 141.154.0.0/16 -j DROP
iptables -A INPUT -s 151.203.0.0/16 -j DROP
# iptables -A INPUT -s 141.154.0.0/16 -p tcp -j DROP
# iptables -A INPUT -s 151.203.0.0/16 -p tcp -j DROP

### =TS= Clan [Took over server, votekicked, etc]
# =TS= DaOnLyJoSh joining game (24.165.248.150:1855)
# =TS= Supressor joining game (24.110.33.9:23083)
# =TS= B RAD joining game (64.180.248.149:61612)

### .:/SSS\:.Cap.America _ Hickville NY _ Rude guy
## 68.195.107.45 _ 68.192.0.0 - 68.199.255.255
# iptables -A INPUT -s 68.192.0.0/13 -j DROP

# Jess 68.193.201.132 [INNOCENT, Affected by above]

### [] (chibi: his name is a box character) _ Blacksburg VA _ Jerk
## 198.82.110.156 _ 198.82.0.0 - 198.82.255.255
iptables -A INPUT -s 198.82.0.0/16 -j DROP

### <---ZamOraL_ClAn---> _ Amsterdam(?) _ Asshole :)
## 88.152.1.214
iptables -A INPUT -s 88.152.1.214 -j DROP


###
## HACKERS AND CHEATERS
###

### Rento _ Philadelphia _ Fly Hack. Reported by Xenocide
## 68.235.196.59 _ hemet-ca-cuda-1-eacbo1-00-hemeca-68-235-196-59.ontrca.adelphia.net
iptables -A INPUT -s 68.235.196.59 -j DROP

### Shalashaska _ Montreal _ Speed hacker. Reported by Yozizzo. Logs show evidence.
## 70.81.97.236
iptables -A INPUT -s 70.81.97.236 -j DROP

### mikestar _ PA (maybe NJ) _ polygon hacker. Reported by Cr4sh. Verified by Xenocide
## 68.46.137.249
iptables -A INPUT -s 68.46.137.249 -j DROP

### JESUS _ PA (maybe VA) _ flies off ground really fast. Reported by Sin
## 71.240.153.243
iptables -A INPUT -s 71.240.153.243 -j DROP

### poo _ chicago _ speed hacking . reported by mike araujo.
## 24.13.75.134
iptables -A INPUT -s 24.13.75.134 -j DROP

### You _ NYC _ speed hacking. reported by morik
## 88.232.3.191
iptables -A INPUT -s 88.232.3.191 -j DROP

### DOCTOR 90210 _ AL (maybe GA) _ speed hacking. reported by steaker. No Evidence?
## 24.214.105.121
# iptables -A INPUT -s 24.214.105.121 -j DROP

### Someone _ Texas? _ No information provided? Chibi did approve however.
## 69.111.163.18
iptables -A INPUT -s 69.111.163.18 -j DROP

### Superman _ AOL (usa) _ Reported by dl_Chrono/Ivel (used !admin). Superman Admitted.
## 172.163.172.221
iptables -A INPUT -s 172.163.172.221 -j DROP

### {fuel} Shmack _ Victoria Australia _ warped to flag to capture it (INF). Chibi saw!
## 220.253.30.237
iptables -A INPUT -s 220.253.30.237 -j DROP

### jesusgonorrhea _ MO (maybe) _ fires 2 m79s at once. witness by Chibi
## 24.180.61.88
iptables -A INPUT -s 24.180.61.88 -j DROP

### [TMOD] Angel =PL= _ Poland _ fired two laws quickely. witnessed by Chibi
### [TMOD] Marko /PL\ _ Poland _ associated with Angel. Chibi approved
## 83.9.19.226 (angel) _ 83.9.8.208 (marko)
iptables -A INPUT -s 83.9.0.0/16 -j DROP

### SUPERMAN xDD _ Chile _ speed hacker. verified by Chibi
## 201.215.9.69
iptables -A INPUT -s 201.215.9.69 -j DROP

### hack giver _ texas? _ offering hacks to people. loser. banned by Chibi
## 70.234.144.51
iptables -A INPUT -s 70.234.144.51 -j DROP

### God _ texas? _ teleport/speed hack. A****le. witnessed by cT and Chibi
## 65.43.170.228 _ 65.42.0.0 - 65.43.255.255 _ 65.42.0.0/15
iptables -A INPUT -s 65.43.170.228 -j DROP

### Erick _ Toronto (Montreal maybe) _ speed hacker. Reported by 67frogs and bunny. approved.
## 67.68.226.55
iptables -A INPUT -s 67.68.226.55 -j DROP

### Soldat Simon (swe) _ Sweden _ speed hacker/double m79. Witness by Chibi
## 81.229.223.3
iptables -D INPUT -s 81.229.223.3 -j DROP

### [vt9] Vegebro _ Sweden/Netherlands _ Hacker A****le. Approved by Chibi
## 81.48.235.159 _ 81.250.237.198 _ 81.53.245.113 _ 83.195.146.200 _ 86.195.211.83
## MEGA BLOCKAGE: 80.0.0.0 - 87.255.255.255 _ 80.0.0.0/5
iptables -A INPUT -s 81.48.0.0/16 -j DROP
iptables -A INPUT -s 81.250.0.0/16 -j DROP
iptables -A INPUT -s 81.53.0.0/16 -j DROP
iptables -A INPUT -s 83.195.0.0/16 -j DROP
iptables -A INPUT -s 86.195.0.0/16 -j DROP
### [vt9] Raptor2800 _ Switzerland. Hacker A****le. Approved by Chibi.
## 195.186.220.124 _ 83.77.127.15 _ 83.79.88.58 _ 85.1.197.117

#iptables -A INPUT -s 83.77.0.0/16 -p udp -j DROP
#iptables -A INPUT -s 83.78.0.0/16 -p udp -j DROP
#iptables -A INPUT -s 83.79.0.0/16 -p udp -j DROP
#iptables -A INPUT -s 85.1.0.0/16 -p udp -j DROP
#iptables -A INPUT -s 195.186.0.0/16 -p udp -j DROP

# MEGA vt9 BLOCKAGE:
# iptables -A INPUT -s 81.0.0.0/8 -j DROP
# iptables -A INPUT -s 80.0.0.0/5 -j DROP

# Felix _ Switzerland _ 83.77.107.29 NOT A HACKER (fs.com enabled above)

### Van Helsing _ Poland or Amsterdam _ Superman Hack. Left as soon as I said his name
## 83.21.129.233
iptables -A INPUT -s 83.21.129.233 -j DROP

### **G**E**J**DGBD _ Sweden or Amsterdamn _ Superman Hack. Reported by Sin. Confirmed.
## 81.15.216.141
iptables -A INPUT -s 81.15.216.141 -j DROP

### Coolman60000 _ Puerto Rico _ Teleport/Speed Hack. Reported by Snowden. Witnesses. Approved.
## 70.45.41.60
iptables -A INPUT -s 70.45.41.60 -j DROP

### Grave Diger _ Ottawa (Sympatico) _ Speed Hack. Reported by Issus. Witnesses. Approved.
## 209.226.121.80
iptables -A INPUT -s 209.226.121.80 -j DROP

### Zombie _ Sacremento Calif _ Speed Hack. Reported by Vision. Witnesses. Approved.
## 71.137.192.244
iptables -A INPUT -s 71.137.192.244 -j DROP

###
## Flooders and Spammers:
###

### me! _ finland _ join flooding
## 88.112.41.198
# iptables -A INPUT -s 88.112.41.198 -j DROP
My problem areas are these bits:

Code:
### Dasake _ Boston _ It's Dasake >_>
## 141.154.0.0/16 _ 151.203.0.0/16
iptables -A INPUT -s 141.154.0.0/16 -p udp --destination-port 25555 -j ACCEPT
iptables -A INPUT -s 151.203.0.0/16 -p udp --destination-port 25555 -j ACCEPT
iptables -A INPUT -s 141.154.0.0/16 -p udp --destination-port 10500 -j ACCEPT
iptables -A INPUT -s 151.203.0.0/16 -p udp --destination-port 10500 -j ACCEPT
iptables -A INPUT -s 141.154.0.0/16 -j DROP
iptables -A INPUT -s 151.203.0.0/16 -j DROP
# iptables -A INPUT -s 141.154.0.0/16 -p tcp -j DROP
# iptables -A INPUT -s 151.203.0.0/16 -p tcp -j DROP
As far as I know this worked, but it's not been confirmed. I need him to be blocked from all ports except 25555 on UDP and 10500 on UDP.

Code:
### [vt9] Raptor2800 _ Switzerland. Hacker A****le. Approved by Chibi.
## 195.186.220.124 _ 83.77.127.15 _ 83.79.88.58 _ 85.1.197.117
iptables -A INPUT -s 83.77.0.0/16 -p udp -j DROP
iptables -A INPUT -s 83.78.0.0/16 -p udp -j DROP
iptables -A INPUT -s 83.79.0.0/16 -p udp -j DROP
iptables -A INPUT -s 85.1.0.0/16 -p udp -j DROP
iptables -A INPUT -s 195.186.0.0/16 -p udp -j DROP

# MEGA vt9 BLOCKAGE:
# iptables -A INPUT -s 81.0.0.0/8 -j DROP
# iptables -A INPUT -s 80.0.0.0/5 -j DROP

# Felix _ Switzerland _ 83.77.107.29 NOT A HACKER (fs.com enabled above)
This is the one that's really been a problem. Felix is a friendly guy who is affected by the ranges. He is still blocked out because all my attempts at adding iptables -A INPUT -s 83.77.0.0/16 -p udp --destination-port 80 -j ACCEPT for each one, in front of the DROPs, had failed. I just need him to be able to visit our website. I wonder if it's because I needed to add port 443 as well?

Also, when I run the blacklist.sh script I do get a warning:

[root@takkun root]# ./blacklist.sh
iptables: Bad rule (does a matching rule exist in that chain?)

But none of the rules matched or anything.

Again, thanks for the help and sorry that I'm slow :P
 
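A cleaned-up version of the setup discussed in this thread, added here as an example and not taken from any of the posts: the main rules use a DROP policy with a logging rule at the end, the blacklist lives in its own chain so it can be flushed and re-run without duplicates (a technique the replies above do not use), and the two problem cases are written with the multiport match and a RETURN exception. The chain name BLACKLIST, the game-server port range 25000:26000, the TEST-NET address in the comments and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. The blacklist is kept in its own
# chain (BLACKLIST) that INPUT jumps to, so the blacklist script can flush and
# rebuild its rules without flushing INPUT and killing the main rules.
# Assumptions: the box is a web server (TCP 80/443) that also runs game
# servers on UDP 25000:26000; set IPT="echo iptables" for a dry run.
IPT="${IPT:-iptables}"

# Main ruleset, run once at boot: default-deny, then explicit ACCEPTs.
main_rules() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -N BLACKLIST 2>/dev/null || $IPT -F BLACKLIST
    $IPT -A INPUT -i lo -j ACCEPT
    # The jump comes before the conntrack ACCEPT so that a freshly blocked
    # host is cut off even on connections it already has open.
    $IPT -A INPUT -j BLACKLIST
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # HTTP is TCP 80 and HTTPS is TCP 443; no UDP rule is needed for the web.
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A INPUT -p udp --dport 25000:26000 -j ACCEPT
    # Last rule: log (rate-limited) whatever is about to hit the DROP policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

# Blacklist script, safe to re-run: flushing BLACKLIST (never INPUT) is what
# avoids the duplicate rules that appear when -A is run a second time.
blacklist_rules() {
    $IPT -F BLACKLIST
    # One host, UDP restricted to two ports: the "!" form of the original
    # question needs the multiport match rather than "! 25000,26000".
    # Like the first post's rule, this only restricts UDP from the host.
    $IPT -A BLACKLIST -s 24.112.23.227 -p udp -m multiport ! --dports 25000,26000 -j DROP
    # A whole range blocked, but one friendly host in it keeps web access.
    # RETURN hands the packet back to INPUT, whose 80/443 rule accepts it;
    # the exception must sit above the range DROP, since first match wins.
    $IPT -A BLACKLIST -s 83.77.107.29 -p tcp -m multiport --dports 80,443 -j RETURN
    $IPT -A BLACKLIST -s 83.77.0.0/16 -j DROP
    # Use -A or -I here, never -D: -D deletes a matching rule and reports
    # "Bad rule (does a matching rule exist in that chain?)" when none exists.
}

# One-off block from the command line, e.g. block_now 203.0.113.7: -I puts it
# at the top of BLACKLIST, ahead of any RETURN exception, without editing
# either script.
block_now() {
    $IPT -I BLACKLIST -s "$1" -j DROP
}

# Check the result: rule numbers show the order, counters show what matched.
show_rules() {
    $IPT -L INPUT -v -n --line-numbers
    $IPT -L BLACKLIST -v -n --line-numbers
}

case "${1:-}" in
    main)  main_rules ;;
    black) blacklist_rules ;;
    block) block_now "$2" ;;
    show)  show_rules ;;
esac
```

Run it with `main` once, then `black` whenever the list changes; `show` lists both chains with rule numbers and match counters, which is the quickest way to see which rule a packet actually hit.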