Hello all...

I think what I need is some ipchains/firewall help. I'm a fairly experienced Linux user, but haven't done much with ipchains at all. I'm using RedHat 7.0.

Latley, I've been experiencing a strange problem in which my apache server is unreachable for 2-4 minutes, and then is fine again. This happens a few times per day. During the times it is going on, nmap shows the port as "filtered."

I finally caught it "in the act" today, and did a netstat, and found about a million connections on my port 80 from www.above.net. The screen just kept on scrolling with them. Now sure what they're doing or why, but I just want to block that domain from hitting my port 80.

In RedHat 7.0, what's the best way to do this? I assume I'll need an ipchains rule. I'm not sure what that rule would be, though. Also, I'm not sure where to put it so that it always runs at boot time (/etc/sysconfig/ipchains?).

Thanks in advance for any help you can offer.

Jeff C.

(host www.above.net: www.above.net. has address 207.126.96.163)
To block this domain, use rule:
/sbin/ipchains -A input -p tcp -i eth0 -s 207.126.96.163 --destination-port 80 -j DENY

If RH 7.0 ipchains works like RH 7.1 iptables saves it's scripts it'll be saved at reboot time (IIRC), else you can use the ipchains-save script, else you can add the line to rc.local. Rc.local is a bad thing cuz if you manually reload rules it won't be taken into account. Rusty's old ipchains rpm package (again, IIRC) puts the firewall script in /etc/rc.d as rc.firewall, instead of using /etc/sysconfig.