Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I want to know what I can put in my rc.firewall script to stop an IP from getting out. I don't want a certain IP to get out to the internet. How can I do this in my rc.firewall script?
Assuming that your linux box in question is acting as a router for the other machines, you can add an ipchains rule. Something like:
ipchains -A forward -i eth0 -j REJECT
where (-i eth0) is your external NIC connected to the internet (ipchains has no -o option; on the forward chain, -i matches the interface the packet is going out on).
-DISCLAIMER-
You definitely want to verify that rule as my memory of RH7.0 and ipchains is fading, but the general idea should work.
Maybe I'm missing something, but isn't that solution going to shut down ALL addresses? If I'm reading the original question correctly, the problem is to shut down a single IP address. In iptables I think something like:
iptables -A OUTPUT -s XXX.XXX.XXX.XXX -j REJECT
might work, but I don't know what the ipchains equivalent would be.
I just double checked and we're all wrong. The target chain is lower case in ipchains (He's using RH7.0). So:
ipchains -A output -s XXX.XXX.XXX.XXX -j REJECT
doh!
Last edited by Capt_Caveman; 03-18-2003 at 09:13 PM.
I just realized he's using the 2.4.17 kernel, so he might have iptables running after all. So don't mind me, I'm just going to go back to sniffing glue now.
No, iptables and ipchains use slightly different syntax:
For iptables:
iptables -A OUTPUT -s XXX.XXX.XXX.XXX -j REJECT
For ipchains:
ipchains -A output -s XXX.XXX.XXX.XXX -j REJECT
Notice the difference. So the question really is are you running iptables or ipchains. RedHat7.0 used ipchains but if you really updated your kernel all the way to version 2.4.17 (which I personally think is kind of hard-core) you could be using iptables.
A couple of questions:
1. Are you using iptables or ipchains?
2. Are you doing any kind of forwarding or masquerading(NAT)?
3. Did you put that rule before or after your rule(s) that allow the other addresses through?
If you're doing any kind of forwarding or masquerading for your LAN addresses, it might be bypassing the OUTPUT chain. If so, add a rule before the forwarding or masquerading lines that specifically prohibits that address from going through.
If you're forwarding, for example:
iptables -A FORWARD -i eth1 -o eth0 -s xxx.xxx.xxx.xxx -j REJECT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
-or just this-
iptables -A FORWARD -i eth1 -o eth0 -s ! xxx.xxx.xxx.xxx -j ACCEPT
If you're using ipchains, the syntax will be different. Also, post the relevant iptables rules, network topology, etc. It's kind of hard to figure out what the problem is if we don't know the whole picture.
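To tie the points in this thread together (FORWARD rather than OUTPUT for relayed traffic, the block placed ahead of the ACCEPT, and NAT not bypassing the filter), here is an rc.firewall-style fragment. It is an added example, not code from any poster; the interface names eth1 (LAN) and eth0 (internet), the address 192.168.1.50 and the function names are assumptions. Setting IPT=echo dry-runs it and prints the rules instead of loading them, which is how the ordering check below is exercised.

```shell
#!/bin/sh
# Added example (not from the thread): block one LAN host from reaching the internet
# through a Linux router running iptables.
# Assumptions (hypothetical): LAN on eth1, internet on eth0, blocked host 192.168.1.50.
# Set IPT=echo to dry-run and print the rules instead of loading them.
IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"

build_rules() {
    blocked="$1"   # the LAN address that must not get out

    # Flush the chains this script owns so re-running it does not duplicate rules.
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # 1. The block goes in FORWARD, not OUTPUT: packets from other hosts that the
    #    router relays never traverse OUTPUT, which only sees the router's own traffic.
    # 2. It is appended first, so it sits above the ACCEPT that lets the rest of the
    #    LAN through; iptables stops at the first matching rule in a chain.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$blocked" -j REJECT

    # Let the remaining LAN hosts out, and replies to them back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerading happens in nat/POSTROUTING after the filter decision, so the
    # REJECT above fires before the packet could be rewritten and sent out.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Reads a rule listing on stdin (e.g. the dry-run output of build_rules) and returns 0
# only if the FORWARD REJECT for the given address appears before any FORWARD ACCEPT.
reject_precedes_accept() {
    awk -v addr="$1" '
        /-A FORWARD/ && $0 ~ addr && /REJECT/ && !seen_accept { found = 1 }
        /-A FORWARD/ && /-j ACCEPT/ { seen_accept = 1 }
        END { exit found ? 0 : 1 }'
}

# Usage on the router:   build_rules 192.168.1.50
# Dry run:               IPT=echo build_rules 192.168.1.50
# Verify afterwards with: iptables -L FORWARD -v -n --line-numbers
# The REJECT must be at line 1, and its packet counter should climb when the host
# tries to get out. Note the match is on the IP only; a user who changes the host's
# address gets around it, so a stricter rule would also match -m mac --mac-source.
```

The same structure applies to ipchains, with the rule on the lowercase forward chain and `-i eth0` naming the outgoing interface, but ipchains has no separate nat table: masquerading is the `-j MASQ` target on the forward chain itself, so the REJECT still has to come before it.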