LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Blocking IP's with IP Tables blocks actual traffic (https://www.linuxquestions.org/questions/linux-security-4/blocking-ips-with-ip-tables-blocks-actual-traffic-429668/)

ninjaz 03-29-2006 10:41 AM
Blocking IP's with IP Tables blocks actual traffic
 
I get people trying ssh attacks against my computer and I have tried blocking their IP addresses with the firewall in ip tables and it starts to block legitimate traffic. At one point it was blocking traffic going out of the computer. All I did was set up a rule that would drop all traffic coming from that ip or blocks of ip's. Any ideas?

Centinul 03-29-2006 11:07 AM
I would suggest that you post the rules and/or firewall script so we can all take a look at it. :)

ninjaz 03-29-2006 05:16 PM
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
# 210.253.118.91
-A RH-Firewall-1-INPUT -s 210.253.118.91 -j REJECT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 10000 --state NEW -j ACCEP
T
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 8080 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state -m udp --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed

win32sux 03-31-2006 02:35 AM
i haven't looked at your iptables rules, cuz honestly redhat's way of doing rules confuses the heck out of me, but to block some IP which is bugging you just execute something like this:
Code:
iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
where xxx.xxx.xxx.xxx is of course the IP you want to deny all access to your box... this rule when executed from the command line should work no matter what your other rules are doing, as the "-I" sends it to the top of the chain...

~=gr3p=~ 03-31-2006 03:26 AM
Also try using denyhosts kool program :)

http://denyhosts.sourceforge.net/

Also it's better to run SSH (when giving access to the internet) on a different port rather than the default 22.

ninjaz 04-05-2006 05:31 PM
Thanks gr3p, denyhosts works great.


All times are GMT -5. The time now is 07:57 AM.