Blocking IP's with IP Tables blocks actual traffic

ninjaz · 03-29-2006, 10:41 AM

I get people trying ssh attacks against my computer and I have tried blocking their IP addresses with the firewall in ip tables and it starts to block legitimate traffic. At one point it was blocking traffic going out of the computer. All I did was set up a rule that would drop all traffic coming from that ip or blocks of ip's. Any ideas?

Centinul · 03-29-2006, 11:07 AM

I would suggest that you post the rules and/or firewall script so we can all take a look at it.

ninjaz · 03-29-2006, 05:16 PM

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
# 210.253.118.91
-A RH-Firewall-1-INPUT -s 210.253.118.91 -j REJECT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 10000 --state NEW -j ACCEP
T
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 8080 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state -m udp --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed

win32sux · 03-31-2006, 02:35 AM

i haven't looked at your iptables rules, cuz honestly redhat's way of doing rules confuses the heck out of me, but to block some IP which is bugging you just execute something like this:

Code:

iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

where xxx.xxx.xxx.xxx is of course the IP you want to deny all access to your box... this rule when executed from the command line should work no matter what your other rules are doing, as the "-I" sends it to the top of the chain...

~=gr3p=~ · 03-31-2006, 03:26 AM

Also try using denyhosts kool program

http://denyhosts.sourceforge.net/

Also it's better to run SSH (when giving access to the internet) on a different port rather than the default 22.

ninjaz · 04-05-2006, 05:31 PM

Thanks gr3p, denyhosts works great.