How to ban question: Anyone know how?

Lazy · 02-26-2006, 02:49 PM

Hi,

I using Suse 10.0 64 version. Was wondering how I use the firewall to ban a particular ip address. Is there a way to do this from the shell? If so what is the syntax?

the ip question is 86.84.109.31

Thank you, my server is under a DOS attack from this IP and any assistence would be greatly appreciated

rhoekstra · 02-26-2006, 03:10 PM

as root:

Code:

iptables -I INPUT -s 86.84.109.31 -j DROP

rhoekstra · 02-26-2006, 03:11 PM

What this does:

In the INPUT chain (where rules reside to match for packets getting into the machine), all packets that come from 86.84.109.31, it will be DROPPED..

Mara · 02-26-2006, 03:12 PM

iptables -A INPUT -s 86.84.109.31 -j DROP
The place of the IP is quite clear

Note: it adds a new rule to INPUT. If you already have a firewall configured it may be that the requests are already accepted before this rule is taken into consideration. So, if you have a firewall, put it close to the beginning of the INPUT section.

Lazy · 02-26-2006, 06:14 PM

Noob question: Do I have to restart the firewall for the bans tork, if so how?

rickh · 02-26-2006, 06:47 PM

Of course when you reboot this rule as set out above will disappear, and have to be re-entered.

A better solution for the casual user is to use an IPTABLES front-end gui like Firestarter (Gnome) or Guarddog (KDE). Set the blocking rule up in one of those and it'll stay there. If you have a router, it's also easy to set such a rule up on that firewall.

piforever · 02-26-2006, 07:37 PM

just save it

/sbin/iptables-save > /etc/sysconfig/iptables

and no need to restart

chibi · 02-27-2006, 01:40 AM

A good site to teach you basic IPTABLE stuff is here:

http://www.justlinux.com/nhf/Securit...es_Basics.html

Also if their ip is dynamic and not static, they just need to restart so they can DOS you again. So if you'd like to ban an entire range you would do:

iptables -A INPUT -s 86.84.0.0/16 -j DROP and thats the same as 86.84.*.*

86.0.0.0/24 would be 86.*.*.* respectively.

Hope that helps you too. I've never used firestarter I always type in my iptables manually or add it to a script ill execute on restart.

Also if you wanna look at your iptables, use the iptables -L command.

ALInux · 02-27-2006, 05:36 AM

iptables -I INPUT -s 86.84.109.31 -j DROP

This will add the rule as the first rule..this way you will guaranteet that there are no rules preceding this rule that cancel it out.

Note: -I takes nubmer for order...without a number the default is 1

Poetics · 02-27-2006, 11:32 AM

-Fantastic- link, chibi

tbeehler · 04-11-2006, 10:21 AM

Thanks guys. This really helped me out when I found someone from China was trying to port scan me. I appreciate it!

Travis

simcox1 · 04-11-2006, 02:04 PM

There's also /etc/hosts.allow and hosts.deny which you can use to block connections.

tbeehler · 04-11-2006, 02:46 PM

Quote:

Originally Posted by simcox1

There's also /etc/hosts.allow and hosts.deny which you can use to block connections.

Does Postfix use the hosts.deny and hosts.allow? or do I have to specify it in the main.cf file?

simcox1 · 04-11-2006, 03:01 PM

It's nothing to do with your mta. It's just another way to block specific hosts. Or allow them. If you look at the manuals for them it'll tell you more. I just thought I'd mention it. man 5 hosts_access and man 5 hosts_options.

Capt_Caveman · 04-11-2006, 04:53 PM

As far as I know, Postfix doesn't have support for tcp_wrappers/libwrap and doesn't use host.allow/deny. You need to be very carefull when using tcp_wrappers to make sure that app in question actually uses it (things like Apache and Postfix don't by default). You can configure daemons to run through xinetd and use tcp_wrappers, but Postfix has it's own access control file for that purpose (/etc/postfix/access).