LinuxQuestions.org > Linux - Security > iptables : how do I block inbound traffic from one ip address only?
(https://www.linuxquestions.org/questions/linux-security-4/iptables-how-do-i-block-inbound-traffic-from-one-ip-address-only-159829/)

Apollo77 03-19-2004 10:46 AM

iptables : how do I block inbound traffic from one ip address only?
 
I've been running an email server for about 1 year. Lately I've been getting a lot of spam originating from one ip address to non-existent email addresses at my domain. The bounces then bounce back. Rather than trying to filter this stuff, I want to make my server ignore this IP address. I want them to time out without getting any kind of affirmative response from my server. Somehow that seems like a better solution to spam than simply filtering to prevent the mail from being delivered once it's already been accepted by my server. Make the spammer suffer a bit by timing out, I say.

I'm probably being lazy by asking this here, but quick research has not turned up an answer. Also, maybe someone else will need a quick answer to this exact question:

How do I use iptables to drop packets from that one ip address? I also want to ensure the rule gets re-instated after re-booting.

Thanks!
Apollo

forrestt 03-19-2004 11:27 AM

I believe this should work. Replace <filter name> with the name of your filter (probably RH-Firewall-1-INPUT). If it does, leave off the "/sbin/iptables" from the beginning and add it to the file /etc/sysconfig/iptables.

% /sbin/iptables -A <filter name> -s IP-Address -j DROP

To see your current firewall rules type:

% /sbin/iptables -L

Hope this helps

Forrest

Oh, BTW, what is the IP so we can all add the rule :D !!!

Apollo77 03-19-2004 01:02 PM

Almost there I think, but I need a bit more help. As you suspected, the server does run Redhat (8.0). When I try "/sbin/iptables -L" I get this output:
=======
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
=======

Not sure what that means, but probably looks like everything is wide open. Well it is. I guess I should mention my setup. The server is behind a router/firewall (different box). Obviously port 25 is open and directed to the RH box with the email server. The server itself does not run a firewall -- all ports open.

Ok, so /etc/sysconfig/iptables does not exist. I need to add it, correct? Or might it be called something else?

Apollo

PS. I'm tempted to post the offending ip address, but I guess I will refrain. If anyone needs Viagra or a mail-order bride let me know and I'll send it to you. :D

forrestt 03-19-2004 01:48 PM

Looks like you might not have iptables installed. I'm pretty sure that installing it adds the /etc/sysconfig/iptables file. If not, you will need to download the rpm and install it before performing the above steps. (You will probably also need to start the firewall: /etc/init.d/iptables start).

Run the command:

% rpm -qa |grep iptables

to see if you already have iptables installed. If you already have it installed, copy this:

-----------------------------<begin copy on next line>---------------------------------------------
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:RH-Lokkit-0-50-OUTPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A OUTPUT -j RH-Lokkit-0-50-OUTPUT
-A RH-Lokkit-0-50-INPUT -s IP-Address -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s dns.dns.dns.no1 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s dns.dns.dns.no2 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j DROP
-A RH-Lokkit-0-50-OUTPUT -j ACCEPT
COMMIT
---------------------------------------------<end copy on previous line>-----------------------------
to /etc/sysconfig/iptables. Change the lines with dns.dns.dns... to the IPs of your DNS servers. If you have more than two servers, add an additional line for each server.
You also need to change the line with IP-Address to instead have the offending IP. This firewall ruleset allows web, ssh, smtp, and telnet through (except from your fiend's IP, from which it drops all traffic). The lines like:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT

are the ones that affect this. If you need another service then find out what ports you need to open:

% grep <service name> /etc/services

If you grep timed, for example, you will get back:

timed 525/tcp timeserver
timed 525/udp timeserver

so you will need to add two lines:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 525 --syn -j ACCEPT
# --syn is a TCP-only match; a UDP rule takes no --syn
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 525 -j ACCEPT

Repeat for each service. If you want to remove a service, just comment out the lines that affect that service.

Once you are done, you will need to start iptables:

/etc/init.d/iptables start

Hope this helps,

Forrest

Apollo77 03-19-2004 03:10 PM

Actually, I had it installed, but I had previously used a Redhat GUI ("Security Level") to essentially turn it off. I went back in and turned the firewall on with this GUI, but opened all the ports I regularly use. That created /etc/sysconfig/iptables. This GUI program actually added in my DNS servers and apparently everything else needed. The file now looks very much like the one you posted.

Final question:

For this to work, do I need to insert the DROP line you provided prior to this line that allows email packets through:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT

Or does the order not matter?

Your help on this is very much appreciated.

Apollo

Apollo77 03-19-2004 03:22 PM

Actually, that was probably a silly question. I see you placed the new DROP line right above the port 80 line. I have done the same. However, out of curiosity does order matter? I'm assuming port 25 packets would get through from the offending IP address if I placed the new line after the port 25 ACCEPT line, correct? (note: I do realize the new line will block all traffic from that ip address, not just port 25).

Thanks again. I think I have this working.

Apollo

matthanley 03-19-2004 06:43 PM

Yes, the order of the rules matters. iptables will execute the first rule it comes to that matches your packet without reading the rest of the chain. So, putting the DROP before the ACCEPT is what you needed to do.
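
An added example, not code from anyone in this thread: a small Python first-match simulator that reads the INPUT side of the lokkit-style ruleset forrestt posted above (iptables-restore format) and walks it the way matthanley describes, so the effect of rule order can be checked without touching a live firewall. The addresses 203.0.113.66 (standing in for the spammer) and 192.0.2.53 (a DNS server) are constructed placeholders from the RFC 5737 documentation ranges, not real hosts; the simulator understands only the options the posted file uses (-s, -d, -p, -i, --sport, --dport, --syn, -m, -j) and rejects anything else.

```python
# Added example (not the thread's own code): first-match simulator for the posted ruleset.
import ipaddress
import shlex
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: the INPUT side of the posted file, placeholders filled from RFC 5737 ranges.
OFFENDER = "203.0.113.66"
DNS_SERVER = "192.0.2.53"
RULESET = f"""
*filter
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -s {OFFENDER} -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s {DNS_SERVER} --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j DROP
COMMIT
"""

def _net(a: str) -> ipaddress.IPv4Network:
    # iptables spells "any address" as 0/0, which the ipaddress module rejects
    return ipaddress.ip_network("0.0.0.0/0" if a == "0/0" else a, strict=False)

# option -> (argument converter, predicate(value, packet)); --syn is a bare flag
MATCHERS = {
    "-s": (_net, lambda v, p: ipaddress.ip_address(p["src"]) in v),
    "-d": (_net, lambda v, p: ipaddress.ip_address(p["dst"]) in v),
    "-p": (str, lambda v, p: p["proto"] == v),
    "-i": (str, lambda v, p: p.get("iface") == v),
    "--sport": (int, lambda v, p: p.get("sport") == v),
    "--dport": (int, lambda v, p: p.get("dport") == v),
    "--syn": (lambda _: True, lambda v, p: p["proto"] == "tcp" and p.get("syn", False)),
}

class Rule(NamedTuple):
    chain: str
    target: str
    tests: List[Tuple[str, object]]   # (option, converted value) pairs; all must hold
    text: str                         # original line, reported with the verdict

def parse_ruleset(text: str) -> Tuple[Dict[str, List[Rule]], Dict[str, str]]:
    """Return (rules per chain, policy per built-in chain) from iptables-restore text."""
    chains, policies = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line[0] == ":":                 # chain declaration, e.g. ':INPUT ACCEPT [0:0]'
            name, policy = line[1:].split()[:2]
            chains[name] = []
            if policy != "-":              # '-' marks a user chain, which has no policy
                policies[name] = policy
            continue
        tok = shlex.split(line)
        assert tok[0] == "-A", f"unsupported line: {line}"
        target, tests, i = "", [], 2
        while i < len(tok):
            opt = tok[i]
            arg = None if opt == "--syn" else tok[i + 1]
            if opt in MATCHERS:
                tests.append((opt, MATCHERS[opt][0](arg)))
            elif opt == "-j":
                target = arg
            elif opt != "-m":              # '-m tcp' / '-m udp' only load the match module
                raise ValueError(f"unsupported option {opt} in: {line}")
            i += 1 if arg is None else 2
        chains[tok[1]].append(Rule(tok[1], target, tests, line))
    return chains, policies

def evaluate(table, chain: str, pkt: dict) -> Tuple[Optional[str], Optional[str]]:
    """First-match walk: the first matching rule decides and the rest is never read.
    (None, None) means a user chain fell through (implicit RETURN to the caller)."""
    chains, policies = table
    for rule in chains[chain]:
        if not all(MATCHERS[o][1](v, pkt) for o, v in rule.tests):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target, rule.text
        verdict, why = evaluate(table, rule.target, pkt)   # -j into a user chain
        if verdict is not None:
            return verdict, why
    if chain in policies:                  # built-in chain: its policy decides what fell through
        return policies[chain], f"policy of {chain}"
    return None, None

def verdict_for(ruleset: str, pkt: dict) -> Tuple[Optional[str], Optional[str]]:
    return evaluate(parse_ruleset(ruleset), "INPUT", pkt)

def drop_after_accepts(text: str) -> str:
    """Variant with the per-IP DROP moved below the port-25 ACCEPT (Apollo's question)."""
    drop = f"-A RH-Lokkit-0-50-INPUT -s {OFFENDER} -j DROP\n"
    return text.replace(drop, "").replace("-i lo -j ACCEPT\n", "-i lo -j ACCEPT\n" + drop)

def smtp_syn(src: str) -> dict:
    """Constructed connection-opening packet to the mail server's port 25."""
    return {"src": src, "dst": "192.0.2.25", "proto": "tcp", "sport": 40000, "dport": 25, "syn": True, "iface": "eth0"}
```

Calling verdict_for(RULESET, smtp_syn(OFFENDER)) returns DROP together with the per-IP rule, because the walk stops at the first match; on drop_after_accepts(RULESET) the same packet comes back ACCEPT from the port-25 rule, which is the case Apollo asked about. Feeding it a non-SYN TCP segment also shows what the lokkit layout relies on: only connection-opening packets are filtered, so anything else falls through the user chain to the INPUT policy.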

forrestt 03-22-2004 10:22 AM

Thanks Matt. I didn't see Apollo's post until this morning.

Apollo, hope everything is working now.

Forrest


All times are GMT -5.