LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-22-2005, 06:38 AM   #1
tantric
LQ Newbie
 
Registered: Oct 2003
Location: Hampshire, UK
Distribution: SuSE 8.2 RH9
Posts: 20

Rep: Reputation: 0
Iptables syntax puzzler


Hi

I have been trying to ban IP addresses from port 25 using iptables.

To check it worked okay, I thought I would try and ban yahoo and gmail, as I could test these okay.

Unfortunately the emails seem to be getting through.

I know that yahoo and gmail use lots of mail servers, but I thought I banned a range and also I looked in my headers of emails that got through and saw IP addresses that were listed in etc/sysconfig/iptables.

Here are some examples of the syntax I have tried.


-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 217.12.10.188 --dport 25 -j REJECT

also

-A INPUT -i eth0 -p tcp -s 217.12.10.0/20 --destination-port 25 -j REJECT

and

-A INPUT -i eth0 -p tcp -s 217.12.10.171 --destination-port 25 -j REJECT

and finally

-A INPUT -i eth0 -p tcp -s wproxy.gmail.com --destination-port 25 -j REJECT

I have also tried DROP as well as REJECT. I have read as much as my brain can take on iptables and was wondering if anyone could spot a glaring error I have made.

The linux distribution I am using is RH9 and this seems to use a script called LOKKIT to set up iptables. I am directly editing etc/sysconfig/iptables. I know that the rules are working as iptables -L lists all of them for me.

Oh and I am restarting the iptables with service iptables restart.

what am I doing wrong??!!

Many Thanks

Tantric
 
Old 03-22-2005, 06:52 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Could be a problem with rule order. If there are any other rules preceding that rule, they may accept the packet before your reject rule. It might help if you posted your full iptables rules (with any public IP addresses removed).
 
Old 03-22-2005, 07:01 AM   #3
tantric
LQ Newbie
 
Registered: Oct 2003
Location: Hampshire, UK
Distribution: SuSE 8.2 RH9
Posts: 20

Original Poster
Rep: Reputation: 0
Hi

Thanks for the swift reply, you pointed me in the right direction

I hashed out the line

-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT

and this seemed to do the trick

I can only think that it was allowing everything on eth0 so that was open all the time. Therefore the entries after were having no effect.

Many Thanks for your help

Tantric

Last edited by tantric; 03-22-2005 at 07:17 AM.
 
Old 03-22-2005, 07:21 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Yeah, looks like it. There are actually several rules that would match smtp packets before your rules would even apply. Do the following:

At the command line enter your rules like this:
iptables -I INPUT -i eth0 -p tcp -s xx.xx.xx.xx --destination-port 25 -j DROP

Notice that there is an 'I' before the words "iptables" and "INPUT". This will insert the rule at the very beginning of the firewall rather than append it to the bottom (which is what the -A does). Once you've entered all your rules like that, then do:
service iptables save

which will save your rules to /etc/sysconfig/iptables
 
Old 03-22-2005, 07:28 AM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by tantric
Hi
Thanks for the swift reply, you pointed me in the right direction
I hashed out the line
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
and this seemed to do the trick
That was the one I was thinking of. Was that rule included as part of the lokkit rules or did you add that on your own? It made me curious 'cause it basically disabled all the other rules that followed as well.
 
Old 03-22-2005, 05:22 PM   #6
tantric
LQ Newbie
 
Registered: Oct 2003
Location: Hampshire, UK
Distribution: SuSE 8.2 RH9
Posts: 20

Original Poster
Rep: Reputation: 0
Hi

-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT

That was part of the lokkit rules.

Further complication!!

I found tonight that I couldn't see any of my server websites, send mail or use ssh!! Aaargh! Luckily a phone call to a guy who houses the server and he removed the hashed out entries.

I guess I may put my rules before the lokkit ones now to see how that goes

Then use the accept on eth0 at the end.

I have also written a php page that allows me to build an iptables line when I enter an IP address after the page URL ?ip=1.1.1.1 or whatever. It then appends it to a file in my htdocs directory.

Is there any way I can write a bash script to pull the lines out of the file and insert them into iptables? I could then run it regularly as a cron job. Guess a crash course in bash scripting is called for!!

It's all a learning thing!!

Thanks

Tantric

Last edited by tantric; 03-22-2005 at 05:25 PM.
 
Old 03-22-2005, 06:46 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If you list all the services that you need and a basic description of your network, I'm sure we can come up with a basic firewall that is better than the lokkit one you posted earlier.

Is there any way I can write a bash script to pull the lines out of the file and insert them into iptables? I could then run it regularly as a cron job. Guess a crash course in bash scripting is called for!!

Yup. If you have the IP addresses listed one after another in a single text file, then it's pretty simple (famous last words) to have a script run by cron that can update iptables with new addresses. Here's an example:

Code:
#!/bin/bash
# Read the blocklist (one IP address per line) and append a DROP rule for each.
FILE=/path/to/blocklist/file

while read -r ip
do
    /sbin/iptables -A INPUT -s "$ip" -j DROP
done < "$FILE"
Though you'd probably want to do a check to see if an IP was already added as well.

--edit--
To be honest, you should be very careful about how you implement the PHP part of this. Having PHP interact with a file that's then executed by cron running under root is a dangerous proposition and could be abused in a number of ways if an attacker had access or knew how it worked. Could you explain what the PHP part does? Is this just a web interface for adding IPs to iptables? If so, there are probably a lot more secure ways.

Last edited by Capt_Caveman; 03-22-2005 at 06:51 PM.
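The following is an added example, not code from the thread or from Capt_Caveman. It pulls together the advice in post #4 (insert with -I so an earlier blanket ACCEPT cannot shadow the rule) and the script in post #7 with its two caveats: check whether an address is already blocked before adding it, and do not trust a file that a web page writes and a root cron job consumes. Every line is validated as a bare IPv4 address or CIDR before it reaches iptables, so a line such as "1.2.3.4 -j ACCEPT" is refused rather than turned into an ACCEPT rule. The BLOCKLIST_FILE variable, the script name and the /sbin/iptables path are assumptions; `iptables -C` is newer than the 2005-era iptables on RH9, so on an old version you would grep `iptables -L INPUT -n` instead.

```bash
#!/bin/sh
# Added example, not from the thread. Reads a blocklist file (one IPv4 address
# or CIDR per line, '#' comments allowed), refuses anything that is not a plain
# address, skips addresses that are already blocked, and INSERTS (-I) the DROP
# rule at the top of INPUT so an earlier blanket ACCEPT cannot shadow it.
# BLOCKLIST_FILE and the iptables path are assumptions; adjust for your host.
set -uf

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Return 0 only if $1 is a dotted-quad IPv4 address with an optional /prefix.
# Hostnames, extra iptables arguments or shell metacharacters are rejected,
# which is the point when the file is written by a web front end.
is_ipv4_cidr() {
    local addr ip prefix rest octet n
    addr=$1
    case "$addr" in
        */*) ip=${addr%%/*}; prefix=${addr#*/}
             case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac  # 1-2 digits
             [ "$prefix" -le 32 ] || return 1 ;;
        *)   ip=$addr ;;
    esac
    # only digits and dots; no leading, trailing or doubled dots
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0; rest=$ip
    while :; do
        case "$rest" in
            *.*) octet=${rest%%.*}; rest=${rest#*.} ;;
            *)   octet=$rest; rest= ;;
        esac
        [ ${#octet} -ge 1 ] && [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ -z "$rest" ] && break
    done
    [ "$n" -eq 4 ]
}

# Add a DROP rule for $1 unless an identical one already exists.
# Returns 0 if added, 1 if already present, 2 if the entry was refused.
# (iptables -C needs iptables >= 1.4.11; on older versions grep `iptables -L INPUT -n`.)
block_addr() {
    local addr
    addr=$1
    if ! is_ipv4_cidr "$addr"; then
        echo "refusing invalid entry: $addr" >&2
        return 2
    fi
    if "$IPTABLES" -C INPUT -s "$addr" -j DROP 2>/dev/null; then
        echo "already blocked: $addr"
        return 1
    fi
    "$IPTABLES" -I INPUT -s "$addr" -j DROP && echo "blocked: $addr"
}

# Walk the blocklist; the last line printed is the number of rules added.
apply_blocklist() {
    local file line added
    file=$1; added=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}        # drop comments
        set -- $line            # word splitting trims surrounding whitespace
        [ $# -eq 0 ] && continue
        if [ $# -ne 1 ]; then   # "1.2.3.4 -j ACCEPT" style lines are not addresses
            echo "refusing malformed line: $line" >&2
            continue
        fi
        block_addr "$1" && added=$((added + 1))
    done < "$file"
    echo "$added new rule(s) added"
}

# Run directly as root (e.g. from cron):
#   BLOCKLIST_FILE=/path/to/blocklist.txt ./apply-blocklist.sh
if [ -n "${BLOCKLIST_FILE:-}" ]; then
    apply_blocklist "$BLOCKLIST_FILE"
fi
```

Because the script only ever passes a validated address into a fixed rule template, the worst a tampered blocklist can do is add DROP rules for addresses of the attacker's choosing; it cannot open ports or run commands. Keep the file writable only by the account that is meant to feed it, and review the rules with `iptables -L INPUT -n --line-numbers` after a run.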
 
  

