LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 04-03-2009, 04:20 PM   #16
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380

Quote:
Originally Posted by anomie View Post
If you are only blacklisting for certain services, and can add extra criteria to the -j CHECK_IP rule, all the better. For example, if you are only blacklisting those addresses to tcp port 22 (ssh), then add the appropriate criteria to the rule
Excellent point, anomie. Thanks for posting that.

Last edited by win32sux; 04-03-2009 at 04:28 PM.
 
Old 04-14-2009, 10:41 PM   #17
fruitwerks
Member
 
Registered: Apr 2009
Posts: 80

Original Poster
Rep: Reputation: 15
I need to block all traffic from these and all is working well. I also run a transparent proxy. Is there a way to route port 80 request for these back to my webserver? This way it will give a 404 instead of taking the time to time-out.
 
Old 04-15-2009, 12:04 AM   #18
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by fruitwerks View Post
I need to block all traffic from these and all is working well. I also run a transparent proxy. Is there a way to route port 80 request for these back to my webserver? This way it will give a 404 instead of taking the time to time-out.
Yes, you can DNAT the packets. It's much quicker to just switch from DROP to REJECT, though. Plus it's an application-neutral method, unlike an HTTP status code.

Last edited by win32sux; 04-15-2009 at 12:05 AM.
 
Old 04-15-2009, 01:43 PM   #19
fruitwerks
Member
 
Registered: Apr 2009
Posts: 80

Original Poster
Rep: Reputation: 15
ok, so you are suggesting to change all my drop statements to rejects? I think I had chosen drop for a specific reason... but I can't recall why it was so important. Using reject would cause a return ('fail') instead of a timeout?

Fun Stuff!
 
Old 04-15-2009, 06:20 PM   #20
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by fruitwerks View Post
ok, so you are suggesting to change all my drop statements to rejects?
Only because you mentioned you didn't want these clients to need to wait for a timeout.

Quote:
I think I had chosen drop for a specific reason... but I can't recall why it was so important. Using reject would cause a return ('fail') instead of a timeout?
Usually people go with DROP instead of REJECT when they want to be stealthy.

From man iptables:
Code:
   REJECT
       This  is  used  to send back an error packet in response to the matched
       packet: otherwise it is equivalent to DROP so it is a terminating  TAR‐
       GET,  ending  rule  traversal.  This target is only valid in the INPUT,
       FORWARD and OUTPUT chains,  and  user-defined  chains  which  are  only
       called  from those chains.  The following option controls the nature of
       the error packet returned:

       --reject-with type
              The type given can be
               icmp-net-unreachable
               icmp-host-unreachable
               icmp-port-unreachable
               icmp-proto-unreachable
               icmp-net-prohibited
               icmp-host-prohibited or
               icmp-admin-prohibited (*)
              which return the appropriate ICMP error  message  (port-unreach‐
              able is the default).  The option tcp-reset can be used on rules
              which only match the TCP protocol: this causes a TCP RST  packet
              to  be  sent  back.   This  is  mainly useful for blocking ident
              (113/tcp) probes which frequently occur  when  sending  mail  to
              broken mail hosts (which won’t accept your mail otherwise).

       (*)  Using  icmp-admin-prohibited  with  kernels that do not support it
       will result in a plain DROP instead of REJECT

Last edited by win32sux; 04-15-2009 at 06:24 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
importing audio CD jani1982 Linux - Software 2 03-29-2008 09:11 AM
Importing favourites from IE sipickles Linux - Newbie 3 10-29-2007 12:56 PM
Mailbox Importing skulbite Linux - Server 3 01-29-2007 11:12 AM
iptables v1.2.9: Unknown arg `/sbin/iptables' Try `iptables -h' or 'iptables --help' Niceman2005 Linux - Security 4 12-29-2005 09:20 PM
importing??? mojozoox Linux - Software 3 08-25-2003 08:43 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 08:52 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration