Koozali.org: home of the SME Server

Port Blocking.

Chris

Port Blocking.
« on: January 22, 2003, 06:09:23 PM »
How do I modify e-smith 5.5 to block ports on a range of IPs?

Ex. 192.168.168.50 ----> 192.168.168.100 block port 80 internally.

Bill Talcott

Re: Port Blocking.
« Reply #1 on: January 22, 2003, 06:54:11 PM »
Could you clarify a bit? You want the IPs from 192.168.168.50 through 192.168.168.100 to not be able to access any port 80?

Chris

Re: Port Blocking.
« Reply #2 on: January 22, 2003, 09:32:23 PM »
That's correct. I do not want users on the LAN to have browser access, but I want them to be able to send and receive e-mail.

Nathan Fowler

Re: Port Blocking.
« Reply #3 on: January 22, 2003, 09:50:27 PM »
Jump to console, create a new file called "iplistdeny"
Paste (EXACTLY AS IT APPEARS, SPACING IS IMPORTANT!):

#!/bin/bash
#Nathan Fowler
#Jan 22, 2003

#Modify these values to suit your needs.
#serverIP is the IP address of the local server
Port="80"
Proto="tcp"
serverIP="192.168.168.1"
prefixIP="192.168.168."
startIP=50
endIP=100
outfile="iplist.txt"

#Do not modify beyond this line unless you know what you're doing.
#The C-style for loop below is bash syntax, hence the bash shebang above.
for ((curIP=startIP ; curIP <= endIP ; ++curIP))
do
  IP="$prefixIP$curIP"
  #Deny $Proto to $Port from this host unless the destination is the server itself.
  ChainRule="/sbin/ipchains -A input -p $Proto --dport $Port --source $IP -d ! $serverIP -j DENY"
  echo "$ChainRule" >> "$outfile"
done
exit 0
#EOF

Next, chmod +x iplistdeny from console
./iplistdeny

It should create your ipchains list; if you want to add it to /etc/rc.d/rc.local you can simply:
cat iplist.txt >> /etc/rc.d/rc.local

Or you could paste it manually, or chmod +x iplist.txt and execute it.  Either way, it's up to you.

The file will create a list of ipchains commands to deny the specified port for the specified IP range (uses only the fourth octet). It will deny the listed IP addresses access to $Port using $Proto EXCEPT when it is talking directly to $serverIP.

Hope this helped,
Nathan
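A range of hosts does not need one ipchains rule per address: ipchains accepts a network/mask in -s, so a contiguous range can be split into the few aligned CIDR blocks that cover it exactly. The script below is an added example written for this page; it is not Nathan's script from the thread and not part of SME Server. It generates the same kind of DENY rules for an arbitrary start and end address (not only the fourth octet), validates the addresses, and emits one rule per block. The function names (ip2int, int2ip, range2cidr, gen_deny_rules), the file name iplistdeny.sh and the sample addresses are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not the script posted in this thread): emit ipchains DENY
# rules for a contiguous IP range, using aligned CIDR blocks instead of one
# rule per host. Function names and the sample range are assumptions.

# ip2int: dotted-quad IPv4 address -> unsigned integer; fails on bad input.
ip2int() {
  local IFS=. o n=0
  set -- $1
  [ $# -eq 4 ] || { echo "ip2int: expected a.b.c.d, got '$*'" >&2; return 1; }
  for o in "$@"; do
    case $o in
      ''|*[!0-9]*|0[0-9]*) echo "ip2int: bad octet '$o'" >&2; return 1 ;;
    esac
    [ "$o" -le 255 ] || { echo "ip2int: octet '$o' > 255" >&2; return 1; }
    n=$(( (n << 8) | o ))
  done
  echo "$n"
}

# int2ip: unsigned integer -> dotted quad.
int2ip() {
  local n=$1
  echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# range2cidr START END: print the minimal list of CIDR blocks covering
# START..END inclusive. At each step the block is the widest prefix that is
# aligned at the current address and does not run past END.
range2cidr() {
  local s e cur prefix size
  s=$(ip2int "$1") || return 1
  e=$(ip2int "$2") || return 1
  [ "$s" -le "$e" ] || { echo "range2cidr: start is after end" >&2; return 1; }
  cur=$s
  while [ "$cur" -le "$e" ]; do
    prefix=32
    while [ "$prefix" -gt 0 ]; do
      size=$(( 1 << (33 - prefix) ))          # size of the next wider block
      if [ $(( cur & (size - 1) )) -eq 0 ] && [ $(( cur + size - 1 )) -le "$e" ]; then
        prefix=$(( prefix - 1 ))
      else
        break
      fi
    done
    echo "$(int2ip "$cur")/$prefix"
    cur=$(( cur + (1 << (32 - prefix)) ))
  done
}

# gen_deny_rules START END [PORT] [PROTO] [SERVER]: one ipchains DENY rule
# per block. With SERVER set, traffic to the server itself is left alone
# (-d ! SERVER), the same exception the original script makes.
gen_deny_rules() {
  local start=$1 end=$2 port=${3:-80} proto=${4:-tcp} server=$5 block blocks
  blocks=$(range2cidr "$start" "$end") || return 1
  for block in $blocks; do
    if [ -n "$server" ]; then
      echo "/sbin/ipchains -A input -p $proto -s $block -d ! $server --dport $port -j DENY"
    else
      echo "/sbin/ipchains -A input -p $proto -s $block --dport $port -j DENY"
    fi
  done
}

# Stand-alone use:
#   bash iplistdeny.sh 192.168.168.50 192.168.168.100 80 tcp 192.168.168.1 > iplist.txt
if [ $# -ge 2 ]; then
  gen_deny_rules "$@"
fi
```

For the range in the thread (.50 through .100) this yields six rules (/31, /30, /29, /27, /30, /32) instead of fifty-one. Two things to check before relying on the output: ipchains stops at the first matching rule and -A appends to the end of the input chain, so if an earlier rule already ACCEPTs this traffic the DENY never fires; inspect ordering with ipchains -L input -n and use -I input to insert at the top if needed. Also, the rule matches only the port you pass; a browser will still reach HTTPS sites unless you run the generator again for port 443.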