Koozali.org: home of the SME Server

firewall rule to drop unwanted packets from specific IPs

icpix

firewall rule to drop unwanted packets from specific IPs
« on: May 10, 2005, 03:10:09 PM »
Trying to ignore some of my more persistently obnoxious unwanted browsers and/or their associated emails. Thought I could effectively do this using the following firewall rule...
/sbin/iptables -A INPUT -s 221.226.110.0/24 -j DROP
...but their stuff still appears in the logs. I tried restarting Apache as well...
/etc/rc.d/init.d/httpd-e-smith graceful
...just in case the server needed it for things to start biting. However the stuff still sails in;~/

The above is just an example, I have many others whose packets I would really like to just drop out of existence for other reasons. I am perfectly happy with the total bothways obliteration of anything to do with these and other connections. I just don't seem to be able to encode total packet annihilation for anything to do with specific IPs and IP/netmasks.

I should point out that SME server v6.0.1-01's firewall integrity is OK (!?) and that it is just my feeble attempts at firewall rules that aren't working properly!

Obliged if somebody might point out how I might achieve this appropriately;~)

best wishes, Robert

icpix

firewall rule to drop unwanted packets from specific IPs
« Reply #1 on: May 10, 2005, 06:52:38 PM »
I noticed in some similar threads the use of...
service masq restart
...and I also noticed that its use resulted in my (earlier) additions to the rules then disappearing. Perhaps my earlier coding shows up in a listing but is not active until this masq restart... which then loses my additional code (due to templating)? A sort of Catch-22.

Sleuthing around I think I've worked out how to set up and apply a suitable template. Looking at the existing stuff I picked an appropriate name (40DenyNaff) and coded...
pico /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyNaff

...with some suitable irritants...
/sbin/iptables -A INPUT -s 64.240.0.0/14 -j DROP
/sbin/iptables -A INPUT -s 66.194.6.0/24 -j DROP
/sbin/iptables -A INPUT -s 221.226.110.0/24 -j DROP

expanded - restarted masq and Apache - listed...
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
service masq restart
/etc/rc.d/init.d/httpd-e-smith graceful
iptables -L -n


Nothing has fallen over yet though perhaps it's too soon to tell...

best wishes, Robert

(own post edit) the restart of Apache does not seem to be necessary

jackl
firewall rule to drop unwanted packets from specific IPs
« Reply #2 on: May 11, 2005, 03:02:18 AM »
Hi Robert,
Have you tried this contrib:
http://www.muzo.homeip.net/nest/contribs/Rpm/Masq_Manager/

Found it worked great, makes it all very easy.

I've noticed that even though packets have been dropped they are still recorded in the logs. Pinging my own server it does not reply but the denylog messages still appear in the message log.

Regards
Jack

arne
firewall rule to drop unwanted packets from specific IPs
« Reply #3 on: May 11, 2005, 03:37:56 AM »
/sbin/iptables -A INPUT -s 221.226.110.0/24 -j DROP

This applies a rule at the end of the INPUT chain. If the packet is accepted higher up, the rule will have no effect.

This places the rule at the top of the INPUT chain where it will have effect:

/sbin/iptables -I INPUT -s 221.226.110.0/24 -j DROP

Don't remember if you can use the IP only as a filtering criterion. Think I have some small memory that says this might not work. Don't know, but you can try.

Please leave a msg if it works!

Arne.

icpix

firewall rule to drop unwanted packets from specific IPs
« Reply #4 on: May 11, 2005, 10:57:04 AM »
jackl----
No, I haven't tried that contrib. The method I laid out above is quite simple and straightforward for my workflow so haven't seen the need. As for unwanted packets in the logs, of those I have seen none. Actually one of the points of this project was to stop the logs filling up with this sort of repetitive pointless verbiage so that more effort is then concentrated on the stuff that really matters! I am thoroughly delighted with the current results.

arne----
Noted. I haven't yet seen instances of that but am grateful for the observational heads up and its workaround;~)

best wishes, Robert

arne
firewall rule to drop unwanted packets from specific IPs
« Reply #5 on: May 11, 2005, 12:13:04 PM »
As a general rule it is not a very good idea to modify a firewall without knowing all of it, but on the other hand a -j DROP rule should not be too dangerous and it will be gone when rebooting the machine (if only applied like a shell command).

This rule might work:

iptables -I INPUT -i eth0 -p tcp --dport 80 -s 221.226.110.0/24 -j DROP

The -I should place it on the top of the INPUT rule stack and drop those packets before any other rules can take effect. Of course you will have to check with the ifconfig command if the eth0 card is the one connected to the internet.

Arne.

arne
firewall rule to drop unwanted packets from specific IPs
« Reply #6 on: May 11, 2005, 12:21:52 PM »
Could be that this short one will work as well:

iptables -I INPUT -s 221.226.110.0/24 -j DROP

Just tried it on a "server only". There are no syntax errors and the rule applies at the top.

If you try more than one rule you will have to reboot between rules or reset the firewall by other means. The rules you are applying are not replacing each other, but they are building on top of each other like a stack.

Arne
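Pulling together Robert's template fragment (Reply #1) and arne's points about -I versus -A and rules stacking on top of each other (Replies #3 and #6), here is an added shell example. It is not code from the thread or from SME Server: it validates each CIDR block before it becomes a rule, emits the 40DenyNaff fragment with -I placement and an iptables -C guard so that re-running the masq script does not stack duplicate rules, and lets you check which addresses the list would drop without touching the live firewall. The function names (valid_cidr, in_cidr, deny_fragment, write_fragment, would_drop) and the -C guard are this example's own assumptions; the three blocks in the sample list are the ones from Robert's post.

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server: build the
# 40DenyNaff fragment from a list of CIDR blocks and check what it would drop.
# Function names and the sample list below are this example's own choices.

# Dotted quad -> 32-bit integer (1.2.3.4 -> 16909060).
ip_to_int() {
    quad=$1
    old_ifs=$IFS; IFS=.; set -- $quad; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Accept only a.b.c.d/n with octets 0-255 and prefix 0-32, so a typo in the
# template cannot silently become a rule that matches nothing or everything.
valid_cidr() {
    ip=${1%/*}; bits=${1#*/}
    [ "$ip" != "$1" ] || return 1                    # no "/prefix" part at all
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True when address $1 lies inside CIDR block $2.
in_cidr() {
    a=$(ip_to_int "$1")
    n=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# One line per block. -I puts the rule at the head of INPUT, ahead of the
# ACCEPT rules the masq script installs, which is why an appended (-A) rule
# never fired for Robert. -C first checks whether an identical rule already
# exists, so running the fragment twice does not stack duplicates.
deny_fragment() {
    for cidr in "$@"; do
        if ! valid_cidr "$cidr"; then
            echo "skipping malformed CIDR: $cidr" >&2
            continue
        fi
        echo "/sbin/iptables -C INPUT -s $cidr -j DROP 2>/dev/null || /sbin/iptables -I INPUT -s $cidr -j DROP"
    done
}

# Write the fragment into the custom-template directory given as $1
# (on SME: /etc/e-smith/templates-custom/etc/rc.d/init.d/masq).
write_fragment() {
    dir=$1; shift
    mkdir -p "$dir"
    deny_fragment "$@" > "$dir/40DenyNaff"
}

# Report whether address $1 would be dropped by any block in the list.
would_drop() {
    target=$1; shift
    for cidr in "$@"; do
        in_cidr "$target" "$cidr" && return 0
    done
    return 1
}

# Constructed sample list: the three blocks from Robert's post.
DENY_LIST="64.240.0.0/14 66.194.6.0/24 221.226.110.0/24"

deny_fragment $DENY_LIST
would_drop 221.226.110.77 $DENY_LIST && echo "221.226.110.77 would be dropped"
```

To use it on an SME box, run write_fragment with the custom-template directory and your blocks, then expand the template and restart masq exactly as Robert did (/sbin/e-smith/expand-template /etc/rc.d/init.d/masq followed by service masq restart). One caveat: iptables -C was added in iptables 1.4.11, well after the 2005 release Robert was on; on a build that old, replace the -C half with an iptables -D of the same rule (errors ignored) before the -I, which gives the same no-duplicates behaviour.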

icpix

firewall rule to drop unwanted packets from specific IPs
« Reply #7 on: May 11, 2005, 12:26:09 PM »
arne----

My templating survives reboot.
My firewall rules are stacking nicely.
My logs are now much quieter and efficient.
Everything is pretty good now on my server gateway;~)

----best wishes, Robert