Topic: Deny access

[Stefano]

try and test, we can't tell you which is the best way

[smnirosh]

Note that AllowHosts/DenyHosts are only effective for external IP, not for clients from the LAN

important to me. bcos i want to deny a clinet who is in the Lan. but not joined to the domain. (The client gets the ip from DHCP server.) thanks

[smnirosh]

I will try this with iptable. if any problem, will contact you

[Stefano]

IMO you're using a wrong approach
Anyway, if you decide for the iptables way, please be aware you must use the templates/fragments way

[smnirosh]

My godness. I don't know how to use templates/fragments way.

[Stefano]

well, the wiki is there.. and if you search here you'll find a zillions of examples

[Daniel B.]

Fail2ban can be used to ban hosts manually, and it should work for lan clients too. Install the contrib as detailed in the wiki, then create your rules:

Code: [Select]

db fail2ban set bad_client_1 ban Host 192.168.18.12 UnbanTimestamp 9999999999
signal-event fail2ban-update

The UnbanTimestamp is just a ridiculously high value so the rule will never be deleted. You can also specify Port and Protocol if you only want to deny a single service, eg:

Code: [Select]

db fail2ban set bad_client_1 ban Host 192.168.18.12 UnbanTimestamp 9999999999 Port 8089 Protocol tcp
signal-event fail2ban-update


[Stefano]

https://wiki.contribs.org/Template_Tutorial
https://wiki.contribs.org/Firewall#Custom_templates

[Stefano]

well, Dani's suggestion is really easy and powerfull

chapeau

[Stefano]

please read here:
https://wiki.contribs.org/Fail2ban#DB_command

[janet]

ok stefano it seems helpful. But for me, can i go for a "Deny" term instead of Allow? like iptables ?

Here is the FAQ (there is a link at top of forums)
https://wiki.contribs.org/SME_Server:Documentation:FAQ

Within the FAQ is this section on Firewall
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section05

Plesae read all of this, some of it may apply to your situation.

Especially see
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section05#Block_outgoing_IPs_or_mac_addresses
&
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section05#Block_outgoing_ports

If you want to do something else, then you will need to create your own iptables rules, using custom templates.
Anything is (usually) possible in Linux, you just have to learn how to do it (which typically means reading & learning).


....and make sure you read this
https://forums.contribs.org/index.php/topic,46036.0/all.html

[smnirosh]

Dear all,

as explained in the janet's comment, i renamed 40DenyRiffRaff with 20DenyRiffRaff. It works.
If anybody helps me, could i know what is this 40;20;10 meaning?

thanks very much again

[janet]

smnirosh

It defines the order in which the template fragments are processed
eg you should not turn something off after previously turning it on, so you move the turn on commands after the turn off comnands have happened by changing the fragment numerical name.
See
https://wiki.contribs.org/Template_Tutorial

Also see the Developers Manual re templates, link in documentation section on main contribs.org Wiki page, link to Wiki at top of Forums.

[smnirosh]

Thanks very much janet. I will refer these links to get more infor.