Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Chris on January 22, 2003, 06:09:23 PM

Title: Port Blocking.
Post by: Chris on January 22, 2003, 06:09:23 PM
How do I modify e-smith 5.5 to block ports on a range of IPs?

Ex. 192.168.168.50 ----> 192.168.168.100 block port 80 internally.
Title: Re: Port Blocking.
Post by: Bill Talcott on January 22, 2003, 06:54:11 PM
Could you clarify a bit? You want the IPs from 192.168.168.50 through 192.168.168.100 to not be able to access any port 80?
Title: Re: Port Blocking.
Post by: Chris on January 22, 2003, 09:32:23 PM
That's correct. I do not want users on the LAN to have browser access, but I want them to be able to send and receive e-mail.
Title: Re: Port Blocking.
Post by: Nathan Fowler on January 22, 2003, 09:50:27 PM
Jump to console, create a new file called "iplistdeny"
Paste (EXACTLY AS IT APPEARS, SPACING IS IMPORTANT!):

#!/bin/bash
#Nathan Fowler
#Jan 22, 2003
#Requires bash: the C-style for loop below is not POSIX sh.

#Modify these values to suit your needs.
#serverIP is the IP address of the local server (traffic to it is not denied)
Port="80"
Proto="tcp"
serverIP="192.168.168.1"
prefixIP="192.168.168."
startIP=50
endIP=100
outfile="iplist.txt"

#Do not modify beyond this line unless you know what you're doing.
#Emit one ipchains DENY rule per address; only the fourth octet is iterated.
for ((curIP=startIP ; curIP <= endIP ; ++curIP))
do
  IP="$prefixIP$curIP"
  ChainRule="/sbin/ipchains -A input -p $Proto --dport $Port --source $IP -d ! $serverIP -j DENY"
  echo "$ChainRule" >> "$outfile"
done
exit 0
#EOF

Next, chmod +x iplistdeny from console
./iplistdeny

It should create your IP Chain list, if you want to add it to /etc/rc.d/rc.local you can simply:
cat iplist.txt >> /etc/rc.d/rc.local

Or you could paste it manually, or chmod +x iplist.txt and execute it. Either way, it's up to you.

The file will create a list of ipchain commands to deny the specified port for the specified IP range (uses only the fourth octet).  It will deny the listed IP addresses access to $Port using $Proto EXCEPT when it is talking directly to $serverIP

Hope this helped,
Nathan
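The rule generator described above, generalized to accept full dotted start and end addresses (so ranges that cross an octet boundary work) rather than only the fourth octet; this is an added example, not Nathan's script, and it only prints the ipchains rules so they can be reviewed before being appended to rc.local.

```shell
#!/bin/sh
# Convert a dotted-quad IPv4 address to an unsigned integer.
ip2int() {
  ( IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Convert an integer back to dotted-quad form.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# gen_deny_rules START END PORT PROTO SERVERIP
# Prints one ipchains DENY rule per address in START..END (inclusive),
# denying PROTO traffic to PORT unless the destination is SERVERIP.
# Rules are printed, not applied; redirect the output to a file to keep them.
gen_deny_rules() {
  start=$(ip2int "$1"); end=$(ip2int "$2")
  port=$3; proto=$4; server=$5
  if [ "$start" -gt "$end" ]; then
    echo "gen_deny_rules: start address is after end address" >&2
    return 1
  fi
  cur=$start
  while [ "$cur" -le "$end" ]; do
    printf '/sbin/ipchains -A input -p %s --dport %s -s %s -d ! %s -j DENY\n' \
      "$proto" "$port" "$(int2ip "$cur")" "$server"
    cur=$((cur + 1))
  done
}

# Example run using the range from the thread (51 rules, .50 through .100).
gen_deny_rules 192.168.168.50 192.168.168.100 80 tcp 192.168.168.1
```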