Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: arcano on October 28, 2006, 02:43:13 AM
-
Problem:
There is a guy among the regular net users who likes to connect his personal laptop, which is not allowed. Internet access is regulated by squidguard. But this computer has a kind of proxy dialing (I guess AOL) and always gets access.
Solution:
Blocking him with iptables.
But:
First, I don't know how to setprop the template rule,
so I tried to write the rules into /etc/rc.d/init.d/masq.
/sbin/iptables --append OUTPUT -s 192.168.8.251 -j DROP
/sbin/iptables --append INPUT -s 192.168.8.251 -j DROP
/sbin/iptables --append FORWARD -d 192.168.8.251 -j DROP
So when I check it with iptables -L -n
it shows:
Chain local_chk_2073 (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.8.0/24 0.0.0.0/0
DROP all -- 192.168.8.251 0.0.0.0/0
Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- 0.0.0.0/0 0.0.0.0/0
local_chk all -- 0.0.0.0/0 0.0.0.0/0
PPPconn all -- 0.0.0.0/0 0.0.0.0/0
denylog all -- 224.0.0.0/4 0.0.0.0/0
denylog all -- 0.0.0.0/0 224.0.0.0/4
DROP all -- 0.0.0.0/0 208.101.33.100
DROP all -- 192.168.8.251 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PPPconn all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 208.101.33.100
DROP all -- 192.168.8.251 0.0.0.0/0
denylog all -- 224.0.0.0/4 0.0.0.0/0
denylog all -- 0.0.0.0/0 224.0.0.0/4
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
But the computer still gets an outside connection.
I am also blocking 208.101.33.100 from the outside, but it is still reaching the address from inside.
Help:
I have already checked out the documentation, but it only says "creating pinholes for your application."
I want him without any network service!
Any advice on what to do?
Which would be the correct CONFIG SETPROP sentence?
Where can I learn about it?
Thanks for reading! :evil:
-
If you --append a DROP rule it may never be reached -- especially if there is an earlier ACCEPT rule.
If the ruleset already allows indiscriminate outbound browsing, the "appended" DROP rule will never kick in.
You might try the same thing with --insert.
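As an added illustration of this reply (not code from the thread or from SME Server), here is a small first-match simulation of iptables chain traversal using the poster's own addresses: with --append the DROP lands after the local_chk jump that already ACCEPTs the LAN, so it is never reached; with --insert it sits at position 1 and fires. The chain contents are a simplified model of the listing above (state_chk, PPPconn and denylog are left out).

```python
# Added example: first-match simulation of iptables chain traversal.
# Constructed ruleset, simplified from the INPUT / local_chk listing in the post.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    target: str                 # ACCEPT, DROP, or the name of a user chain to jump to
    src: str = "0.0.0.0/0"      # -s match
    dst: str = "0.0.0.0/0"      # -d match

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def evaluate(chains, chain, src, dst, policy="DROP"):
    """Walk `chain` top to bottom; the first terminating match wins.
    A jump into a user chain falls through (RETURN) if nothing there terminates."""
    for rule in chains[chain]:
        if not rule.matches(src, dst):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = evaluate(chains, rule.target, src, dst, policy=None)
        if verdict is not None:
            return verdict
    return policy               # built-in chain: its policy; user chain: None (RETURN)


LAN = "192.168.8.0/24"
ROGUE = "192.168.8.251"         # the laptop from the post
LOCAL_CHK = [Rule("ACCEPT", src=LAN)]   # SME already accepts the whole LAN here


def appended_ruleset():
    # What `iptables --append INPUT -s 192.168.8.251 -j DROP` produces:
    # the DROP sits below the local_chk jump and is shadowed by its ACCEPT.
    return {"INPUT": [Rule("local_chk"), Rule("DROP", src=ROGUE)], "local_chk": LOCAL_CHK}


def inserted_ruleset():
    # What `iptables --insert INPUT -s 192.168.8.251 -j DROP` produces:
    # the DROP is rule 1, evaluated before any ACCEPT.
    return {"INPUT": [Rule("DROP", src=ROGUE), Rule("local_chk")], "local_chk": LOCAL_CHK}


def verdict_for(ruleset, src, dst="208.101.33.100"):
    return evaluate(ruleset, "INPUT", src, dst)


if __name__ == "__main__":
    for name, rs in (("append", appended_ruleset()), ("insert", inserted_ruleset())):
        print(f"{name}: {ROGUE} -> {verdict_for(rs, ROGUE)}, "
              f"192.168.8.10 -> {verdict_for(rs, '192.168.8.10')}")
```

The same ordering rule applies to the FORWARD chain, which is the one a LAN host's traffic to the internet actually traverses; INPUT and OUTPUT only see packets addressed to or originated by the server itself.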
-
Just so I know, would this be OK if I change the default policy on the INPUT chain to DROP?
-
I mean both policies (OUTPUT and INPUT) and then just choosing who goes out and who stays inside.
-
I don't know much about iptables...
I'd recommend that you try it -- manually. That is, run the 'iptables' command manually, don't add it to /etc/init.d/masq, and don't create a template. Then, if you create a rule that locks you out of your server at least a reboot will get you working again...
If a reboot doesn't fix it, you could at least login to the console on the server's local keyboard & mouse and run 'signal-event remoteaccess-update' to reset the rules to the SME configured versions.