mysqlstudent at gmail.com
Wed Nov 2 00:42:33 UTC 2011
> Thanks. If you bear with a couple "hopefully-not-too-naive" questions ...
> I seems to me that you are saying the actions you wish to stop are from
> "s <offending_ip>" using "-p tcp" ... why the need to specify the
> destination of "-d <my_ip>" (since if this iptables rule is called, it
> must have reached me regardless of my_ip) and "--dport 80" (would there
> be any destination port that I would allow such action from this
> offending_ip to occur on?).
Yes, that's correct. You don't need to include the destination if you
only have one IP address on that host.
> I am seeing in the default F14 iptables:
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> This looks to me like tcp on dport 22 is allowed and there I would think
> that the minimal change would be to insert a rule before this which says
> "anything from offending_ip via tcp should be rejected".
> I'm still trying to get comfortable with iptables and, even though there
> is alot of stuff out there, I'm still working to get the necessary
> critical mass of understanding so it all falls into place. This thread
> looked like a good chance to see if I'm closer to understanding.
Yes, that's a good approach too. If you are editing the existing
iptables config script from /etc/sysconfig/iptables, then that's
exactly what you would do. Something like this should work:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j DROP -s
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
the "<offending_ip/range>" might be something like 126.96.36.199/24 to block
the entire 256 addresses on that network.
More information about the users