SuSEfirewall2 v2.1 iptables v1.2.5 Linux-Kernel 2.4.18 (5)
-------------------------
Hi, I'm looking for a way to block certain IP addresses from all ports on my computer. I tried this at the console:
iptables -A FORWARD -p tcp -s 192.168.100.1 -d 0.0.0.0/0.0.0.0 --dport 80 -j DROP
but I can still connect from 192.168.100.1 to port 80 with telnet. Do I have to activate this rule first? Or does it have to fit into firewall2-custom.rc.config, then restart firewall?
Regards, Mike
Hi Mike, first of all it's not FORWARD, but INPUT, because you're trying to block incoming connections, not FORWARDED ones. Then you'll have to check if you don't have another rule that is executed before the one you've added. Best regards, Ralf Ronneburger
Mike Otto wrote:
SuSEfirewall2 v2.1 iptables v1.2.5 Linux-Kernel 2.4.18 (5) -------------------------
Hi, I'm looking for a way to block certain IP addresses from all ports on my computer. I tried this at the console:
iptables -A FORWARD -p tcp -s 192.168.100.1 -d 0.0.0.0/0.0.0.0 --dport 80 -j DROP
but I can still connect from 192.168.100.1 to port 80 with telnet. Do I have to activate this rule first? Or does it have to fit into firewall2-custom.rc.config, then restart firewall?
Regards, Mike
At Saturday 04 May 2002 14:56 Ralf Ronneburger wrote:
first of all it's not FORWARD, but INPUT, because you're trying to block incoming connections, not FORWARDED ones. Then you'll have to check if you don't have another rule that is executed before the one you've added.
Mike Otto wrote:
Hi, I'm looking for a way to block certain IP addresses from all ports on my computer. I tried this at the console:
iptables -A FORWARD -p tcp -s 192.168.100.1 -d 0.0.0.0/0.0.0.0 --dport 80 -j DROP
And secondly your rule is only blocking port 80 (HTTP), right?
Greetings
Michael
--
Michael Zimmermann (Vegaa Safety and Security for Internet Services)
Hi Ralf and Michael, thanks for helping! Ralf Ronneburger wrote:
first of all it's not FORWARD, but INPUT, because you're trying to block incoming connections, not FORWARDED ones.
Yepp! My mistake! Michael Zimmermann wrote:
And secondly your rule is only blocking port 80 (HTTP), right?
Right! Ralf Ronneburger wrote:
Then you'll have to check if you don't have another rule that is executed before the one you've added.
I guess this is my problem, since the firewall script has already been executed. What I found out is that this rule works pretty well for my purposes:
iptables -R INPUT 1 -p TCP -s 192.109.xxx.xxx -j DROP
But this way, I am sure that I overwrite another important rule. Now I need something that lists all INPUT rules by number on the screen. Well, I found a nice tutorial out there http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.htm... and promise to read it before I ask the next question ;-)
Best Regards, Mike
On Sat, 04 May 2002, Mike Otto wrote:
But this way, I am sure that I overwrite another important rule. Now I need something that lists all INPUT rules by number on the screen
Is /usr/sbin/iptables -L -nv what you need ? dproc
But this way, I am sure that I overwrite another important rule. Now I need something that lists all INPUT rules by number on the screen
Is /usr/sbin/iptables -L -nv
what you need ?
;-) Someone who explains to me why I can't just append rules 3,4,5,6 at the end of the INPUT rules (APPEND) instead I have to INSERT them? Is it because of rule 23 which cannot be overwritten? Would make sense to me. Then I better insert right before line 23, right?
Regards, Mike

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED udp dpts:137:138
3    DROP       all  --  xxx.xxx.xxx.0/24     0.0.0.0/0
4    DROP       all  --  xxx.xxx.xxx.0/24     0.0.0.0/0
5    DROP       all  --  xxx.xxx.xxx.0/24     0.0.0.0/0
6    DROP       all  --  xxx.xxx.xxx.0/24     0.0.0.0/0
8    LOG        all  --  127.0.0.0/8          0.0.0.0/0            LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING '
9    LOG        all  --  0.0.0.0/0            127.0.0.0/8          LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING '
10   DROP       all  --  127.0.0.0/8          0.0.0.0/0
11   DROP       all  --  0.0.0.0/0            127.0.0.0/8
12   LOG        all  --  192.168.10.11        0.0.0.0/0            LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING '
13   DROP       all  --  192.168.10.11        0.0.0.0/0
14   LOG        all  --  xxx.xxx.xxx.xxx      0.0.0.0/0            LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING '
15   DROP       all  --  xxx.xxx.xxx.xxx      0.0.0.0/0
16   input_ext  all  --  0.0.0.0/0            xxx.xxx.xxx.xxx
17   input_int  all  --  0.0.0.0/0            192.168.10.11
18   DROP       all  --  0.0.0.0/0            192.168.10.255
19   DROP       all  --  0.0.0.0/0            255.255.255.255
20   LOG        all  --  0.0.0.0/0            xxx.xxx.xxx.xxx      LOG flags 6 level 4 prefix `SuSE-FW-NO_ACCESS_INT->FWEXT '
21   DROP       all  --  0.0.0.0/0            xxx.xxx.xxx.xxx
22   LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 4 prefix `SuSE-FW-UNALLOWED-TARGET '
23   DROP       all  --  0.0.0.0/0            0.0.0.0/0
24   REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:113 reject-with tcp-reset
Mike Otto wrote:
Someone who explains to me why I can't just append rules 3,4,5,6 at the end of the INPUT rules (APPEND) instead I have to INSERT them? Is it because of rule 23 which cannot be overwritten? Would make sense to me. Then I better insert right before line 23, right?
First match hits - rule 23 DROPs everything. Any rule after 23 is useless. And take a look at man iptables to find out why you can't overwrite rule 23! (Hint: 42.) GTi
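The two points made in this thread (a locally addressed packet traverses INPUT, not FORWARD; and a chain is walked top to bottom, so nothing appended after rule 23 "DROP all" ever fires) can be replayed in a small first-match model. The following is an added example, not code from the thread or from SuSEfirewall2: a toy evaluator with a condensed copy of the posted INPUT chain. The loopback interface on rule 1, the contents of the input_ext chain, and all addresses (203.0.113.10, 198.51.100.7) are assumptions or constructed sample values.

```python
"""Toy first-match evaluator for iptables chains (added example, not from the thread).

Models how netfilter walks a chain top to bottom and stops at the first
terminating match, to show (a) why a packet addressed to the host itself
traverses INPUT and never FORWARD, and (b) why a DROP appended after
"DROP all" never fires while one inserted before the input_ext jump does.
The INPUT chain is a condensed model of the listing posted in the thread;
the loopback interface on rule 1, the contents of input_ext and all
addresses are assumptions / constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
Verdict = Tuple[str, str, int]  # (target, chain name, 1-based rule number; 0 = chain policy)


@dataclass
class Rule:
    target: str                  # ACCEPT/DROP/REJECT/LOG/RETURN or a user-chain name
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "all"           # "all", "tcp" or "udp"
    dport: Optional[int] = None
    iface: Optional[str] = None  # -i; None matches any interface

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("all", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport"))
                and (self.iface is None or self.iface == pkt["iface"]))


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None  # built-in chains have a policy, user chains do not
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:            # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, num: int, rule: Rule) -> None:  # iptables -I CHAIN num ...
        self.rules.insert(num - 1, rule)


def walk(chain: Chain, pkt: dict, chains: Dict[str, Chain]) -> Optional[Verdict]:
    """First terminating verdict in this chain (or a jumped-to chain), None if none matched."""
    for num, rule in enumerate(chain.rules, 1):
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINATING:
            return rule.target, chain.name, num
        if rule.target == "LOG":        # non-terminating: record and keep walking
            continue
        if rule.target == "RETURN":
            return None
        sub = walk(chains[rule.target], pkt, chains)  # jump into a user chain
        if sub is not None:
            return sub                  # the user chain decided; else continue below the jump
    return None


def evaluate(pkt: dict, chains: Dict[str, Chain], local_addrs: set) -> Verdict:
    """Packets addressed to this host go through INPUT, everything else through FORWARD."""
    name = "INPUT" if pkt["dst"] in local_addrs else "FORWARD"
    verdict = walk(chains[name], pkt, chains)
    return verdict if verdict is not None else (chains[name].policy, name, 0)


def build_chains() -> Dict[str, Chain]:
    """Condensed INPUT chain; comments give the rule numbers from the posted listing."""
    input_ext = Chain("input_ext", rules=[Rule("ACCEPT", proto="tcp", dport=80)])  # assumed: web allowed
    inp = Chain("INPUT", policy="DROP", rules=[
        Rule("ACCEPT", iface="lo"),              # 1  (interface not shown in the listing; assumed lo)
        Rule("input_ext", dst="203.0.113.10"),   # 16 jump to the external-interface chain
        Rule("LOG"),                             # 22 SuSE-FW-UNALLOWED-TARGET
        Rule("DROP"),                            # 23 DROP all: nothing below here is ever reached
        Rule("REJECT", proto="tcp", dport=113),  # 24
    ])
    return {"INPUT": inp, "FORWARD": Chain("FORWARD", policy="DROP"), "input_ext": input_ext}


def demo() -> Dict[str, Verdict]:
    """Replay the thread: FORWARD rule, then appended DROP, then inserted DROP."""
    chains, local = build_chains(), {"203.0.113.10"}
    web = {"src": "192.168.100.1", "dst": "203.0.113.10", "proto": "tcp", "dport": 80, "iface": "eth0"}
    r = {}
    chains["FORWARD"].append(Rule("DROP", src="192.168.100.1", proto="tcp", dport=80))
    r["forward_rule_ignored"] = evaluate(web, chains, local)       # still ACCEPT: INPUT, not FORWARD
    r["transit_uses_forward"] = evaluate({**web, "dst": "198.51.100.7"}, chains, local)
    r["ident_never_rejected"] = evaluate({**web, "dport": 113}, chains, local)  # DROP at 23, not REJECT
    chains["INPUT"].append(Rule("DROP", src="192.168.100.1"))
    r["after_append"] = evaluate(web, chains, local)               # unchanged: sits below DROP all
    chains["INPUT"].insert(2, Rule("DROP", src="192.168.100.1"))  # before the input_ext jump
    r["after_insert"] = evaluate(web, chains, local)               # now DROP at INPUT rule 2
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} -> {v}")
```

The model also shows the subtlety GTi's answer implies: because rules 16 and 17 jump into input_ext and input_int, where the permitted services are ACCEPTed, a per-address DROP has to sit above those jumps, not merely above rule 23. On the real box, `iptables -L INPUT -n --line-numbers` prints the chain with the numbers Mike was asking for, `iptables -I INPUT <num> ...` inserts at that position, and `iptables -R INPUT <num> ...` replaces whatever rule is there, which is why his `-R INPUT 1` attempt overwrote an existing rule.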
participants (5)
- dproc@dol.net
- Martin Peikert
- Michael Zimmermann
- Mike Otto
- Ralf Ronneburger