Old 04-25-2011, 04:03 PM
Alexander Farber
 
Blocking an IP address both as source and destination

Hello,

how do you block incoming AND outgoing traffic to a site?

I have 2 drop lines for a site in my /etc/sysconfig/iptables:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -d xx.xx.xx.0/24 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
COMMIT

but for some reason still can "ping xx.xx.xx.1" and
"ssh xx.xx.xx.1" prints
"ssh: connect to host xx.xx.xx.1 port 22: Connection refused"
immediately, which probably means my packets aren't dropped at all.

Using CentOS 5.6/64 bit

Thank you
Alex
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 04-25-2011, 04:18 PM
Stephen Harris
 
Blocking an IP address both as source and destination

On Mon, Apr 25, 2011 at 06:03:29PM +0200, Alexander Farber wrote:
> Hello,
>
> how do you block incoming AND outgoing traffic to a site?
>
> I have 2 drop lines for a site in my /etc/sysconfig/iptables:
>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [294:35064]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -s xx.xx.xx.0/24 -j DROP
> -A INPUT -d xx.xx.xx.0/24 -j DROP
> -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,8080 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
> COMMIT
>
> but for some reason still can "ping xx.xx.xx.1" and
> "ssh xx.xx.xx.1" prints
> "ssh: connect to host xx.xx.xx.1 port 22: Connection refused"
> immediately, which probably means my packets aren't dropped at all.

To block outgoing traffic (traffic originating on this host destined
for another machine) you need to add rules to the OUTPUT filter.

--

rgds
Stephen
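Stephen's point, worked through as an added example that is not code from the thread. The OUTPUT chain in the posted file has policy ACCEPT and no rules, so a SYN to the site leaves the host untouched; the immediate "Connection refused" is the remote host's RST answering it. The `-d xx.xx.xx.0/24` rule in INPUT can only ever match packets addressed to this server itself. The Python below is a small first-match evaluator for iptables-save rules (it is not iptables and models only the matches the posted rules use) and runs the posted ruleset and the corrected one against a fresh SSH SYN and a ping in each direction. 198.51.100.0/24 and 198.51.100.1 are assumed stand-ins for the redacted site prefix, 192.0.2.10 for the server's own address and eth0 for its interface.

```python
# Added example (not code from the thread): a first-match evaluator for the *filter
# table of an iptables-save dump, modelling only the matches used in the posted rules.
import ipaddress
import shlex
from dataclasses import dataclass

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
EXACT = {"-i": "in_iface", "-p": "proto"}     # option -> packet field, exact compare
IN_LIST = {"--dport": ("dport", int), "--dports": ("dport", int), "--state": ("state", str)}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"      # tcp, udp or icmp
    dport: int = 0          # 0 = no port (icmp)
    in_iface: str = ""      # only INPUT/FORWARD rules look at -i
    state: str = "NEW"      # what -m state --state would report

def parse_ruleset(text):
    """Return (policies, chains) for the *filter section of an iptables-save dump."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "*")) or line == "COMMIT":
            continue
        if line.startswith(":"):                 # e.g. ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError("only -A rules are modelled: " + line)
        chains.setdefault(toks[1], []).append(toks[2:])
    return policies, chains

def rule_target(tokens, pkt):
    """Return the rule's -j target if every match succeeds, else None."""
    i, target = 0, None
    while i < len(tokens):
        t, arg = tokens[i], (tokens[i + 1] if i + 1 < len(tokens) else None)
        if t in ("-s", "-d"):
            addr = pkt.src if t == "-s" else pkt.dst
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(arg, strict=False):
                return None
        elif t in EXACT:
            if getattr(pkt, EXACT[t]) != arg:
                return None
        elif t in IN_LIST:                      # comma-separated value lists
            field, conv = IN_LIST[t]
            if getattr(pkt, field) not in {conv(v) for v in arg.split(",")}:
                return None
        elif t == "-j":
            target = arg
        elif t == "--tcp-flags":                # mask + compare: a fresh SYN matches,
            i += 1                              # so only skip its extra argument
        elif t not in ("-m", "--icmp-type", "--limit", "--limit-burst"):
            raise ValueError("unmodelled option: " + t)   # the listed ones always match here
        i += 2
    return target

def verdict(policies, chains, chain, pkt):
    """Walk one built-in chain first-match and fall back to its policy."""
    for tokens in chains.get(chain, []):
        target = rule_target(tokens, pkt)
        if target is None or target == "LOG":   # no match, or non-terminating LOG
            continue
        if target in TERMINAL:
            return target
        raise ValueError("jumps to user chains are not modelled: " + target)
    return policies.get(chain, "ACCEPT")

# The posted rules with the wrapped lines rejoined; 198.51.100.0/24 (RFC 5737
# documentation space) is an assumed stand-in for the redacted xx.xx.xx.0/24.
ORIGINAL = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -d 198.51.100.0/24 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
COMMIT
"""
# Stephen's fix: the destination block belongs in OUTPUT (INPUT only sees packets addressed to us).
FIXED = ORIGINAL.replace("-A INPUT -d 198.51.100.0/24", "-A OUTPUT -d 198.51.100.0/24")

def both_directions(ruleset, remote="198.51.100.1", local="192.0.2.10"):
    """Fresh SSH SYN and ping towards the site, and an SSH SYN from it (assumed addresses)."""
    policies, chains = parse_ruleset(ruleset)
    return {
        "ssh out": verdict(policies, chains, "OUTPUT", Packet(local, remote, "tcp", 22)),
        "ping out": verdict(policies, chains, "OUTPUT", Packet(local, remote, "icmp")),
        "ssh in": verdict(policies, chains, "INPUT", Packet(remote, local, "tcp", 22, "eth0")),
    }
```

`both_directions(ORIGINAL)` gives ACCEPT for both outgoing packets and DROP for the incoming one; `both_directions(FIXED)` gives DROP for all three. On the live box, `iptables -L OUTPUT -v -n` shows per-rule packet counters, which is the quickest way to see whether a rule is actually being hit. With DROP in OUTPUT the outgoing SYN is silently discarded; use `-j REJECT` in OUTPUT instead if the local process should get a quick, visible failure.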