How do I block an IP with iptables?
WWWhost 12-05-2004, 11:15 AM Hi all,
How can I block an IP address with iptables?
I'd like to block an IP address so that the user cannot access any of the server's services (http, ftp etc.).
For IPs, can I use * (e.g. 111.111.111.*)?
Thanks a lot
razzfu 12-05-2004, 12:17 PM You should consult man iptables
But here are some examples.
to block the ip from accessing anything on your server:
iptables -i INPUT -s 111.111.111 -j REJECT
specific to service:
SSH:
iptables -A INPUT -p TCP -s 111.111.111 --destination-port 22 -j REJECT
FTP:
iptables -A INPUT -p TCP -s 111.111.111 --destination-port 20:21 -j REJECT
-leon
WWWhost 12-05-2004, 12:32 PM hmm the first command does not work:
iptables -i INPUT -s 111.111.111.* -j REJECT
iptables v1.2.8: no command specified
Try `iptables -h' or 'iptables --help' for more information.
razzfu 12-05-2004, 01:03 PM You can't use wildcards in firewall chains; adding '.*' will not work.
If you want to block a range of IPs you will have to block it by CIDR subnet (e.g. 111.111.111.111/32).
Steven 12-05-2004, 01:38 PM iptables -I INPUT -s 111.111.111.0/24 -j DROP
bitserve 12-05-2004, 02:55 PM I don't think "i" is a valid parameter for iptables. If you want to insert a rule, it's "I".
WWWhost 12-05-2004, 05:06 PM ok this seems to work.. thanks
BTW this is also important..: how to reverse ?
Thanks
mperkel 12-05-2004, 08:59 PM Here's a script I wrote:
Create a directory called /etc/blockip
In the directory you can put any number of text files that contain lists of IP addresses to block. When you run this script - which I run on bootup - it blocks lists of troublemakers.
It also allows you to add comments to the block file by starting lines with #.
--------------------------
#!/bin/sh
echo
echo "# Block all connections from these IP addresses"
echo
for blacklist in /etc/blockip/* ; do
    echo ""
    echo "Blocking IP addresses in list $blacklist"
    echo ""
    # Skip comment lines (starting with #) and take the first field of each remaining line
    for ipaddress in $( grep -v '^#' "$blacklist" | awk '{print $1}' ); do
        iptables -v -A INPUT -s "$ipaddress" -j DROP
    done
done
Steven 12-05-2004, 09:22 PM Originally posted by WWWhost
ok this seems to work.. thanks
BTW this is also important..: how to reverse ?
Thanks
iptables -I INPUT -s 111.111.111.0/24 -j ACCEPT
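An added example (not code posted by anyone in this thread) that pulls the answers above together: it converts the 111.111.111.* notation WWWhost asked about into the CIDR form iptables needs, builds the block rule and its exact reverse with -D, and uses --dport with two dashes for the per-service rules. The commands are printed rather than executed so it can be tried without root; the function names and the sample addresses are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not a participant's script.
# Every function prints an iptables command instead of running it.

# wildcard_to_cidr: "111.111.111.*" -> "111.111.111.0/24"; CIDR input passes through.
# Each trailing "*" octet widens the prefix by 8 bits.
wildcard_to_cidr() {
    addr=$1
    case "$addr" in
        */*) printf '%s\n' "$addr"; return 0 ;;
    esac
    prefix=32 cidr= seen_star=0 count=0
    rest="$addr."
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        count=$((count + 1))
        if [ "$octet" = '*' ]; then
            seen_star=1
            prefix=$((prefix - 8))
            octet=0
        elif [ "$seen_star" -eq 1 ]; then
            echo "wildcard_to_cidr: octets after '*' must be '*' too: $addr" >&2
            return 1
        else
            case "$octet" in
                ''|*[!0-9]*) echo "wildcard_to_cidr: bad octet '$octet' in $addr" >&2; return 1 ;;
            esac
            if [ "$octet" -gt 255 ]; then
                echo "wildcard_to_cidr: octet $octet out of range in $addr" >&2
                return 1
            fi
        fi
        cidr="${cidr:+$cidr.}$octet"
    done
    if [ "$count" -ne 4 ]; then
        echo "wildcard_to_cidr: expected four octets in $addr" >&2
        return 1
    fi
    printf '%s/%s\n' "$cidr" "$prefix"
}

# block_rule SRC: drop everything from SRC on INPUT. -I puts the rule at the
# top of the chain so it wins over any earlier ACCEPT rule.
block_rule() {
    net=$(wildcard_to_cidr "$1") || return 1
    printf 'iptables -I INPUT -s %s -j DROP\n' "$net"
}

# unblock_rule SRC: the reverse. -D with the identical match deletes the rule;
# inserting an ACCEPT above it also works but leaves both rules in the chain.
unblock_rule() {
    net=$(wildcard_to_cidr "$1") || return 1
    printf 'iptables -D INPUT -s %s -j DROP\n' "$net"
}

# service_rule SRC PORTS: only one TCP service, e.g. 22 or the range 20:21.
# Note --dport (two dashes); a single dash is not accepted by iptables.
service_rule() {
    net=$(wildcard_to_cidr "$1") || return 1
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -j REJECT\n' "$net" "$2"
}

# Constructed sample inputs; copy the printed lines into a root shell to apply them.
block_rule '111.111.111.*'
block_rule 203.0.113.7
service_rule '111.111.111.*' 20:21
unblock_rule 111.111.111.0/24
```

To confirm what is in place afterwards, `iptables -L INPUT -n -v` lists the chain with numeric addresses (-n) and packet counters (-v), so a blocked host shows up as its IP rather than a reverse-DNS name.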
bitserve 12-05-2004, 11:02 PM No "oops, thanks"? :)
DigiCrime 12-06-2004, 01:30 PM iptables -A -s 0.0.0.0 -j DROP is what I use
WWWhost 12-06-2004, 05:15 PM ok thanks to all
:)
clickelement 12-07-2004, 03:04 PM I have some quick questions regarding this post. How do I view which IPs I have blocked? Also, what is ipchains? Is it the same as iptables? I'm a little confused. Sorry for the newbie questions.
bitserve 12-08-2004, 12:13 AM Clickelement, I'd recommend visiting google and searching for information. The web site for iptables (the admin tool for netfilter) is prob at netfilter.org. I'm sure you can find a good site for ipchains. If you have any specific questions after reading, feel free to post them (in a new thread).
clickelement 12-08-2004, 12:57 AM Yeah, I did some searching and did go through some of the results. However, I was just a bit confused, so I thought I'd ask the specific questions here.
They're pretty straightforward actually. I just wanted to know the specific command syntax for iptables to view the IPs that have already been blocked.
I also wanted to know what the fundamental difference is between iptables and ipchains.
Since I'm on the topic, I also want to know how to pause the output of such a command:
netstat -anp | sort -u
It spits out a long list of info, but I am unable to scroll up in my telnet window after it's done listing.
If anyone can help answer these questions, I will greatly appreciate it. :)
DigiCrime 12-08-2004, 01:01 AM netstat -anp | sort -u | more
ipchains is an older form of iptables so to speak
clickelement 12-08-2004, 01:08 AM Wow I can finally pause that output on netstat, thanks DigiCrime! That was quite helpful, as searching for such a newbie question anywhere was fruitless. :P
I guess I will stick with using iptables instead of fooling around with ipchains. Thanks again.
DigiCrime 12-08-2004, 02:45 AM Careful with the program: if you block yourself, you're s.o.l., you'll have to have the NOC unblock ya.
clickelement 12-08-2004, 03:18 AM I will be very careful with the IPs that are being blocked. :) BTW, do you know how to show which IPs are already being blocked?
Also, when determining which IPs to block, what are some of the criteria that are most common? For me, if I see too many connections, I just block them. Right now I don't really know the difference between SYN_SENT and SYN_RECV.
razzfu 12-08-2004, 01:07 PM To view what you're blocking, type
iptables -v -L
When testing firewall scripts I always run this in crontab -e:
*/10 * * * * /usr/sbin/iptables -F >> /dev/null 2>&1
It will flush all rules every 5 minutes, giving you 10 minutes to test it, and if you've locked yourself out.. you have time to go make a coffee and ponder what went wrong :D Just delete it when you're done.
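A second added example (again not a participant's code) for the lockout DigiCrime and razzfu warn about: before printing a DROP rule it checks whether the range contains the address you are logged in from, and refuses if so. ADMIN_IP, the function names and the sample addresses are assumptions made for the example; the cron flush above is a separate safety net for after the fact, this one refuses the foot-gun rule up front. The command is printed, not executed.

```shell
#!/bin/sh
# Added example for this thread, not a participant's script.
# Assumes plain dotted-decimal IPv4 (no leading zeros) and 64-bit shell arithmetic.

# ip_to_int 1.2.3.4 -> 16909060 (big-endian octets packed into one integer)
ip_to_int() {
    rest="$1." n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        n=$(( (n << 8) + octet ))
    done
    echo "$n"
}

# ip_in_cidr IP NET[/BITS]: succeeds when IP falls inside the prefix.
# A bare address with no /BITS is treated as a /32, as iptables does.
ip_in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    case "$2" in
        */*) bits=${2#*/} ;;
        *)   bits=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# safe_block NET[/BITS]: print the DROP command unless it would cut off ADMIN_IP.
safe_block() {
    if [ -n "${ADMIN_IP:-}" ] && ip_in_cidr "$ADMIN_IP" "$1"; then
        echo "refusing: $1 contains admin address $ADMIN_IP" >&2
        return 1
    fi
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Typical wiring over SSH: the first field of SSH_CLIENT is the client address.
# If neither ADMIN_IP nor SSH_CLIENT is set the guard is simply disabled.
ADMIN_IP=${ADMIN_IP:-${SSH_CLIENT%% *}}

# Constructed demo: the second call is refused when ADMIN_IP is 198.51.100.9.
safe_block 203.0.113.0/24
ADMIN_IP=198.51.100.9 safe_block 198.51.100.0/24 || echo "blocked the lockout rule" >&2
```

Run it from an SSH session and ADMIN_IP is filled in automatically; from a console or cron job set ADMIN_IP explicitly, otherwise the check is skipped and you are back to relying on the cron flush.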
clickelement 12-08-2004, 01:20 PM Hey Razzfu thanks, I now can see who I am blocking! That crontab is a really great idea too. As a newbie I better set that up quick haha.
When I did that command that you gave me, one of my entries shows this:
0 0 DROP all -- any any Toronto-HSE ppp3893595.sympatico.ca anywhere
Does this mean that anyone on Toronto's Sympatico service is being blocked? I only remember blocking 1 IP from sympatico, not the whole ISP... :eek:
It is likely that the "ppp3893595" identifies the specific IP address you blocked, not the entire ISP... ping that hostname to find which IP it is blocking... I believe there is an argument that you can pass along to iptables to make it show only the IP and not the hostname.
WWWhost 12-08-2004, 07:36 PM razzfu--- when I do the command to list the IPs I already block I receive the following output:
-----------
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
---------
There is no information about IPs I blocked (or perhaps I didn't block anything..? I use this command to block IPs: iptables -I INPUT -s 111.111.111.0/24 -j DROP)
:rolleyes:
clickelement 12-08-2004, 09:38 PM You're right MaB, it's only 1 IP, not the whole network. WWWhost, that's weird how you get something else when you put that command in.
For people experiencing a SYN attack I found that this could help:
1) pico -w /etc/sysctl.conf
2) Add these lines to the file:
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 30
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
3) Exit and save.
4) /sbin/sysctl -p
It's been 3 sleepless nights until I found this. I hope the solution is permanent. Thanks to rfxn at the ev1 forums for this bit of useful info.