Hi,

>>> This looks to me like tcp on dport 22 is allowed and there I would think
>>> that the minimal change would be to insert a rule before this which says
>>> "anything from offending_ip via tcp should be rejected".
>>>
>>> I'm still trying to get comfortable with iptables and, even though there
>>> is a lot of stuff out there, I'm still working to get the necessary
>>> critical mass of understanding so it all falls into place. This thread
>>> looked like a good chance to see if I'm closer to understanding.
>> Yes, that's a good approach too. If you are editing the existing
>> iptables config script from /etc/sysconfig/iptables, then that's
>> exactly what you would do. Something like this should work:
>>
>> # Firewall configuration written by system-config-firewall
>> # Manual customization of this file is not recommended.
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> # block rule goes BEFORE the per-port ACCEPTs: first match wins
>> -A INPUT -s <offending_ip/range> -m state --state NEW -m tcp -p tcp --dport 80 -j DROP
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>> # catch-all reject at the bottom, then the COMMIT iptables-restore needs
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>> the "<offending_ip/range>" might be something like 1.2.3.0/24 to block
>> the entire 256 addresses on that network.
>>
>> HTH,
>> Alex
>
> Alex:
>
> Thanks ... it does help to get a confirm that my understanding of your
> example is at least in the general right direction.
>
> Just to check to make sure I got the last bit of info right ...
>
> In your particular example of what appears to be China Telecom, are you
> assuming that they are using the ip 1.2.3.0/24 and that translates to
> 1.2.3.[0-255]?

Yes, that's correct. Search for CIDR notation.
> I have a LAN which assumes router connecting to outside world is
> 192.168.1.1 and my network is 192.168.2.* (wireless only engaged when
> necessary for both 192.168.1.1 and one Linksys at 192.168.2.2). To me,
> this means that I "only have one IP address on that host" per your
> email. If I am correct, I don't need to worry about a generalized
> 192.168.2.0/24 rule on each machine to prevent something I don't know about.

Yes, that's correct, but I was really referring to the destination -- if
you wanted to block more than one host at a time, such as for an entire
ISP in China, for example. So from my original log entry example of
222.186.24.108, you might do:

# iptables -I INPUT -s 222.186.24.0/24 -j DROP

This would block all access from that host to your network.

> The addition of 25, 80, and 443 ports are your suggestions for what to
> allow as opposed to mandatories (everything is working nicely on my
> system with the default and the only other port access I need to do is
> in sendmail.mc).

I wasn't sure if that was from the original rulebase or if it was
something I added :-)

The default is to allow everything, but there is an ICMP reject rule at
the bottom of the rulebase that rejects everything else for which there
is no rule, such as those for port 25 and 80.

Best,
Alex

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
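[Editor's added example, not part of the thread.] The two points the thread turns on, that a netfilter chain is evaluated top to bottom with the first matching rule deciding the packet, and that 1.2.3.0/24 means every address 1.2.3.0 through 1.2.3.255, are easy to get wrong without a box to try them on. The script below is a small first-match simulator over rules written in the same iptables-save syntax as the /etc/sysconfig/iptables snippet above. The rule set and packets are constructed for the example: the DROP uses the 222.186.24.0/24 range quoted from Alex's log and port 22 because the original question was about SSH, and the catch-all REJECT at the bottom is the one Alex describes. It only understands the handful of matches used in the thread (-s, -p, -i, --dport, --state) and is not a general iptables parser.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple

# Constructed INPUT chain in iptables-save syntax. The DROP for the
# offending range is inserted ahead of the per-port ACCEPTs, as the
# thread recommends (or as "iptables -I INPUT ..." would place it).
INPUT_CHAIN = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 222.186.24.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""


@dataclass
class Packet:
    src: str                 # source IPv4 address as a string
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port, None for icmp
    state: str               # conntrack state: "NEW", "ESTABLISHED", "RELATED"
    iface: str = "eth0"      # inbound interface


@dataclass
class Rule:
    target: str                                   # ACCEPT / DROP / REJECT
    src: Optional[ipaddress.IPv4Network] = None   # -s
    proto: Optional[str] = None                   # -p
    dport: Optional[int] = None                   # --dport
    states: Optional[Set[str]] = None             # --state
    iface: Optional[str] = None                   # -i


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ...' line for the matches used in the thread."""
    toks = line.split()
    rule = Rule(target="")
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-m", "--reject-with"):       # chain name, match module, reject type
            i += 2
        elif t == "-j":
            rule.target = toks[i + 1]; i += 2
        elif t == "-s":                               # strict=False: a host/24 becomes its network
            rule.src = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
        elif t == "-p":
            rule.proto = toks[i + 1]; i += 2
        elif t == "--dport":
            rule.dport = int(toks[i + 1]); i += 2
        elif t == "--state":
            rule.states = set(toks[i + 1].split(",")); i += 2
        elif t == "-i":
            rule.iface = toks[i + 1]; i += 2
        else:
            i += 1
    return rule


def parse_chain(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match present in the rule must hold; absent matches are wildcards."""
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins, as in a netfilter chain. Returns the
    target and the 1-based rule number; the chain policy (ACCEPT, per the
    ':INPUT ACCEPT' line) applies only if nothing matched."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.target, n
    return "ACCEPT", None


def move_drop_to_end(text: str) -> str:
    """Simulate appending the DROP with -A instead of inserting with -I:
    it lands after every ACCEPT and after the catch-all REJECT."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    drops = [l for l in lines if l.endswith("-j DROP")]
    keep = [l for l in lines if not l.endswith("-j DROP")]
    return "\n".join(keep + drops)


def cidr_span(cidr: str) -> Tuple[str, str, int]:
    """First address, last address and size of a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


if __name__ == "__main__":
    good = parse_chain(INPUT_CHAIN)
    bad = parse_chain(move_drop_to_end(INPUT_CHAIN))
    ssh_from_offender = Packet("222.186.24.108", "tcp", 22, "NEW")
    print("DROP inserted first:", verdict(good, ssh_from_offender))
    print("DROP appended last: ", verdict(bad, ssh_from_offender))
    print("1.2.3.0/24 covers", cidr_span("1.2.3.0/24"))
```

Two things the run shows that the prose does not: with the DROP inserted ahead of the ACCEPTs, a new SSH connection from 222.186.24.108 is dropped at rule 4, but if the same rule is appended with -A it sits behind the port-22 ACCEPT (and behind the REJECT) and the connection is accepted at rule 7. And because the DROP matches only --state NEW, a session that was already ESTABLISHED when the rule was loaded keeps matching rule 1; drop the state match, or clear the connection, if you need existing sessions cut as well.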