On Sat, Jan 04, 2003 at 10:53:16AM -0800, Bob Sully wrote:
> Here's the excerpt from my script:
>
> # Refuse any connections to/from problem sites.
[snip]
>
> if [ -f /etc/firewall/firewall.banned ]; then
> while read BANNED; do
> iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BANNED -j DROP
> iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BANNED -j DROP
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BANNED -j DROP
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BANNED -j DROP
> done < /etc/firewall/firewall.banned
> fi
Given it reads the entire file each time, wouldn't you want to put
some sort of flush in there first? Of course that's going to get rid of
all rules. Just if you run this every time you're going to end up with
some entries in a lot of times.
How about having the actual INPUT/OUTPUT chains jump to a userdefined
one at the end and you put these rules in that user-defined chain? That
way you can flush *that* entire chain each time before adding the
current bans.
Of course if you use a decent FTPd it's easy to ban by IP anyway, i.e.
proftpd:
<Directory *>
<Limit ALL>
Deny from 62.80.132.
Deny from .CXXXII.adsl.multi.fi
</Limit>
</Directory>
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
Attachment:
pgp00243.pgp
Description: PGP signature
