On Tuesday 29 June 2004 2:49 pm, Richard Gutery wrote:

> Stop macro:
> $IPT -N LD
> $IPT -A LD -j LOG
> $IPT -A LD -j DROP

That has me really confused. I was expecting you to say that $STOP expanded to the word DROP, or some other valid target for the -j option on the netfilter command line.

> $STOP=LD (LD = Log and Drop)

I don't quite see how you can use this after -j on an iptables rule, however...

> $IPT = /sbin/iptables
>
> I need to totally block all packets to and from this address 64.246.26.185.
> So BLOCK means BLOCK.
>
> We OpenBSD users usually mean blocking as dropping the silly thing on the
> floor. No ifs, ands or buts. Just gone...

Oh, I understood what you meant by "block" - I wasn't sure which packets you wanted to block, though, since it wasn't clear whether we were talking about source or destination addresses, and forwarding through the firewall or going to/from it directly.

> As for the limiting, I simply copied a rule that was already in a
> firestarter script. So if I need to change the rule, I would be more than
> willing. Am I to assume that this is a bad rule?

Well, it certainly won't BLOCK (using your definition above) - it will rate limit - which means that some packets will still come through.

I suggest the following:

iptables -I INPUT -s 64.246.26.185 -j DROP
iptables -I OUTPUT -d 64.246.26.185 -j DROP
iptables -I FORWARD -s 64.246.26.185 -j DROP
iptables -I FORWARD -d 64.246.26.185 -j DROP

Regards,

Antony.

--
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, the mechanics are German, the lovers are French, the entertainment is American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, the mechanics are French, the lovers are Swiss, the entertainment is Belgian, and everything is organised by the Italians.

Please reply to the list; please don't CC me.
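Added example, not from either poster: the two ideas in the thread combined into one script. A user-defined chain named LD (log, then drop) is a valid -j target, so $STOP=LD works once the chain exists, and the four INPUT/OUTPUT/FORWARD rules Antony suggests can point at it instead of DROP. The rate limit is applied only to the LOG entry, never to the DROP, so blocking still blocks. IPT, DRY_RUN, run, make_ld_chain and block_host are names chosen here; DRY_RUN=1 (the default) prints the commands instead of running them, so it can be checked without root.

```shell
#!/bin/sh
# Added example: build the LD (log-and-drop) chain and use it as the -j target.
IPT=${IPT:-/sbin/iptables}   # path to the iptables binary (as in the thread)
DRY_RUN=${DRY_RUN:-1}        # 1 = print commands only; 0 = actually run them

# Run a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the user-defined chain LD once. Every packet sent to it is logged
# (rate-limited so the log cannot be flooded) and then unconditionally dropped.
make_ld_chain() {
    run "$IPT" -N LD
    run "$IPT" -A LD -m limit --limit 5/min -j LOG --log-prefix "LD:"
    run "$IPT" -A LD -j DROP
}

# Block one address in every direction: packets to/from this host (INPUT,
# OUTPUT) and packets forwarded through it (FORWARD, as source and as
# destination). The second argument is the target chain, LD by default.
block_host() {
    addr=$1
    STOP=${2:-LD}
    run "$IPT" -I INPUT   -s "$addr" -j "$STOP"
    run "$IPT" -I OUTPUT  -d "$addr" -j "$STOP"
    run "$IPT" -I FORWARD -s "$addr" -j "$STOP"
    run "$IPT" -I FORWARD -d "$addr" -j "$STOP"
}

# Usage: the chain must exist before any rule jumps to it.
make_ld_chain
block_host 64.246.26.185
```

Run with DRY_RUN=0 as root to apply the rules; with the default DRY_RUN=1 the seven iptables commands are printed for review.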