AA Posted July 1, 2003

Ok... silly user me knows nothing about ipchains, but then I'm told that if you go on a course they spend a whole day on ipchains alone!! Anyway, back to my question. I want to block all traffic to a certain IP address / host. How do I do this? The man file is helpful in explaining what every option does but it doesn't give examples. I.e. if someone can give me an example on how to do this... like

    #ipchains -XYZ xx.xx.xx.xx [or whatever]

Thanx in advance..!!

AA

Guest anon Posted July 1, 2003

IPChains is a bit dated now, though it is supported in the 2.4 kernels. I'm no expert on security, but most people will suggest using iptables (netfilter) for your firewall stuff, running with, say, shorewall, guarddog etc.

AA Posted July 1, 2003

Ok, yes, I know ipchains is quite outdated, but on older servers that do not have iptables and shorewall, and that do not have any development packages installed, one kinda has to make do with what you have...!! I should also mention that this is not for a Mandrake machine.... It's based on Red Hat, E-Smith to be exact... but in any case, it will become a Debian server soon and, well, Debian also comes standard with ipchains. I could probably install another firewall on the Debian box too, but why bother when ipchains will suffice, and the server acting as a firewall also performs other functions... I know that this is probably not the best way to keep my network safe, and I know that there are many exploits and vulnerabilities out there that could probably be used against ipchains, hence iptables.... but hey. As long as the end point is 99% secure, that should do just fine..!!

Guest anon Posted July 1, 2003

Umm... How about this??

    #!/bin/bash
    ##########################################################################
    # IPCHAINS VERSION
    # This sample configuration is for a single host firewall configuration
    # with no services supported by the firewall machine itself.
    ##########################################################################

    # USER CONFIGURABLE SECTION

    # The name and location of the ipchains utility.
    IPCHAINS=ipchains

    # The path to the ipchains executable.
    PATH="/sbin"

    # Our internal network address space and its supporting network device.
    OURNET="172.29.16.0/24"
    OURBCAST="172.29.16.255"
    OURDEV="eth0"

    # The outside address and the network device that supports it.
    ANYADDR="0/0"
    ANYDEV="eth1"

    # The TCP services we wish to allow to pass - "" empty means all ports
    # note: space separated
    TCPIN="smtp www"
    TCPOUT="smtp www ftp ftp-data irc"

    # The UDP services we wish to allow to pass - "" empty means all ports
    # note: space separated
    UDPIN="domain"
    UDPOUT="domain"

    # The ICMP services we wish to allow to pass - "" empty means all types
    # ref: /usr/include/netinet/ip_icmp.h for type numbers
    # note: space separated
    ICMPIN="0 3 11"
    ICMPOUT="8 3 11"

    # Logging; uncomment the following line to enable logging of datagrams
    # that are blocked by the firewall.
    # LOGGING=1

    # END USER CONFIGURABLE SECTION
    ##########################################################################

    # Flush the Input table rules
    $IPCHAINS -F input

    # We want to DENY incoming access by default.
    $IPCHAINS -P input DENY

    # SPOOFING
    # We should not ACCEPT any datagrams with a source address matching ours
    # from the outside, so we DENY them.
    $IPCHAINS -A input -s $OURNET -i $ANYDEV -j DENY

    # SMURF
    # Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
    $IPCHAINS -A input -p icmp -i $ANYDEV -d $OURBCAST -j DENY

    # We should ACCEPT fragments, in ipchains we must do this explicitly.
    $IPCHAINS -A input -f -j ACCEPT

    for i in $TCPIN
    do
        # TCP
        # We will ACCEPT all TCP datagrams belonging to an existing connection
        # (i.e. having the ACK bit set) for the TCP ports we're allowing through.
        # This should catch more than 95 % of all valid TCP packets.
        $IPCHAINS -A input -p tcp -d $OURNET $i ! -y -b -j ACCEPT

        # TCP - INCOMING CONNECTIONS
        # We will ACCEPT connection requests from the outside only on the
        # allowed TCP ports.
        $IPCHAINS -A input -p tcp -i $ANYDEV -d $OURNET $i -y -j ACCEPT
    done

    # TCP - OUTGOING CONNECTIONS
    # We ACCEPT all outgoing TCP connection requests on allowed TCP ports.
    for i in $TCPOUT
    do
        $IPCHAINS -A input -p tcp -i $OURDEV -d $ANYADDR $i -y -j ACCEPT
    done

    # UDP - INCOMING
    # We will allow UDP datagrams in on the allowed ports.
    for i in $UDPIN
    do
        $IPCHAINS -A input -p udp -i $ANYDEV -d $OURNET $i -j ACCEPT
    done

    # UDP - OUTGOING
    # We will allow UDP datagrams out on the allowed ports.
    for i in $UDPOUT
    do
        $IPCHAINS -A input -p udp -i $OURDEV -d $ANYADDR $i -j ACCEPT
    done

    # ICMP - INCOMING
    # We will allow ICMP datagrams in of the allowed types.
    for i in $ICMPIN
    do
        $IPCHAINS -A input -p icmp -i $ANYDEV -d $OURNET $i -j ACCEPT
    done

    # ICMP - OUTGOING
    # We will allow ICMP datagrams out of the allowed types.
    for i in $ICMPOUT
    do
        $IPCHAINS -A input -p icmp -i $OURDEV -d $ANYADDR $i -j ACCEPT
    done

    # DEFAULT and LOGGING
    # All remaining datagrams fall through to the default
    # rule and are dropped. They will be logged if you've
    # configured the LOGGING variable above.
    #
    if [ "$LOGGING" ]
    then
        # Log barred TCP
        $IPCHAINS -A input -p tcp -l -j REJECT

        # Log barred UDP
        $IPCHAINS -A input -p udp -l -j REJECT

        # Log barred ICMP
        $IPCHAINS -A input -p icmp -l -j REJECT
    fi
    #
    # end.

Or this one?? http://www.linux.se/doc/nag2/x-087-2-firewall.example.html

AA Posted July 1, 2003

> ##########################################################################
> # IPCHAINS VERSION
> # This sample configuration is for a single host firewall configuration
> # with no services supported by the firewall machine itself.
> ##########################################################################

You see, this machine is running other services... Let me be more exact... I want the command I should give to block all traffic to 1 IP address, because I am getting a lot of spyware and possible browser hijack attempts from that IP!!!

Guest anon Posted July 1, 2003

http://www.google.com/search?hl=en&lr=&ie=...G=Google+Search

AA Posted July 2, 2003

Someone in IRC told me what to do. Thanx anyway..!!

aru Posted July 2, 2003

> Someone in IRC told me what to do. Thanx anyway..!!

... maybe if you have some time you can post here the answer to your question so in the future some others might benefit from it.

AA Posted July 2, 2003

I guess I could do that...!!!

    /sbin/ipchains -A input -i ppp0 -s <IP TO DENY FROM> -p all -j DENY -l

Leave out the -i ppp0 if you want it on all interfaces.

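The rule from the post above, extended as an added example that is not part of the original thread: ipchains acts on the first rule that matches, and `-s` on the input chain only covers traffic coming from the host, so this sketch prints (it never runs) DENY rules inserted at position 1 for both directions. The function names `is_ipv4` and `block_host_rules` and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: print (never execute) ipchains rules
# that block one IPv4 host in both directions.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
# Rejecting anything else keeps hostnames and stray shell text out of a rule.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# block_host_rules ADDR [IFACE]: emit one DENY rule per direction.
block_host_rules() {
    addr=$1
    iface=${2:-}
    is_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
    case "$iface" in
        *[!A-Za-z0-9+]*) echo "invalid interface: $iface" >&2; return 1 ;;
    esac
    ifopt="${iface:+-i $iface }"
    # "-I <chain> 1" inserts at the head of the chain. ipchains stops at the
    # first matching rule, so a DENY appended with -A behind an ACCEPT that
    # already matches the traffic would never be reached.
    echo "/sbin/ipchains -I input 1 ${ifopt}-s $addr -j DENY -l"
    echo "/sbin/ipchains -I output 1 ${ifopt}-d $addr -j DENY -l"
}

# Constructed sample: 192.0.2.10 is a documentation address (TEST-NET-1).
block_host_rules 192.0.2.10 ppp0
```

Review the printed lines with `ipchains -L -n` output at hand before running them as root, since position 1 puts them ahead of every existing rule.
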
Gowator Posted July 2, 2003

Thanks AA, as it happens I'll be installing e-smith tonight. It's on a P100 so we'll see how it performs.

AA Posted July 2, 2003

As it happens I'll be removing e-smith tonight....!!! Do yourself a favour and don't install it... It's a load of cryte....!!

Gowator Posted July 2, 2003

Well, I'll give it a 'limited' trial. It was recommended by a friend. Really all I need is a zero maintenance router and fw that will run on a P100. If you have any specifics to help me make up my mind though, please post 'em...

AA Posted July 2, 2003

Well, you can't just do something, you always have to edit scripts which generate files... it doesn't have any compilers, half the needed libraries for basic apps aren't there... If you want a free GOOD high quality server that's lean.... DEBIAN..!!! It's beautiful...!! Saw quite a couple of Debian firewall howtos this morning...!!

Gowator Posted July 2, 2003

I read a lot of the comments on CNET download. People either love it or hate it. I think it's to do with expectations... I don't wanna run any apps, just a few daemons like http, and basically use it as a firewall, no monitor/keyboard/screen. Possibly using the webmail part. That's all I really want it to do. I read lots of negative comments ranging from it not having any games to it wasn't Microsoft so must be crap, but none of them seemed relevant to what I expected it to do.

AA Posted July 2, 2003

As a firewall it is very outdated.... still uses ipchains...!!!