This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blocking hosts

I havent been able to block ip's from contacting my server, anyone have an idea?

I defined the ip i want to block

i've tried packet filter

block_ip any any drop

i also tried deny and made no difference

the only packetfilter rule i currently have is
private networks - RFC1918 any any allow for masquerading

I have tried

iptables -A AUTO_INPUT -s 123.456.789.321 -j DROP
and
iptables -A INPUT 123.456.789.321 -j DROP

with no success

all i need is to know where to add a rule to block a host from all contack preferably a command line response because that is how i want to add this rule from a seaperate program

thanks

[ 16 January 2002: Message edited by: Boltz ]

This thread was automatically locked due to age.

Parents

0 squeeze over 23 years ago

when you activate your rule this host can't access clients behind your firewall, right?

when you just want to send no ping anwers, disable icmp on firewall (Packetfilter->ICMP)
Cancel
Vote Up 0 Vote Down

Cancel
0 Boltz over 23 years ago in reply to squeeze

no not really i want to block a host from the external interface IP

stopping that ip from contacting my firewall at all

i want to do this manually and none of the manual iptables commands i put work

i would like someone to show an example of how to block an ip from contacting the external firewall
in either the GUI or the manual ipchains command line or both
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Boltz over 23 years ago in reply to squeeze

no not really i want to block a host from the external interface IP

stopping that ip from contacting my firewall at all

i want to do this manually and none of the manual iptables commands i put work

i would like someone to show an example of how to block an ip from contacting the external firewall
in either the GUI or the manual ipchains command line or both
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 squeeze over 23 years ago in reply to Boltz

- disable ICMP
- add rule: -> Any -> -> drop
Cancel
Vote Up 0 Vote Down

Cancel
0 Boltz over 23 years ago in reply to squeeze

I just gave that a shot and no go.

If i was to do this on any linux box with iptables to block a host is as simple as

iptables -A INPUT -s 123.456.789.321 -j DROP

where do i add a similar line to in astaro and why might I not be able to block

i have astaro 2.something

everything is as it was fresh install except a masquerading rule a few definitions and a packet filter rule to allow masquerading
Cancel
Vote Up 0 Vote Down

Cancel
0 Boltz over 23 years ago in reply to Boltz

Anyone?

please help?
Cancel
Vote Up 0 Vote Down

Cancel
0 lanman over 23 years ago in reply to Boltz

You will need to add a definition for the eth1 IF of ASL such as
Ext 12.x.x.1 255.255.255.255

And a definition for the host you want to block
Blocked-IP 168.x.x.38 255.255.255.255

and then create a rule
Blocked-IP ANY Ext Drop

Make sure the rule is at the top of the list as any rule that will allow this host will be evaluated first and allow the traffic.

[ 25 January 2002: Message edited by: lanman ]
Cancel
Vote Up 0 Vote Down

Cancel
0 lanman over 23 years ago in reply to lanman

[ 25 January 2002: Message edited by: lanman ]
Cancel
Vote Up 0 Vote Down

Cancel
0 Boltz over 23 years ago in reply to lanman

hmm thanks Ill give it a shot
Cancel
Vote Up 0 Vote Down

Cancel
0 Boltz over 23 years ago in reply to Boltz

I did just as you said and it didnt work

first rule in filter and it didnt work
Cancel
Vote Up 0 Vote Down

Cancel
0 lanman over 23 years ago in reply to Boltz

Can the client you are trying to block still ping. they should be able to ping unless you you turn of ICMP.

Can this client still access internal servers on you LAN or DMZ.
Cancel
Vote Up 0 Vote Down

Cancel
0 Boltz over 23 years ago in reply to lanman

I will try again and do a port scan on the firewall from the host i want to block as a test

but i am sure that it still will find open ports and still make contact

see i have tested blocking my webserver and i can still access the webserver. I also can ping and portscan the astaro server from the blocked host
Cancel
Vote Up 0 Vote Down

Cancel
0 danielrm26 over 23 years ago in reply to Boltz

[ 08 February 2002: Message edited by: danielrm26 ]
Cancel
Vote Up 0 Vote Down

Cancel