Blocking incoming IP address immediately
From: Jeff Franks (jfranks1970_at_charter.net)
Date: 11/29/04
Date: Mon, 29 Nov 2004 09:32:41 -0600
I have a gaming server and am trying to create an IPTABLES firewall that
will allow me to "ban" an IP. I have been able to do this, but the ban only
takes place if I reboot the firewall PC. I need this to be something that
can take effect immediately. If I have a cheater/abuser in the game, I need
to be able to script something so that I can block all traffic from that
person's IP or IP Range. From what I've dug up, this should be doable with
a simple:
iptables -A INPUT -s 123.45.67.89 -j DROP
I've also seen where the -SYN option should be used and I've played with the
ESTABLISHED and RELATED options. ANY ideas on this will be greatly
appreciated. BTW, the game works fine, all the port forwarding and NAT
works great. I just need the ability to block IPs on the fly. If I can't
get this to work, I'd just as soon go back to the LinkSys I had in place
before :-/
Thanks
jf
Here is my current IPTABLES script. I know it's simple, but while trying to
determine how to do this, I've stripped all the fluff out. I'll put it back
once I figure out my problem.
-------------------------------------------------------------
# Purging all existing tables
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X
# Enable IP Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# Enable NAT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Reject all ping packets
# /sbin/iptables -A INPUT -p icmp -j DROP -i eth1
# *********** Port Forwarding from this point *************
# Port Forwarding For Game
/sbin/iptables -t nat -A PREROUTING -i eth1 -p udp --dport 1234 -j DNAT --to-destination 192.168.1.111
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1234 -j DNAT --to-destination 192.168.1.111
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2345:2349 -j DNAT --to-destination 192.168.1.111
/sbin/iptables -t nat -A PREROUTING -i eth1 -p udp --dport 2345:2349 -j DNAT --to-destination 192.168.1.111
# Forward traffic to Roger Wilco
/sbin/iptables -t nat -A PREROUTING -p udp --dport 3783 -j DNAT --to-destination 192.168.0.201
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 3783 -j DNAT --to-destination 192.168.0.201
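
Added example, not part of the original post or its replies: packets that the PREROUTING DNAT rules above hand to 192.168.1.111 are routed through the filter table's FORWARD chain, not INPUT, and the filter table is evaluated for every packet, so a DROP rule inserted with -I at the head of FORWARD applies as soon as it is loaded. The function names, DRY_RUN and IPTABLES variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names, DRY_RUN and the
# IPTABLES variable are assumptions made for this illustration.
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}    # 1 = print the commands only, 0 = execute them (root)

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix and nothing
# else, so a script argument can never be read as extra iptables options.
valid_source() {
    case $1 in
        */*) vs_addr=${1%%/*}; vs_prefix=${1#*/} ;;
        *)   vs_addr=$1; vs_prefix=32 ;;
    esac
    case $vs_prefix in ''|???*|*[!0-9]*) return 1 ;; esac
    case $vs_addr in ''|*[!0-9.]*) return 1 ;; esac
    [ "$vs_prefix" -le 32 ] || return 1
    vs_rest=$vs_addr. vs_count=0
    while [ -n "$vs_rest" ]; do
        vs_octet=${vs_rest%%.*}; vs_rest=${vs_rest#*.}
        case $vs_octet in ''|????*) return 1 ;; esac
        [ "$vs_octet" -le 255 ] || return 1
        vs_count=$((vs_count + 1))
    done
    [ "$vs_count" -eq 4 ]
}

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# $1 = -I (insert at rule 1, ahead of any ACCEPT) or -D (delete), $2 = source.
# FORWARD covers traffic DNATed to the game server; INPUT covers traffic
# addressed to the gateway itself.
apply() {
    valid_source "$2" || { echo "invalid source: $2" >&2; return 2; }
    for chain in FORWARD INPUT; do
        run "$IPTABLES" "$1" "$chain" -s "$2" -j DROP || return 1
    done
}

ban()   { apply -I "$1"; }
unban() { apply -D "$1"; }
# Usage after sourcing this file: ban 123.45.67.89 ; unban 123.45.67.89
```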