Re: Blocking incoming IP address immediately

From: Jeff Franks (jfranks1970_at_charter.net)
Date: 11/29/04


Date: Mon, 29 Nov 2004 11:08:21 -0600

Wow, thanks for the info. I'll give all this a try asap. I like the
"abusers" chain idea. Still, the problem is that when I run the command
listed, it doesn't immediately take effect. I had this exact same issue a
few months back, but it was on RedHat 7 and an olllld version of IPTABLEs.
This one is on RH 9 and the newest IPTABLES rpm. grrrrrr.

Thanks again,

jeff
"Tim Haynes" <usenet-20041129@stirfried.vegetable.org.uk> wrote in message
news:86y8gkr6mc.fsf@potato.vegetable.org.uk...
> "Jeff Franks" <jfranks1970@charter.net> writes:
>
>> I have a gaming server and am trying to create an IPTABLES firewall that
>> will allow me to "ban" an IP. I have been able to do this, but the ban
>> only
>> takes place if I reboot the firewall pc.
>
> Yuck? WTF?
>
>> I need this to be something that can take effect immediately. If I have a
>> cheater/abuser in the game, I need to be able to script something so that
>> I can block all traffic from that person's IP or IP Range. From what I've
>> dug up, this should be doable with a simple :
>>
>> iptables -A INPUT -s 123.45.67.89 -j DROP
>
> Well yeah, that should work. Does what it says on the tin - appends a rule
> taking packets from that ip and drops them, to the end of the INPUT chain.
>
> Now.
>
> You might've wanted to REJECT them instead, for speed - up to you in this
> case.
>
> Depending on how many concurrent packets hitting your server are destined
> for the game rather than other services, it might make sense to peel off a
> chain and call it `abusers', so you check incoming packets first whether
> they're for the game service (by port#), then you push them through the
> game-specific abusers chain where naughty people are REJECTed/DROPped, or
> otherwise if it's not for the game, it bypasses all that processing and
> gets handled normally.
>
> Second thought: depending on what else happens in your iptables `INPUT'
> chain, you might find that appending or prepending the rule after
> everything else is daft. This is where having a separate chain for abusers
> makes sense because you can firmly stick the rule on either end of that
> chain in the knowledge that it's not messing-up your firewall order any
> further (e.g. the abuser should be able to send you a mail (25/tcp) saying
> sorry).
>
> I'm thinking in terms of my firewall script at
> <http://spodzone.org.uk/packages/secure/iptables.sh> here, but with a few
> extra lines:
>
> iptables -N abusers # somewhere near the other -N lines
>
> iptables -A INPUT -p tcp --dport 1234 -j abusers # deflect them through chain
> iptables -A INPUT -p tcp --dport 1234 -j ACCEPT # otherwise let them past
> ...
> iptables -A INPUT -j DROP
>
> then a paragraph of lines like:
> iptables -A abusers -s 123.45.67.89 -j REJECT
> ...etc.
>
>> I've also seen where the -SYN option should be used and I've played with
>> the ESTABLISHED and RELATED options. ANY ideas on this will be greatly
>> appreciated.
>
> I don't think you want to distinguish at all. It's enough that the
> originator of the packet has been a Bad Boy, not whether it's a new one or
> not. Reject them mid-connection, why not :)
>
> [snip entire current script]
>
> ~Tim
> --
> Famous moments vanish without trace
> |piglet@stirfried.vegetable.org.uk
> Trees grow tall, fields grow wheat |http://pig.sty.nu/
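Putting Tim's "abusers chain" advice into a form you can script from the game console, as an added example that is not part of the thread and not Tim's own iptables.sh. It assumes the game listens on tcp/1234 (the placeholder port from the quoted post), an iptables new enough to understand `-C` (rule check), and root; `DRY_RUN=1` prints the commands instead of running them. Two details matter for the "doesn't take effect immediately" symptom: a rule appended to the end of INPUT sits behind anything already accepting (a blanket ACCEPT for ESTABLISHED,RELATED is a common one), so the jump into the abusers chain is inserted at position 1 rather than appended; and every address is validated before it reaches the command line, so a mistyped or hostile string from the game chat cannot become extra iptables arguments.

```shell
#!/bin/sh
# Added example (not from the thread): a dedicated "abusers" chain with
# ban/unban helpers that take effect on the next packet, no reboot needed.
# Assumptions (constructed, not from the post): game service on tcp/1234,
# an iptables that supports -C (rule check), root privileges.
# Set DRY_RUN=1 to print the commands instead of executing them.

IPTABLES=${IPTABLES:-iptables}
GAME_PROTO=${GAME_PROTO:-tcp}
GAME_PORT=${GAME_PORT:-1234}
BAN_TARGET=${BAN_TARGET:-DROP}   # or REJECT, as Tim suggests
DRY_RUN=${DRY_RUN:-0}

# Run an iptables command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# True if an identical rule is already present (avoids duplicate rules).
rule_exists() {
    [ "$DRY_RUN" = 1 ] && return 1
    "$IPTABLES" -C "$@" 2>/dev/null
}

# Accept only a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_cidr() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        pfx=${1#*/}
        case $pfx in ''|*[!0-9]*) return 1 ;; esac
        [ "$pfx" -le 32 ] || return 1
    fi
    case $addr in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Create the chain and hook it in ahead of every other INPUT rule, so an
# earlier ACCEPT (e.g. for ESTABLISHED,RELATED) can never shadow a ban.
setup_chain() {
    if [ "$DRY_RUN" = 1 ] || ! "$IPTABLES" -L abusers -n >/dev/null 2>&1; then
        run -N abusers
    fi
    rule_exists INPUT -p "$GAME_PROTO" --dport "$GAME_PORT" -j abusers ||
        run -I INPUT 1 -p "$GAME_PROTO" --dport "$GAME_PORT" -j abusers
}

# The ban lands at the head of the abusers chain and bites immediately.
ban() {
    valid_cidr "$1" || { echo "ban: bad address '$1'" >&2; return 2; }
    rule_exists abusers -s "$1" -j "$BAN_TARGET" && return 0
    run -I abusers 1 -s "$1" -j "$BAN_TARGET"
}

unban() {
    valid_cidr "$1" || { echo "unban: bad address '$1'" >&2; return 2; }
    run -D abusers -s "$1" -j "$BAN_TARGET"
}

# Command-line front end: ./abusers.sh setup | ban ADDR | unban ADDR | list
if [ $# -gt 0 ]; then
    case $1 in
        setup) setup_chain ;;
        ban)   ban "$2" ;;
        unban) unban "$2" ;;
        list)  run -L abusers -n -v --line-numbers ;;
        *) echo "usage: $0 {setup|ban ADDR|unban ADDR|list}" >&2; exit 2 ;;
    esac
fi
```

Run `setup` once from the firewall script, then `ban 123.45.67.89` (or a range such as `10.0.0.0/8`) whenever someone misbehaves; `list` shows the chain with packet counters, which is the quickest way to confirm a ban is actually matching rather than being shadowed by an earlier rule.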
