Alexander Farber
2011-Apr-25 16:03 UTC
[CentOS] Blocking an IP address both as source and destination
Hello, how do you block incoming AND outgoing traffic to a site? I have 2 drop lines for a site in my /etc/sysconfig/iptables: *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [294:35064] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -s xx.xx.xx.0/24 -j DROP -A INPUT -d xx.xx.xx.0/24 -j DROP -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,8080 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT COMMIT but for some reason still can "ping xx.xx.xx.1" and "ssh xx.xx.xx.1" prints "ssh: connect to host xx.xx.xx.1 port 22: Connection refused" immediately, which probably means my packets aren't dropped at all. Using CentOS 5.6/64 bit Thank you Alex
Stephen Harris
2011-Apr-25 16:18 UTC
[CentOS] Blocking an IP address both as source and destination
On Mon, Apr 25, 2011 at 06:03:29PM +0200, Alexander Farber wrote:> Hello, > > how do you block incoming AND outgoing traffic to a site? > > I have 2 drop lines for a site in my /etc/sysconfig/iptables: > > *filter > :INPUT DROP [0:0] > :FORWARD DROP [0:0] > :OUTPUT ACCEPT [294:35064] > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT > -A INPUT -i lo -j ACCEPT > -A INPUT -s xx.xx.xx.0/24 -j DROP > -A INPUT -d xx.xx.xx.0/24 -j DROP > -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT > -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports > 80,8080 -j ACCEPT > -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags > FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT > COMMIT > > but for some reason still can "ping xx.xx.xx.1" and > "ssh xx.xx.xx.1" prints > "ssh: connect to host xx.xx.xx.1 port 22: Connection refused" > immediately, which probably means my packets aren't dropped at all.To block outgoing traffic (traffic originating on this host destined for another machone) you need to add rules to the OUTPUT filter. -- rgds Stephen
Apparently Analagous Threads
- Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?
- Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?
- Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?
- iptables.service listed as: not-found inactive dead
- Adding comments to /etc/sysconfig/iptables