Hi all,
I now have Shorewall working and working beautifully thanks to Tom for the
excellent support. Now I want to extend this a little so I can use iptables
in a dynamic way. I am already doing this, but if I reset shorewall for any
reason, I then have to manually "remember" to create my own user_defined
chains or my user defined rules that run via scripts won't work.
Here's an example of what I'm doing now:
1st I start shorewall (of course this starts at startup automatically):
/etc/rc.d/init.d/shorewall start
Next I create my own chain:
/sbin/iptables -N mychain
I then insert this to INPUT
/sbin/iptables -I INPUT -j mychain
I then have a script that runs every 60 seconds that parses specific http
log files that I have custom generated. If it finds an IP doing something
it's not supposed to do (like a robot pounding the Web server), the script
simply does this:
/sbin/iptables -I greedy -p tcp --dport 80 -s 123.123.123.123 -j DROP
it also logs this activity in a MySQL table for administrative review.
Depending on what this IP was doing he will most likely be given access
again in 5 minutes. If this same IP continues to abuse the system we block
him permanently and send an email to the system administrator so we can
evaluate why the block took place and adjust our rules if necessary or just
leave the dude blocked and add him to our blacklist.
This is working perfectly and has really helped us cut down and almost
eliminate abuse on our http server. We have used similar techniques to block
specific users from bandwidth abuse and any other rule we decide to
impose. In fact we have some users who access the net from their home
through our network and when they let their children access the Web they
have a Web based access control panel so they can put their connection on
"child safe" rules which blocks their access to servers not appropriate to
children. Also the user can add domain names to their own block list as well
as take away from their list. Users love it.
My problem isn't with shorewall or iptables. The problem is that sometimes
there is a need to refresh shorewall and when this is done it also removes
our user_defined chain. I'm not worried about the rules being lost when this
happens because we can refresh the rules. Sure I could write another script
testing for the chain and then creating it if it is not there or I could
modify shorewall's startup script, but if I modify shorewall's startup and
then when we update, we may forget about this and our chains would be lost.
If I can add these chains to one of the configuration files (ie,
/etc/shorewall/) that would be great and make administration a little easier
between machines. I did try to use icmpdef to do this, but it only creates
the new chain and doesn't "-I"nsert it to INPUT.
Any ideas how to have this automated so I don't have to remember to
re-enable my chains?
Thanks again and Tom your shorewall is working GREAT!
Karen
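The "script testing for the chain and then creating it if it is not there" that the post mentions, written out as an added example (not code from the post or from Shorewall). It assumes an iptables with the -C check option (1.4.11 or later) and a chain called mychain; the dispatch at the bottom lets the same file be run as `ensure` from cron or from a Shorewall extension script after every restart, and `block`/`unblock` replace the raw -I line in the log-parsing script so repeated calls never duplicate a rule.

```shell
#!/bin/sh
# ensure_chain.sh (added example, not part of the post or of Shorewall).
# Re-creates the user chain and its jump from INPUT idempotently, so it can
# be run after every "shorewall restart" without remembering anything.
# Assumes iptables 1.4.11+ for the -C (check) option. IPTABLES, CHAIN and
# PORT may be overridden in the environment (used to test without root).

IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-mychain}"
PORT="${PORT:-80}"

# Create the chain if it is missing and link it from INPUT exactly once.
ensure_chain() {
    if ! "$IPTABLES" -L "$CHAIN" -n >/dev/null 2>&1; then
        "$IPTABLES" -N "$CHAIN" || return 1
    fi
    if ! "$IPTABLES" -C INPUT -j "$CHAIN" >/dev/null 2>&1; then
        "$IPTABLES" -I INPUT -j "$CHAIN" || return 1
    fi
}

# Drop web traffic from one address; safe to call repeatedly.
block_ip() {
    ensure_chain || return 1
    if ! "$IPTABLES" -C "$CHAIN" -p tcp --dport "$PORT" -s "$1" -j DROP >/dev/null 2>&1; then
        "$IPTABLES" -I "$CHAIN" -p tcp --dport "$PORT" -s "$1" -j DROP
    fi
}

# Remove the block again (the 5-minute release described in the post).
unblock_ip() {
    "$IPTABLES" -D "$CHAIN" -p tcp --dport "$PORT" -s "$1" -j DROP
}

case "${1:-}" in
    ensure)  ensure_chain ;;
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
esac
```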