Gentoo Archives: gentoo-security

From: Neil Cherry <ncherry@×××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Tue, 04 Oct 2005 18:03:12
Message-Id: 4342C172.1030707@comcast.net
In Reply to: Re: [gentoo-security] [OT?] automatically firewalling off IPs by Dave Strydom
Dave Strydom wrote:
> Which brings me back to my original idea, of only allowing your IPs to
> connect to SSH on your servers, and just drop everything else, problem
> solved.

I do something along those lines. At my firewall/router I have a
rule that blocks private IP (and MS's 169 IP address). Other
addresses are permitted through but all are logged. This script
is on my ssh server for further protection (see below). I used
to do a type of blacklisting (still do) but I haven't had any
new entries since I started using this. BTW, I had a large
number of IPs from China, Korea, Japan, Singapore, Brazil and
a few other Asian countries. So blocking IPs (networks, not
individual IPs) became unmanageable.

Here's what I do (it's been trimmed and I broke the lines with \):
17
#!/bin/sh
# Allow these sites access to my machine
# -state NEW

permit() {
    # I want to log just the start of the conversation
    /sbin/iptables -A INPUT -s "${1}" -p tcp --syn --dport 22 -j LOG \
        --log-level info --log-prefix "iptables permit: " \
        --log-ip-options
    /sbin/iptables -A INPUT -s "${1}" -p tcp --dport 22 -j ACCEPT
}

# Deny these sites access to my machine
deny() {
    /sbin/iptables -A INPUT -s "${1}" -p tcp --dport 22 -j LOG \
        --log-level alert --log-prefix "iptables deny: " \
        --log-ip-options
    /sbin/iptables -A INPUT -s "${1}" -p tcp --dport 22 -j DROP
}

# =[ Flush the tables completely ]============================================
/sbin/iptables -F

# =[ Permit list ]============================================================
#permit 127.0.0.0/8     # Local stuff
permit 10.0.0.0/8       # Local stuff
permit 172.16.0.0/12    # Local stuff
permit 192.168.0.0/16   # Local stuff

# =[ Deny list ]==============================================================
deny 0.0.0.0/0          # Deny everyone else


exit 0
51
52
--
Linux Home Automation Neil Cherry ncherry@×××××××.net
http://home.comcast.net/~ncherry/ (Text only)
http://hcs.sourceforge.net/ (HCS II)
http://linuxha.blogspot.com/ My HA Blog
--
gentoo-security@g.o mailing list
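The script above logs every port-22 hit with an "iptables permit: " or "iptables deny: " prefix, and the thread is about turning such logs into block decisions. As an added example (not Neil's script, not part of the original thread), here is a small POSIX shell helper that counts the logged source addresses per prefix and lists the ones that exceed a threshold, so a cron job or an admin can review them before feeding them to deny(). The log lines in SAMPLE_LOG are constructed and abridged for the example; the field names follow the standard iptables LOG output.

```shell
#!/bin/sh
# Constructed sample of kernel log lines as the permit()/deny() rules
# would produce them (abridged: only the fields this script needs).
SAMPLE_LOG='Oct  4 17:55:01 gw kernel: iptables deny: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=22 SYN
Oct  4 17:55:03 gw kernel: iptables deny: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41235 DPT=22 SYN
Oct  4 17:56:10 gw kernel: iptables permit: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=50211 DPT=22 SYN
Oct  4 17:57:41 gw kernel: iptables deny: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=22 SYN
Oct  4 17:58:02 gw kernel: iptables deny: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41236 DPT=22 SYN'

# count_by_src PREFIX
#   Reads log lines on stdin, keeps those tagged "iptables PREFIX: "
#   (PREFIX is "permit" or "deny"), extracts SRC= and prints
#   "<count> <address>" lines, most frequent first.
count_by_src() {
    grep "iptables ${1}: " \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# deny_candidates MIN
#   Reads log lines on stdin and prints the source addresses that were
#   dropped at least MIN times (default 3). Review the output before
#   passing each address to the deny() function of the script above.
deny_candidates() {
    count_by_src deny | awk -v min="${1:-3}" '$1 >= min { print $2 }'
}

# Stand-alone run over the constructed sample: in real use replace the
# printf with e.g. "grep iptables /var/log/messages".
printf '%s\n' "$SAMPLE_LOG" | count_by_src deny
printf '%s\n' "$SAMPLE_LOG" | deny_candidates 2
```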