These forums are locked and archived, but all topics have been migrated to the new forum.
Okay, if I want to block an IP or a range of IPs from my site, I should add a rule to the firewall, right?
So what on earth should I add in this screen? :D http://img13.imageshack.us/img13/167/firewally.png
There are different ways to block a user; you could use the firewall, you can use "route" to reject IPs, and you can add rules to the .htaccess file to block IPs as well.
To use the screen you have above -- you'd just select "Drop" next to "Action to take", and then add the IP address to drop next to "Source Address or Network".
Personally, I'm a fan of typing it out on the command line:
iptables -I INPUT -s IP_address_to_drop -j DROP
But, the above screen does the same thing :-)
-Eric
I add single addresses almost daily and entire /16s on some occasions. To block a range, where you enter the IP you enter xxx.xxx.xxx.0/16 or /whatever. Unfortunately it will add the rule at either the top or the bottom of your rules, so if you are picky like me you need to either go into /etc/sysconfig/iptables and manually move it to where you like, or you can move it one line at a time using the up and down single arrows next to the rule.
This is what I am using while searching for this solution.
http://www.experts-exchange.com/Security/Linux_Security/Q_20683396.html
Thanks to Klintan:
#!/bin/bash
# Drop every address listed in badips.txt (one per line)
if [ -f badips.txt ]; then
    for BAD_IP in $(cat badips.txt); do
        iptables -A INPUT -s "$BAD_IP" -j DROP
    done
else
    echo "Can't read badips.txt"
fi
However, I would prefer that you set the default policy to DROP and then only accept the god ones. Something like this.
This assumes that your network is 192.168.0.x
#!/bin/bash
# Flush every existing rule in the filter, nat and mangle tables
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Default policy: drop anything not explicitly accepted below
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Always allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# DHCP: refuse on eth1, allow on eth0
iptables -A INPUT -i eth1 -p udp --dport bootps --sport bootpc -j DROP
iptables -A INPUT -i eth0 -p udp --dport bootps --sport bootpc -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport bootps --sport bootpc -j ACCEPT
# Allow packets belonging to connections already established, and related traffic
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED -j ACCEPT
# Accept the local network
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
# Accept every address listed in godips.txt (one per line)
if [ -f godips.txt ]; then
    for GOD_IP in $(cat godips.txt); do
        iptables -A INPUT -s "$GOD_IP" -j ACCEPT
    done
else
    echo "Can't read godips.txt"
fi
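As an added example (not from this thread, and not Klintan's script), here is a block-list loader that addresses two things raised above: the plain `for BAD_IP in $(cat ...)` loop happily feeds any typo or stray comment into iptables, and `-A` appends the DROP rule below whatever ACCEPT rules already exist, which is the ordering problem the earlier reply describes. The script validates each entry as an IPv4 address or CIDR range, inserts with `-I INPUT <position>` (position 1 by default, so the block lands ahead of the ACCEPT rules), and prints the commands instead of running them unless `DRY_RUN=0` is set, so you can read the rule set before it touches the firewall. The file format (one entry per line, `#` comments), the `DRY_RUN` variable and the function names are my assumptions, and the sample list is constructed. When combining this with a default-DROP policy as in Klintan's script, insert an ACCEPT for the address you administer from before the `-P INPUT DROP` line if you are working over SSH.

```shell
#!/bin/sh
# Added example: build iptables DROP rules from a block-list file.
# Assumptions (not from the thread): one IPv4 address or CIDR range per
# line, '#' starts a comment, DRY_RUN=1 (default) only prints the commands.

# Return 0 when $1 is a syntactically valid IPv4 address or CIDR range.
valid_ipv4_entry() {
    entry=$1
    printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr=${entry%%/*}
    prefix=${entry#*/}
    [ "$prefix" = "$entry" ] && prefix=32      # no "/" present: a single host
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    return 0
}

# Print one iptables command per valid entry in file $1. Rules are inserted
# with -I at position $2 (default 1, the top of INPUT) so they are evaluated
# before any ACCEPT rule; -A would append them after everything else.
# Malformed entries are reported on stderr and skipped.
emit_drop_rules() {
    file=$1
    pos=${2:-1}
    [ -r "$file" ] || { echo "Can't read $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # strip trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')     # and any whitespace
        [ -n "$line" ] || continue
        if valid_ipv4_entry "$line"; then
            printf 'iptables -I INPUT %s -s %s -j DROP\n' "$pos" "$line"
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done < "$file"
}

# Print the commands (DRY_RUN=1, the default) or execute them (DRY_RUN=0).
apply_drop_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        emit_drop_rules "$@"
    else
        emit_drop_rules "$@" | sh -e
    fi
}

# Constructed sample block list for the demonstration; the last line is
# deliberately malformed to show it being rejected rather than loaded.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample: one host, one /24, one /16, one bad entry
203.0.113.7
198.51.100.0/24
10.0.0.0/16        # a whole range, as the earlier reply describes
999.1.1.1          # malformed: skipped
EOF
apply_drop_rules "$demo_file" 1
rm -f "$demo_file"
```

Run it as `DRY_RUN=1 sh blocklist.sh` first and read the printed commands; only then rerun with `DRY_RUN=0` as root. Rules added this way still live only in the kernel, so save them afterwards (for example into /etc/sysconfig/iptables with `iptables-save`, as the earlier reply mentions that file) or they vanish on reboot.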