Red Hat General mailing list archive, July 2004.
Blocking IP address with iptables.
Richard Gutery, 2004-06-29, 9:58 am
G'day. I have been trying to get an answer for this.
I am from the Microsoft and OpenBSD world and have recently begun
using RH7.3 for my firewall.
I need to block an Internet Address.
In OpenBSD I would use -> 'block out quick on ethx ...'
I have these two rules in my iptables file:
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 64.246.26.185 --dport 80 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s 64.246.26.185 -d 0/0 --dport 80 -m limit --limit 2/minute -j $STOP
$STOP and $IPT are macro substitutions that work for everything else,
so I know that's not the problem.
What am I missing?
tx in advance.
RG
Richard Gutery wrote:
> I have these two rules in my iptables file:
>
> $IPT -t filter -A INPUT -p tcp -s 0/0 -d 64.246.26.185 --dport 80 -m limit --limit 2/minute -j $STOP
> $IPT -t filter -A OUTPUT -p tcp -s 64.246.26.185 -d 0/0 --dport 80 -m limit --limit 2/minute -j $STOP
>
> $STOP and $IPT are macro substitutions that work for everything else,
> so I know that's not the problem.
>
I'm not sure why you're using the limit match, but the following should
work:
$IPT -A OUTPUT -p tcp -d 64.246.26.185 --dport 80 -j $STOP
$IPT -A INPUT -p tcp -s 64.246.26.185 --sport 80 -j $STOP
... assuming the $STOP variable is "REJECT" or "DENY" or a custom target.
These two rules stop TCP packets destined for, or originating from, the
remote webserver. If you wanted to block *any* traffic to and from the
host, just omit the -p tcp and --dport 80/--sport 80 arguments. Oh, and
you can omit -t filter, since the filter table is assumed by default.
HTH,
pete
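An added worked example, not from either poster, that puts the thread's advice into a small script. Two details decide whether a block rule does anything: the INPUT chain only carries packets addressed to the firewall itself, so the remote host must be matched with -s there and with -d in OUTPUT (traffic routed through the firewall for LAN clients goes through FORWARD instead); and the limit match caps how many packets per interval a rule matches, so a rate-limited DROP lets everything above the limit fall through to the next rule, which is why it does not belong on a block rule. The IPT and STOP variables mirror the $IPT/$STOP macros from the thread; the script defaults IPT to echo so it prints the rules instead of changing the live ruleset, and the address-check helper is assumed here, not anything iptables provides.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (or applies) iptables rules that
# block one remote host in the direction each chain actually sees.
# IPT defaults to "echo" so the commands are printed, not applied; set
# IPT=/sbin/iptables to apply them. STOP is assumed to be DROP or REJECT.
IPT="${IPT:-echo}"
STOP="${STOP:-DROP}"

# Crude dotted-quad check so a typo does not silently produce a rule that
# matches nothing. Assumed helper, not part of iptables.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# block_host_rules <remote-ip> [tcp-port]
# INPUT   sees packets arriving at this host -> remote is the SOURCE (-s).
# OUTPUT  sees packets leaving this host     -> remote is the DESTINATION (-d).
# FORWARD sees packets routed for LAN clients -> match both directions.
# "-A INPUT -d <remote>" never matches: INPUT only carries packets addressed
# to the firewall itself. No "-m limit" here: a rate-limited DROP only drops
# the first N packets per interval and lets the rest through.
block_host_rules() {
    host="$1"; port="$2"
    valid_ipv4 "$host" || { echo "bad IPv4 address: $host" >&2; return 1; }
    if [ -n "$port" ]; then
        "$IPT" -A INPUT   -p tcp -s "$host" --sport "$port" -j "$STOP"
        "$IPT" -A OUTPUT  -p tcp -d "$host" --dport "$port" -j "$STOP"
        "$IPT" -A FORWARD -p tcp -s "$host" --sport "$port" -j "$STOP"
        "$IPT" -A FORWARD -p tcp -d "$host" --dport "$port" -j "$STOP"
    else
        # Block all traffic to and from the host, any protocol.
        "$IPT" -A INPUT   -s "$host" -j "$STOP"
        "$IPT" -A OUTPUT  -d "$host" -j "$STOP"
        "$IPT" -A FORWARD -s "$host" -j "$STOP"
        "$IPT" -A FORWARD -d "$host" -j "$STOP"
    fi
}

# Dry run with the address from the thread: prints four rules.
block_host_rules 64.246.26.185 80
```

Run it as-is to review the generated rules, then rerun with IPT pointed at the iptables binary to apply them; after applying, `iptables -L -v -n` shows the packet counters on each rule, which is the quickest way to confirm the block is actually matching traffic.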