Frank Szczerba on 3 Feb 2012 13:36:33 -0800 |
Re: [PLUG] Quick & dirty IP blocking
On Feb 3, 2012, at 4:22 PM, bergman@merctech.com wrote:

> In the message dated: Fri, 03 Feb 2012 15:26:53 EST,
> The pithy ruminations from JP Vossen on
> <Re: [PLUG] Quick & dirty IP blocking> were:
> => > Date: Fri, 3 Feb 2012 09:09:35 -0500
> => > From: "Paul W. Roach III" <paul@isaroach.com>
> => > [SNIP!]
> => >
> => >
> => > The iptables equivalent would be:
> => >
> => > iptables -A INPUT -s 192.168.192.0/24 -j DROP
>
> Careful there! That command will append the rule to the end of the iptables
> INPUT chain. Rules are processed in order. If there's an earlier rule
> in that chain that would allow the evil packets, then they will not be
> blocked by the later rule. For example, consider:
>
> iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -s 192.168.192.0/24 -j DROP
>
> With those two rules, traffic from all hosts in 192.168.192.0/24 to port
> 139 will be dropped, but the SSH attack will still be delivered.

Fix that by doing

iptables -I INPUT -s 192.168.192.0/24 -j DROP

which will insert the rule at the start of the INPUT chain instead of the end.

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
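The point of the exchange above is netfilter's first-match semantics: the first rule in a chain that matches a packet decides its fate, so the position of a DROP rule matters as much as its content. The following is an added example, not code from the thread or from the iptables project. It models an INPUT chain as an ordered list, supports only the matches the thread uses (-s, -p, --dport, -m state --state), and reproduces the two orderings discussed: the ACCEPT-for-SSH rule followed by a DROP appended with -A, versus the same DROP inserted with -I at position 1. The packets and addresses are constructed sample values.

```python
"""
Model of netfilter first-match rule evaluation, showing why appending (-A)
and inserting (-I) the same DROP rule give different results.

Added illustration (not from the mailing-list thread or the iptables
project). Only -s, -p, --dport and --state are modelled; the chain's
default policy is applied when no rule matches, as on a real system.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src: str            # source IPv4 address
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED, ...


@dataclass
class Rule:
    target: str                     # ACCEPT or DROP
    src: Optional[str] = None       # -s CIDR
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    state: Optional[str] = None     # -m state --state

    def matches(self, pkt: Packet) -> bool:
        """Every specified match criterion must hold; unspecified ones are wildcards."""
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.state is not None and pkt.state != self.state:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"                          # default policy, used when nothing matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """iptables -A: rule goes to the end of the chain."""
        self.rules.append(rule)

    def insert(self, rule: Rule, position: int = 1) -> None:
        """iptables -I [rulenum]: 1-based like iptables; default is the top of the chain."""
        self.rules.insert(position - 1, rule)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule wins; rules after it are never consulted."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_appended_chain() -> Chain:
    """The ordering warned about in the thread: DROP appended after the SSH ACCEPT."""
    chain = Chain()
    chain.append(Rule("ACCEPT", proto="tcp", dport=22, state="NEW"))
    chain.append(Rule("DROP", src="192.168.192.0/24"))   # -A: ends up after the ACCEPT
    return chain


def build_inserted_chain() -> Chain:
    """The suggested fix: DROP inserted at position 1 with -I."""
    chain = Chain()
    chain.append(Rule("ACCEPT", proto="tcp", dport=22, state="NEW"))
    chain.insert(Rule("DROP", src="192.168.192.0/24"))   # -I: ends up at position 1
    return chain


# Constructed sample traffic (hypothetical hosts).
SSH_FROM_BLOCKED = Packet("192.168.192.5", "tcp", 22)
SMB_FROM_BLOCKED = Packet("192.168.192.5", "tcp", 139)
SSH_FROM_ELSEWHERE = Packet("10.0.0.7", "tcp", 22)


if __name__ == "__main__":
    for flag, chain in (("-A", build_appended_chain()), ("-I", build_inserted_chain())):
        print(flag, "ssh from blocked net:", chain.verdict(SSH_FROM_BLOCKED))
        print(flag, "smb from blocked net:", chain.verdict(SMB_FROM_BLOCKED))
        print(flag, "ssh from elsewhere:  ", chain.verdict(SSH_FROM_ELSEWHERE))
```

Running it shows the SSH packet from the blocked network accepted under the -A ordering and dropped under the -I ordering, while port 139 is dropped either way and SSH from other networks is unaffected. On a real host the equivalent check is `iptables -L INPUT -n --line-numbers`, which prints the chain in evaluation order, and `iptables -I INPUT <rulenum>` places a rule at an explicit position when the top of the chain is not the right spot. One caveat the model makes visible: if the chain has an early `--state ESTABLISHED,RELATED -j ACCEPT` rule, connections from the blocked network that already exist keep matching it until they end, so a freshly inserted DROP only stops new ones.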