
Blocking IP's using iptables command, how?


nerbonne (Technical User), Dec 11, 2006
Hi, I've seen some references to blocking IP's using a command called iptables. I was wondering if anyone could tell me the exact format of the command since someone from Bulgaria is trying to exploit phpMyAdmin. I am running Fedora Core 1 and Apache with Plesk 7.

Thanks.
 
OK,

you may also consider changing PHPmyadmin's port as the unwanted visitor may be using a DSL with dynamic address

anyway here is what you do, assuming that your phpmyadmin/php system is the same one that connects to the internet


xx = phpmyadmin/web port on your system (normally 80)
xxx-xxx-xxx-xxx = the address from which the attacks are carried out

iptables -A INPUT -p tcp --dport xx -s xxx-xxx-xxx-xxx -j DROP

This is if your configuration is simple (i.e. only one Linux box running your internet connection, web server, phpmyadmin and so on). If you have a different configuration please post clear info about your network setup.

QatQat

Life is what happens when you are making other plans.
 
Hi,

You're right, my box is fairly simple. I performed the command as instructed and it appeared to work. I'm sure that the attacker is on DSL, but if it comes down to that, I'll probably just block his entire ISP range since I don't have clients from Bulgaria anyway and I could care less.

Is blocking ranges possible? Also, is there a command to print the current config so I can verify the settings?

Thanks for your previous help as well.
 
OK,

to print the current config
for the filter table
Code:
iptables -L

for the nat table
Code:
iptables -t nat -L

commands are obviously case sensitive

To block a range you can use something like this

Code:
iptables -A INPUT -m iprange --src-range xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx -j DROP

or, quicker and easier but to use carefully as it may block legitimate traffic, to block all addresses in an ip group (example 165.xxx.xxx.xxx)

Code:
iptables -A INPUT -s 165.0.0.0/8 -p tcp --dport 80 -j DROP

Cheers

QatQat


Life is what happens when you are making other plans.
 
Can you tell me how to make the changes permanent since it seems that the IP's I add are gone after a server reboot.
 
If I'm not mistaken, when iptables starts up, it will read the rules from /etc/sysconfig/iptables. iptables-save is a command to dump the current iptables settings to a file. So, iptables-save > /etc/sysconfig/iptables should do the trick.

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
 
Quick one

Code:
service iptables save

This takes care of writing your config to /etc/sysconfig/iptables




QatQat



Life is what happens when you are making other plans.
 
The only problem with using "service iptables save" is that it overwrites my previous saves. How can I just append to my file? Should I just edit /etc/sysconfig/iptables by hand?
 
I would suggest that you write a small bash script that will bootstrap iptables. Any changes/amendments should be made to this file first for testing and later committed to iptables' own configuration file if all is well. This way, if you messed something up, just do a service iptables restart to revert back to your old settings quickly.

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
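The bootstrap script suggested above, written out as an added example (not code from the thread or from any poster): it turns a small list of sources (single host, CIDR block, or first-last range, the three forms used earlier in the thread) into the DROP rules, applies them, and saves them with service iptables save. It assumes a Red Hat style init with /etc/sysconfig/iptables, port 80 for phpMyAdmin, and a constructed sample list using documentation address ranges; with DRY_RUN=1 (the default) it only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the DROP rules discussed
# above from a list file, applies them, and persists them with
# "service iptables save" (Red Hat style init, /etc/sysconfig/iptables).
# DRY_RUN=1 only prints the commands so the list can be checked first.
DRY_RUN="${DRY_RUN:-1}"
PORT=80                                 # assumed web / phpMyAdmin port
IP='[0-9]{1,3}(\.[0-9]{1,3}){3}'        # coarse dotted-quad check

# Print the iptables command for one source spec; fail on anything else so a
# typo in the list never turns into an unintended rule.
rule_for() {
    if printf '%s\n' "$1" | grep -Eq "^$IP-$IP$"; then
        echo "iptables -A INPUT -p tcp --dport $PORT -m iprange --src-range $1 -j DROP"
    elif printf '%s\n' "$1" | grep -Eq "^$IP(/[0-9]{1,2})?$"; then
        echo "iptables -A INPUT -p tcp --dport $PORT -s $1 -j DROP"
    else
        echo "skipping invalid source spec: $1" >&2
        return 1
    fi
}

# Apply (or, in dry-run, print) one rule per non-comment line of the list,
# then save the whole live ruleset. The save overwrites the saved file, so
# the list kept with this script is the single source of truth.
apply_blocklist() {
    while read -r spec _; do
        case "$spec" in ''|\#*) continue ;; esac
        cmd=$(rule_for "$spec") || continue
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    done < "$1"
    [ "$DRY_RUN" = 1 ] || service iptables save
}

# Constructed sample list using documentation ranges (not real attackers).
write_sample_list() {
    cat > "$1" <<'EOF'
# single attacking host
192.0.2.10
# whole allocation as a CIDR block
203.0.113.0/24
# ISP range as first-last, as with -m iprange above
198.51.100.0-198.51.100.255
not.an.address
EOF
}

list=$(mktemp) && write_sample_list "$list" && apply_blocklist "$list"
rm -f "$list"
```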
 
How could I block an entire ISP, say 163data.com.cn (since they are #4 on the Spamcop list)?
 
do a dig 163data.com.cn and get its IP. 163data.com.cn didn't return any results for me but 163.com did - 220.181.29.154. Next, look up the first octet of the IP under the "Internet Protocol v4 Address Space". There you will see that 210/8 Jun 96 APNIC (whois.apnic.net) is under APNIC jurisdiction. Back to IANA's main page and follow the link to the APNIC site. Do a whois search on the full IP address you got from dig. APNIC tells me that the IP belongs to CHINANET-IDC-BJ and it controls IP addresses 220.181.0.0 to 220.181.255.255.

Now that you have all the information you need:
iptables -A INPUT -p tcp -m iprange --src-range 220.181.0.0-220.181.255.255 -j DROP
should do what you need.

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
 