[Firehol-support] use firehol to drop packets to/from a single host
Costa Tsaousis
costa at tsaousis.gr
Wed Jul 30 20:44:14 BST 2003
Hi Mike,
There are several ways to do this.
To disable all incoming and outgoing traffic from/to a list of hosts, I
suggest this:
--- snip ---
blacklist="192.168.1.1 another.host a.3rd.host"
interface any src "${blacklist}"
--- snip ---
Place this before your first interface definition.
This is enough (not server/clients required), although your logs will log
all attempts.
If you want control on which services to reject globally (and get rid of
the logs), use this:
--- snip ---
blacklist="192.168.1.1 another.host a.3rd.host"
interface any src "${blacklist}"
policy return
# the means that whatever not dropped explicitly bellow
# will continue to other interfaces bellow.
server ping drop
server http drop
# notice that here we DROP
# interfaces bellow may ACCEPT traffic normally.
--- snip ---
Both the above will block BOTH incomming and outgoing traffic (he will not
be able to ping you, you will not be able to ping him)
To block routed traffic you have to have a similar router statement.
A different approach is to go to the interface/router that matches the bad
host and place a "server any ... drop" at the top within this
interface/router. Example:
--- snip ---
lan_blacklist="192.168.1.1 192.168.1.2"
interface eth0 mylan src "192.168.1.0/24"
policy reject # or any other, including accept
# this is your black list
server any badguy drop src "${lan_blacklist}"
server http accept
etc...
--- snip ---
with this, he will not be able to ping you, but you will be able to ping
him ;-) For the blacklisted hosts you will not exist, but you can use
normally all the services they offer. You can do the same on routers.
--
Costa Tsaousis
> I use firehol for it's basic ruleset. Is there a trick to simply deny
> traffic to/from a single host?
>
> I tried the following line at the end of my firehol script:
>
> iptables -A OUTPUT -d 192.168.1.1 -j DROP
>
>
>
> ...but I can still ping 192.168.1.1 from the box.
>
> Thanks,
> Mike
>
More information about the Firehol-support
mailing list