[Firehol-support] use firehol to drop packets to/from a single host

Costa Tsaousis costa at tsaousis.gr
Wed Jul 30 20:49:45 BST 2003


I have made a few syntax errors:

interface any NAME src ...

I forgot to give a NAME to the first two examples.

Sorry...

-- 
Costa Tsaousis


> Hi Mike,
>
> There are several ways to do this.
>
> To disable all incoming and outgoing traffic from/to a list of hosts, I
> suggest this:
>
> --- snip ---
>
> blacklist="192.168.1.1 another.host a.3rd.host"
> interface any src "${blacklist}"
>
> --- snip ---
>
> Place this before your first interface definition.
> This is enough (no server/client statements required), although your logs will log
> all attempts.
>
> If you want control on which services to reject globally (and get rid of
> the logs), use this:
>
> --- snip ---
>
> blacklist="192.168.1.1 another.host a.3rd.host"
> interface any src "${blacklist}"
>    policy return
>    # this means that whatever is not dropped explicitly below
>    # will continue to other interfaces below.
>
>    server ping drop
>    server http drop
>
>    # notice that here we DROP
>    # interfaces below may ACCEPT traffic normally.
>
> --- snip ---
>
> Both the above will block BOTH incoming and outgoing traffic (he will not
> be able to ping you, you will not be able to ping him).
> To block routed traffic you have to have a similar router statement.
>
>
> A different approach is to go to the interface/router that matches the bad
> host and place a "server any ... drop" at the top within this
> interface/router. Example:
>
> --- snip ---
>
> lan_blacklist="192.168.1.1 192.168.1.2"
>
> interface eth0 mylan src "192.168.1.0/24"
>    policy reject # or any other, including accept
>
>    # this is your black list
>    server any badguy drop src "${lan_blacklist}"
>
>    server http accept
>    etc...
>
> --- snip ---
>
> with this, he will not be able to ping you, but you will be able to ping
> him ;-) For the blacklisted hosts you will not exist, but you can use
> normally all the services they offer. You can do the same on routers.
>
> --
> Costa Tsaousis
>
>
>> I use firehol for its basic ruleset. Is there a trick to simply deny
>> traffic to/from a single host?
>>
>> I tried the following line at the end of my firehol script:
>>
>> iptables -A OUTPUT -d 192.168.1.1 -j DROP
>>
>> ...but I can still ping 192.168.1.1 from the box.
>>
>> Thanks,
>> Mike
>>
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
>
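The two `interface any` examples quoted above are missing the NAME that the correction at the top of this message points out. The following is an added example, not a config posted in the thread, showing the second (service-selective) variant with a name supplied; the host list, the `blacklist` and `mylan` names and the trailing eth0 interface are constructed for illustration. The first, log-everything variant is the same `interface any blacklist src "${blacklist}"` line with no body under it.

```firehol
# Added example (not from the thread): FireHOL config with the NAME filled in.
# Host list is constructed; replace with the hosts you actually want to block.
blacklist="192.168.1.1 another.host a.3rd.host"

# Syntax is: interface <real-interface> <name> [rule parameters]
# "any" matches every interface, "blacklist" is the (assumed) name.
# Placed before the first real interface so it is evaluated first.
interface any blacklist src "${blacklist}"
    policy return
    # packets from/to the listed hosts that are not dropped explicitly
    # here fall through to the interfaces defined below

    server ping drop
    server http drop
    # everything else from these hosts continues to "mylan" below

# Normal interface definition for the LAN (constructed for the example).
interface eth0 mylan src "192.168.1.0/24"
    policy reject

    server http accept
    client all accept
```

Note the limitation the original reply states: `interface` blocks only cover traffic to and from the firewall host itself. Packets the box forwards between networks are matched by `router` blocks, so a host must be dropped there as well if the firewall routes for it.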