Changes

From SME Server
Jump to navigationJump to search

Firewall (view source)

Revision as of 10:50, 11 October 2018

1,695 bytes added ,  10:50, 11 October 2018
→‎Block incoming IP address
Line 101: Line 101:  
==Custom templates==
 
==Custom templates==
 
===Block incoming IP address===
 
===Block incoming IP address===
 +
 
*I want to block All traffic from some ip-addresses to my server.
 
*I want to block All traffic from some ip-addresses to my server.
 +
 +
====Manual Method====
 +
 
Create a custom template and list the IP's
 
Create a custom template and list the IP's
 
  mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
 
  mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
Line 117: Line 121:  
To check the new block use the following command and look for the IP address you just DROP'ed. It should be listed in the "source" column.
 
To check the new block use the following command and look for the IP address you just DROP'ed. It should be listed in the "source" column.
 
   iptables -L INPUT -v -n
 
   iptables -L INPUT -v -n
 +
 +
====Automated method====
 +
 +
The above can be automated slightly.
 +
 +
First lets create a key where we can add IPs that we want to block:
 +
 +
config set ipblock configuration status enabled DenyHosts 208.100.26.0/24 logging disabled
 +
 +
As above, create the following template:
 +
 +
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
 +
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
 +
 +
Paste this code:
 +
 +
{
 +
    use esmith::ConfigDB;
 +
    my $db = esmith::ConfigDB->open_ro || die 'Could not open configuration database';
 +
    # Completely block any riff raff
 +
    if ( ( my $status = $db->get_prop( 'ipblock', 'status' ) ) eq 'enabled' ) {
 +
        my $DenyHosts = $db->get_prop( 'ipblock', 'DenyHosts' ) || '';
 +
        my $logging  = $db->get_prop( 'ipblock', 'logging' )  || 'disabled';
 +
        foreach my $host ( split( ',', $DenyHosts ) ) {
 +
            $OUT .= "\n";
 +
            $OUT .= "    # Simple IP block for riff raff\n\n";
 +
            if ( $logging eq 'enabled' ) {
 +
                $OUT .= "    /sbin/iptables -A INPUT -s $host -j denylog\n";
 +
            }
 +
            else {
 +
                $OUT .= "    /sbin/iptables -A INPUT -s $host -j DROP\n";
 +
            }
 +
            $OUT .= "\n";
 +
        }
 +
    }
 +
}
 +
 +
You can add multiple addresses separated by commas:
 +
 +
config setprop ipblock DenyHosts 208.100.26.0/24,1.2.3.4,5.6.0.0/16
 +
 +
You can disable this blocking with:
 +
 +
config setprop ipblock status disabled
 +
 +
If you want to log the dropped packets rather than just drop them:
 +
 +
config setprop ipblock logging enabled
 +
 +
Then expand and restart your firewall:
 +
 +
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
 +
/etc/init.d/masq restart
    
===Block outgoing IPs or mac addresses===
 
===Block outgoing IPs or mac addresses===
Retrieved from "https://wiki.koozali.org/Special:MobileDiff/35879"

Navigation menu