Changes

From SME Server
2,242 bytes added ,  11:50, 11 October 2018
Line 51: Line 51:  
  signal-event remoteaccess-update
 
  signal-event remoteaccess-update
   −
 
+
{| border="1" width="100%" cellspacing="0" cellpadding="5"
{| width="100%" border="1" cellpadding="5" cellspacing="0"
   
|+Affected file: /etc/rc.d/init.d/masq
 
|+Affected file: /etc/rc.d/init.d/masq
 
!Variable
 
!Variable
 
!Target
 
!Target
 
!Default
 
!Default
 +
!Expected values
 
|-
 
|-
 
|TCPPort
 
|TCPPort
 
| --proto tcp --dport <Ports>
 
| --proto tcp --dport <Ports>
 
|Pre-configured for default services; no default for custom services
 
|Pre-configured for default services; no default for custom services
 +
|empty or a numerical or coma separated numbers 
 
|-
 
|-
 
|TCPPorts
 
|TCPPorts
 
| --proto tcp --dports <Ports>
 
| --proto tcp --dports <Ports>
 
|No default for custom services; Ranges of ports are defined with a : not a -
 
|No default for custom services; Ranges of ports are defined with a : not a -
 +
|empty or a numerical or coma separated numbers 
 
|-
 
|-
 
|UDPPort
 
|UDPPort
 
| --proto udp --dport <Ports>
 
| --proto udp --dport <Ports>
 
|Pre-configured for default services; no default for custom services
 
|Pre-configured for default services; no default for custom services
 +
|empty or a numerical or coma separated numbers 
 
|-
 
|-
 
|UDPPorts
 
|UDPPorts
 
| --proto udp --dports <Ports>
 
| --proto udp --dports <Ports>
 
|No default for custom services; Ranges of ports are defined with a : not a -
 
|No default for custom services; Ranges of ports are defined with a : not a -
 +
|empty or a numerical or coma separated numbers 
 
|-
 
|-
 
|status
 
|status
|enabled | disabled
+
| enabled | disabled
 
|AllowHosts is set to "" (an empty string) unless the status is 'enabled'
 
|AllowHosts is set to "" (an empty string) unless the status is 'enabled'
 +
|'enabled' or 'disabled'
 
|-
 
|-
 
|access
 
|access
|public | private
+
| public | private
 
|AllowHosts is set to "" (an empty string) unless access is 'public'
 
|AllowHosts is set to "" (an empty string) unless access is 'public'
 +
|'private' for localhost and local network only (Server and gateway mode), 'public' for everywhere, 'localhost' for localhost only
 
|-
 
|-
 
|AllowHosts
 
|AllowHosts
 
| --src ..... --jump ACCEPT
 
| --src ..... --jump ACCEPT
 
|Pre-configured for default services; no default for custom services.  Default is '0.0.0.0/0' if service is ''enabled'' and ''public''.
 
|Pre-configured for default services; no default for custom services.  Default is '0.0.0.0/0' if service is ''enabled'' and ''public''.
 +
|IP and netmask  with this format 0.0.0.0/0, or coma separated list of these elements
 
|-
 
|-
 
|DenyHosts
 
|DenyHosts
 
| --src ..... --jump denylog
 
| --src ..... --jump denylog
 
|Pre-configured for default services; no default for custom services.  If 'DenyHosts' is empty or does not exist then there are no '... --jump denylog' entries created in /etc/init.d/masq.
 
|Pre-configured for default services; no default for custom services.  If 'DenyHosts' is empty or does not exist then there are no '... --jump denylog' entries created in /etc/init.d/masq.
 +
|IP and netmask  with this format 0.0.0.0/0, or coma separated list of these elements
 
|}
 
|}
    
==Custom templates==
 
==Custom templates==
 
===Block incoming IP address===
 
===Block incoming IP address===
 +
 
*I want to block All traffic from some ip-addresses to my server.
 
*I want to block All traffic from some ip-addresses to my server.
 +
 +
====Manual Method====
 +
 
Create a custom template and list the IP's
 
Create a custom template and list the IP's
 
  mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
 
  mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
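Review bot: the new Expected values cells for the TCPPorts and UDPPorts rows (`|empty or a numerical or coma separated numbers`) do not mention the port-range form, even though the Default cell on the same row says ranges are written with a `:` not a `-`; say so there as well, e.g. "empty, a port number, a comma separated list of port numbers, or a range such as 80:88". "coma" should be "comma" in all six new cells. The access row's new cell lists 'localhost' as a third value while the Target cell on that row still shows only `public | private`; either add localhost to the Target cell or note that it is handled separately. Also, the edited `| enabled | disabled` and `| public | private` cells contain a bare `|`, which wikitext treats as the attribute/content separator, so these cells are likely to render as just "disabled" and "private"; write `<nowiki>|</nowiki>` or "enabled or disabled" instead.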
Line 109: Line 121:  
To check the new block use the following command and look for the IP address you just DROP'ed. It should be listed in the "source" column.
 
To check the new block use the following command and look for the IP address you just DROP'ed. It should be listed in the "source" column.
 
   iptables -L INPUT -v -n
 
   iptables -L INPUT -v -n
 +
 +
====Automated method====
 +
 +
The above can be automated slightly.
 +
 +
First lets create a key where we can add IPs that we want to block:
 +
 +
config set ipblock configuration status enabled DenyHosts 208.100.26.0/24 logging disabled
 +
 +
As above, create the following template:
 +
 +
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
 +
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
 +
 +
Paste this code:
 +
 +
{
 +
    use esmith::ConfigDB;
 +
    my $db = esmith::ConfigDB->open_ro || die 'Could not open configuration database';
 +
    # Completely block any riff raff
 +
    if ( ( my $status = $db->get_prop( 'ipblock', 'status' ) ) eq 'enabled' ) {
 +
        my $DenyHosts = $db->get_prop( 'ipblock', 'DenyHosts' ) || '';
 +
        my $logging  = $db->get_prop( 'ipblock', 'logging' )  || 'disabled';
 +
        foreach my $host ( split( ',', $DenyHosts ) ) {
 +
            $OUT .= "\n";
 +
            $OUT .= "    # Simple IP block for riff raff\n\n";
 +
            if ( $logging eq 'enabled' ) {
 +
                $OUT .= "    /sbin/iptables -A INPUT -s $host -j denylog\n";
 +
            }
 +
            else {
 +
                $OUT .= "    /sbin/iptables -A INPUT -s $host -j DROP\n";
 +
            }
 +
            $OUT .= "\n";
 +
        }
 +
    }
 +
}
 +
 +
You can add multiple addresses separated by commas:
 +
 +
config setprop ipblock DenyHosts 208.100.26.0/24,1.2.3.4,5.6.0.0/16
 +
 +
You can disable this blocking with:
 +
 +
config setprop ipblock status disabled
 +
 +
If you want to log the dropped packets rather than just drop them:
 +
 +
config setprop ipblock logging enabled
 +
 +
Then expand and restart your firewall:
 +
 +
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
 +
/etc/init.d/masq restart
    
===Block outgoing IPs or mac addresses===
 
===Block outgoing IPs or mac addresses===
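Review bot: the template appends with `-A INPUT`, so the DROP or denylog rules only take effect if fragment `40DenyRiffRaff` is expanded ahead of the fragments that ACCEPT the allowed services and established connections; after the expand and restart, run the `iptables -L INPUT -v -n` check shown above and confirm the blocked source appears before the ACCEPT lines, or use `-I INPUT` if it does not. The fragment also interpolates each DenyHosts entry straight into the shell command line with no validation, so a typo in `config setprop ipblock DenyHosts ...` (a stray space, a hostname, a `-` range) produces an invalid iptables line that can break /etc/rc.d/init.d/masq at restart; trim each `$host` and skip, with a warning, anything that does not match an IPv4 address or CIDR before emitting it. Minor: the "# Simple IP block for riff raff" comment is emitted once per host inside the loop and could move above the `foreach`, and `my $status` is assigned but never used after the comparison.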
Line 243: Line 308:  
[[Category:Howto]]
 
[[Category:Howto]]
 
[[Category:Administration]]
 
[[Category:Administration]]
[[Category:Security]]</noinclude>
+
[[Category:Security]]
 +
</noinclude>
