IPCOP - How to block IP addresses, ranges etc...
In Coyote, under the Advanced Firewall area, there was a way to block certain IP addresses from connecting to my network. I am not looking to block outgoing stuff, which Coyote allows as well. I am particularly looking to block Internet IP addresses (like problem clients that connect to a webpage or game server that I occasionally run). If I could block entire IP ranges, that would be nice as well. In searching through the posts here, it appears as though I may have to do something with an IPTABLE?? I think? I don't see anywhere in the IPCOP admin pages that allows you to do this, or I am just totally missing it. If someone could give me a starting place, I would greatly appreciate it. I do know how to connect to the IPCOP machine via Putty or WinSCP3 (at least I think I can remember), so if someone can give me a push from there if I have to do something via the IPTABLE route, that would be great.
Thanks
-M
In order to block TCP packets from the IP range 192.168.111.13 to 192.168.111.19, you will have to add a command of this form to the example config file:
[code:1]
$IPT -A CUSTOMINPUT -i $RED_DEV -p tcp -m iprange --src-range 192.168.111.13-192.168.111.19 -j DROP
[/code:1]
Note that the above code uses some variables which have been predefined in the example config file in the linked post.
I tried what you suggested but I can't seem to get it to do anything.
Here is a copy of the file I uploaded. Mod is 0755 same as original.
[code:1]
#!/bin/sh
#variables defined therein
. /var/ipcop/ethernet/settings
# Flush Custom Input Rules
/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -F CUSTOMFORWARD
# shorthand helper (the variable name goes on the left of "=" without a "$";
# "$IPT=..." would expand an empty variable and fail with "command not found")
IPT="/sbin/iptables"
# echo-reply
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 0 -j DROP
# echo-request
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 8 -j DROP
# Now accept the three(3) good ones
# destination-unreachable
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 3 -j ACCEPT
# redirect
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 5 -j ACCEPT
# time exceeded
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 11 -j ACCEPT
# Drop all other ICMP type data
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp -j DROP
# drop any tcp/udp packets to ports 135 - 137
$IPT -A CUSTOMINPUT -i $RED_DEV -p tcp --dport 135:137 -j DROP
$IPT -A CUSTOMINPUT -i $RED_DEV -p udp --dport 135:137 -j DROP
#restrict outgoing access
#allow full access for specific IPs
#PC1 - 192.168.111.1
#$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.1 -o $RED_DEV -j ACCEPT
#PC2 - 192.168.111.2
#$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.2 -o $RED_DEV -j ACCEPT
#allow limited access for specific IPs - in this case 192.168.111.3 tcp ports 20,21
#$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.3 -o $RED_DEV -p tcp --dport 21 -j ACCEPT
#$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.3 -o $RED_DEV -p tcp --dport 20 -j ACCEPT
#bar access for Internal IPs
$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.20 -o $RED_DEV -j DROP
#bar access from Internet IP Range
$IPT -A CUSTOMINPUT -i $RED_DEV -p tcp -m iprange --src-range 12.111.51.193-12.111.51.206 -j DROP
[/code:1]
I then opened putty and executed the file with:
[code:1]
root@ipcop:~ # . /etc/rc.d/rc.local
[/code:1]
It seemed to work okay as far as executing, but then when I try to go to the Internet from the machine at the 192.168.0.20 IP I could access webpages and surf at will.
I tried to then connect to my home IP network from one of the 12.111.51.193-206 IPs and I was able to connect fine as well. Do I have to restart the IPCOP every time I make a change or can I just rerun the rc.local file? What am I doing wrong?
Where can I find a good "how to" for IPCop iptable editing?
-M
[code:1]
$IPT -A CUSTOMINPUT -i $RED_DEV -p tcp -m iprange --src-range 12.111.51.193-12.111.51.206 -j DROP
[/code:1]
The blocking command should be:
[code:1]
$IPT -A CUSTOMFORWARD -i $RED_DEV -p tcp -m iprange --src-range 12.111.51.193-12.111.51.206 -j DROP
[/code:1]
You will notice I replaced CUSTOMINPUT with CUSTOMFORWARD. The CUSTOMINPUT chain (which is added to the INPUT chain) deals with connections that are intended to terminate at the IPCOP i.e. SSH, Web admin. The CUSTOMFORWARD chain (which is added to the FORWARD chain) on the other hand deals with connections that are to be forwarded to other hosts, as in the case of port forwards to hosts behind your IPCOP.
As for this:
... when I try to go to the Internet from the machine at the 192.168.0.20 IP I could access webpages and surf at will.
If the Squid Proxy is enabled, web access will still be possible. You will need to make sure that the proxy is either turned off or you can set the appropriate access rules in /var/ipcop/proxy/acl. I can provide help with this if required.
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
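Putting the chain distinction above into a complete rc.local-style script, as an added example that is not code from this thread or from IPCop: for every hostile source it emits a DROP rule into both CUSTOMINPUT (connections aimed at the IPCop box itself) and CUSTOMFORWARD (connections port-forwarded to the web or game server behind it), so the range is stopped whichever path the packet takes. It goes beyond the thread's `-p tcp` rule by dropping all protocols, and accepts either an a-b range (iprange match) or a CIDR (`-s`). The names `gen_block_rules`, `rule_for`, `count_chain` and the `eth1` placeholder for `$RED_DEV` are assumptions of this example; on an IPCop box `RED_DEV` comes from the sourced settings file exactly as in the script posted above.

```sh
#!/bin/sh
# Added example (not from the thread or IPCop). Blocks hostile Internet sources on
# BOTH paths a packet can take through IPCop:
#   CUSTOMINPUT   -> traffic terminating on the IPCop box (SSH, web admin)
#   CUSTOMFORWARD -> traffic port-forwarded to hosts behind IPCop (web/game server)
# Assumptions: RED_DEV is normally sourced from /var/ipcop/ethernet/settings; the
# "eth1" below is only a placeholder. Set IPT=echo to preview instead of applying.

IPT="${IPT:-/sbin/iptables}"
RED_DEV="${RED_DEV:-eth1}"    # placeholder; real value comes from the settings file

# Print one DROP rule for chain $1 and source $2.
# An a-b range uses the iprange match; anything else is passed to -s (host or CIDR).
rule_for() {
    chain="$1"; src="$2"
    case "$src" in
        *-*) echo "$IPT -A $chain -i $RED_DEV -m iprange --src-range $src -j DROP" ;;
        *)   echo "$IPT -A $chain -i $RED_DEV -s $src -j DROP" ;;
    esac
}

# Emit the complete rule set: flush both custom chains, then one rule per chain
# for every source given as an argument.
gen_block_rules() {
    echo "$IPT -F CUSTOMINPUT"
    echo "$IPT -F CUSTOMFORWARD"
    for src in "$@"; do
        for chain in CUSTOMINPUT CUSTOMFORWARD; do
            rule_for "$chain" "$src"
        done
    done
}

# Count how many generated rules land in chain $1 (sanity check before applying).
count_chain() {
    chain="$1"; shift
    gen_block_rules "$@" | grep -c -- "-A $chain"
}

# When run as a script, apply the generated commands. Preview first with:
#   IPT=echo sh block.sh 12.111.51.193-12.111.51.206 10.0.0.0/8
if [ "$#" -gt 0 ]; then
    gen_block_rules "$@" | sh
fi
```

Because the script flushes CUSTOMINPUT and CUSTOMFORWARD before adding rules, re-running it after an edit is enough; no IPCop restart is needed. It does not change the Squid caveat mentioned above: a GREEN host going out through the proxy is talking to Squid on the IPCop box, so a CUSTOMFORWARD rule never sees that traffic.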
time patch
This patch by Fabrice MARIE <fabrice@netfilter.org> adds a new match that allows you to match a packet based on its arrival or departure (for locally generated packets) timestamp.
For example, to accept packets that have an arrival time from 8:00H to 18:00H from Monday to Friday you can do as follows:
[code:1]
# iptables -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere TIME from 8:0 to 18:0 on Mon,Tue,Wed,Thu,Fri
[/code:1]
Supported options for the time match are:
[code:1]
--timestart value  -> minimum HH:MM
--timestop value   -> maximum HH:MM
--days listofdays  -> a list of days to apply, from (case sensitive): Mon, Tue, Wed, Thu, Fri, Sat, Sun
[/code:1]
It is an extra patch available with the patch-o-matic (never tried it). It could also be possible to use some script-wrapper to add/remove rules based on time instead, but the builtin patch should be more efficient.
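Because the day names are case sensitive and the times must be HH:MM, a wrapper that validates the options before building the rule avoids a rule that silently matches nothing. The script below is an added example, not code from the post or from patch-o-matic; `valid_hhmm`, `valid_days`, `time_spec`, `time_rule_add` and `window_rule` are names assumed here, and `/etc/window.sh` in the cron comment is a hypothetical path. It also shows the script-wrapper alternative mentioned in the post, where cron inserts and deletes an ordinary rule at the window edges. With `IPT=echo` it prints the rule instead of installing it.

```sh
#!/bin/sh
# Added example (not from the post or patch-o-matic): validate time-match options,
# build the rule, and offer a cron-driven fallback when the time patch is absent.
# Assumption: IPT defaults to /sbin/iptables; set IPT=echo to preview.

IPT="${IPT:-/sbin/iptables}"

# Return 0 if $1 is HH:MM with 0-23 hours and 0-59 minutes (single-digit hour allowed).
valid_hhmm() {
    case "$1" in
        [0-9]:[0-5][0-9]|[01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if every comma-separated name in $1 is one of Mon..Sun in exactly that case.
valid_days() {
    [ -n "$1" ] || return 1
    for d in $(printf '%s' "$1" | tr ',' ' '); do
        case "$d" in
            Mon|Tue|Wed|Thu|Fri|Sat|Sun) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the match-and-target part of the rule:  time_spec START STOP DAYS TARGET
# Fails (returns 1) without printing anything if any option is malformed.
time_spec() {
    valid_hhmm "$1" && valid_hhmm "$2" && valid_days "$3" && [ -n "$4" ] || return 1
    printf '%s\n' "-m time --timestart $1 --timestop $2 --days $3 -j $4"
}

# Append the validated rule to chain $1 (remaining args as for time_spec).
time_rule_add() {
    chain="$1"; shift
    spec=$(time_spec "$@") || return 1
    $IPT -A "$chain" $spec
}

# Fallback without the patch (the script-wrapper idea): cron calls this at the window
# edges with the same rule text, -I to open and -D to close, e.g. (hypothetical path)
#   0 8  * * 1-5  sh /etc/window.sh -I INPUT "-p tcp --dport 22 -j ACCEPT"
#   0 18 * * 1-5  sh /etc/window.sh -D INPUT "-p tcp --dport 22 -j ACCEPT"
# -D with an identical specification deletes exactly the rule that -I inserted.
window_rule() {
    action="$1"; chain="$2"; shift 2
    $IPT "$action" "$chain" $*
}

# When run directly as a script, pass the arguments through to window_rule.
if [ "$#" -ge 3 ]; then
    window_rule "$@"
fi
```

The cron fallback costs two rule changes a day rather than a per-packet check, which is the trade-off the post alludes to; the time match keeps the policy visible in a single `iptables --list` line, whereas the wrapper leaves nothing in the ruleset outside the window.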