If you want to blacklist some IPs, you can put them into PAROLE.
I would create a "BLACKLIST" chain, DROP IPs there, and call that chain
near the top of the INPUT chain (after the ESTABLISHED and RELATED rule,
for performance reasons, especially if you want to blacklist many).


> -----Original Message-----
> From: Tore Nilsson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday 4 December 2002 15:19
> To: DEFFONTAINES Vincent
> Cc: [EMAIL PROTECTED]
> Subject: Re: IPTables configuration.
> 
> 
> Hi!
> 
> The machine is a standalone web server. I've been getting a bunch of
> portscans and some weird logs in my webserver logs. I'd like to block
> those ip's completely. However, I'm not quite sure where in this setup I'd
> put them. I was thinking they'd go into PAROLE.
> 
> Here's the output of "iptables -L -n -v":
> 
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8
> 74607   20M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>     1   208 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
>  331K   39M PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT 2 packets, 244 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 77803   17M PUB_OUT    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
> 
> Chain INT_IN (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> Chain INT_OUT (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> Chain PAROLE (4 references)
>  pkts bytes target     prot opt in     out     source               destination
>   443 22260 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> Chain PUB_IN (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 3
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 0
>     1    56 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 11
>   384 19428 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80
>     5   240 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:23 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>    51  2524 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>     0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:143 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>     3   140 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:110 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>     7   332 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:79 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>     6   360 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:111 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>     0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:512 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>     0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:513 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>     0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:98 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>     7   380 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>     0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:1980 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>     0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:31337 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
>   145 47167 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>  331K   39M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> Chain PUB_OUT (1 references)
>  pkts bytes target     prot opt in     out     source               destination
> 77803   17M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> ----- Original Message -----
> From: "DEFFONTAINES Vincent" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 04, 2002 2:45 PM
> Subject: RE: IPTables configuration.
> 
> 
> > To correctly audit your configuration, I need an output of
> > "/sbin/iptables -L -n -v"
> > The mere "/sbin/iptables -L [-n]" is not sufficient to me, cause it won't
> > reveal the per interface filters.
> >
> > Vincent
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Tore Nilsson [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday 4 December 2002 14:23
> > > To: [EMAIL PROTECTED]
> > > Subject: IPTables configuration.
> > >
> > >
> > > Hello!
> > >
> > > Can someone review my iptables configuration and give suggestions?
> > > Btw. if I'd want to block someone completely using this configuration
> > > should I put them in "Parole" by using this command:
> > >
> > > iptables -A PAROLE -s [ip-number] -j DROP
> > >
> > > //Tore Nilsson
> > >
> > > here's my configuration. btw, it was made with Bastille:
> > >
> > > Chain INPUT (policy DROP)
> > > target     prot opt source               destination
> > > DROP       tcp  --  anywhere             127.0.0.0/8
> > > ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> > > ACCEPT     all  --  anywhere             anywhere
> > > DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
> > > PUB_IN     all  --  anywhere             anywhere
> > > DROP       all  --  anywhere             anywhere
> > >
> > > Chain FORWARD (policy DROP)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> > > DROP       all  --  anywhere             anywhere
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > > PUB_OUT    all  --  anywhere             anywhere
> > >
> > > Chain INT_IN (0 references)
> > > target     prot opt source               destination
> > > ACCEPT     icmp --  anywhere             anywhere
> > > DROP       all  --  anywhere             anywhere
> > >
> > > Chain INT_OUT (0 references)
> > > target     prot opt source               destination
> > > ACCEPT     icmp --  anywhere             anywhere
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain PAROLE (4 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain PUB_IN (1 references)
> > > target     prot opt source               destination
> > > ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable
> > > ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
> > > ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
> > > PAROLE     tcp  --  anywhere             anywhere           tcp dpt:www
> > > LOG        tcp  --  anywhere             anywhere           tcp dpt:telnet state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > LOG        tcp  --  anywhere             anywhere           tcp dpt:ftp state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > LOG        tcp  --  anywhere             anywhere           tcp dpt:imap2 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > LOG        tcp  --  anywhere             anywhere           tcp dpt:pop3 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > LOG        tcp  --  anywhere             anywhere           tcp dpt:finger state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > LOG        tcp  --  anywhere             anywhere           tcp dpt:sunrpc state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > LOG        tcp  --  anywhere             anywhere           tcp dpt:exec state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > LOG        tcp  --  anywhere             anywhere           tcp dpt:login state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > LOG        tcp  --  anywhere             anywhere           tcp dpt:linuxconf state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > LOG        tcp  --  anywhere             anywhere           tcp dpt:ssh state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > LOG        tcp  --  anywhere             anywhere           tcp dpt:1980 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > LOG        udp  --  anywhere             anywhere           udp dpt:31337 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > > DROP       icmp --  anywhere             anywhere
> > > DROP       all  --  anywhere             anywhere
> > >
> > > Chain PUB_OUT (1 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > > with a subject of "unsubscribe". Trouble? Contact
> > > [EMAIL PROTECTED]
> > >
> >
> >
> 
> 


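The BLACKLIST chain suggested in the reply at the top, worked through as an added example (this script is not from the thread or from Bastille). It creates the chain from a block list, locates the RELATED,ESTABLISHED rule in the INPUT listing so the jump can be inserted directly below it, and falls back to the top of INPUT when no such rule exists; the IPT variable, the function names and the sample addresses are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: build a BLACKLIST chain that DROPs
# the listed sources and hook it into INPUT right after the RELATED,ESTABLISHED
# rule. IPT defaults to "echo iptables" so the script can be dry-run without
# root; set IPT=/sbin/iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"

# Print the rule number of the first RELATED,ESTABLISHED rule in an
# "iptables -L INPUT -n -v" listing read from stdin, or 0 if there is none.
# Rows may be wrapped onto two lines as in the mail; only a line that starts
# with the pkts/bytes counters opens a new rule.
established_rule_num() {
    awk '/^Chain / || /^ *pkts +bytes/ { next }
         /^ *[0-9]+[KMG]? +[0-9]+[KMG]? +[A-Z_]+ / { n++ }
         /RELATED,ESTABLISHED/ { print n; found = 1; exit }
         END { if (!found) print 0 }'
}

# Turn a block list read from stdin (one address or CIDR per line, "#"
# comments allowed) into a BLACKLIST chain of DROP rules.
load_blacklist() {
    $IPT -N BLACKLIST 2>/dev/null || $IPT -F BLACKLIST   # create, or flush
    sed 's/#.*//; /^[[:space:]]*$/d' | while read -r addr; do
        $IPT -A BLACKLIST -s "$addr" -j DROP
    done
    $IPT -A BLACKLIST -j RETURN   # unlisted sources carry on down INPUT
}

# Insert the jump at position N+1, i.e. directly below rule N. With N=0
# (no state rule found) it lands at the top of INPUT instead.
insert_jump() {
    $IPT -I INPUT "$(($1 + 1))" -j BLACKLIST
}

# Constructed sample: the INPUT chain from the thread, wrapped as in the mail.
SAMPLE_INPUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0
127.0.0.0/8
74607   20M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    1   208 ACCEPT     all  --  lo     *       0.0.0.0/0
0.0.0.0/0'

# Dry run; 192.0.2.0/24 and 198.51.100.7 are constructed documentation addresses.
printf '# scanners seen in the web logs\n192.0.2.0/24\n198.51.100.7\n' | load_blacklist
insert_jump "$(printf '%s\n' "$SAMPLE_INPUT" | established_rule_num)"
```

On the live box, feed `$IPT -L INPUT -n -v` to established_rule_num instead of the sample listing; with the thread's ruleset that yields 2, so the jump lands at position 3.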
