OpenSUSE Linux Tips, tricks, how-tos, opinions, and news
Once in a while, it's nice to block hostile machines at the kernel level. Specifically, this is done with iptables or ipchains; iptables, if you are living in this millennium.
If a specific host is known to be hostile, run the 'whois' command on its IP address. This will give you the IP range of the organization that was assigned the block to which the offending IP belongs. If that range is outside your country and you only serve clients inside your country, it doesn't hurt to block the whole range. So, we're going to block a hostile range from China. As root, run the following command:
iptables -I INPUT -s 125.71.214.0/24 -j DROP
Why not REJECT instead of DROP? This rule simply drops the packets, which is more annoying to the other end because they never get a response. If you explicitly REJECT the packets, they get an error message to that effect instantaneously. You want them to have to wait: every probe has to time out, which slows them down, and that is bad for them.
To list the rules in the INPUT chain:
iptables --line-numbers -L INPUT
To delete a rule from the INPUT chain:
iptables -D INPUT [line number]
For example, iptables -D INPUT 1 would delete the first rule in the INPUT chain.
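The whole procedure above, as one script: check the range that whois handed you, see which addresses it actually covers, insert the DROP rule, and remove it again later. This is an added example, not code from the original post; the function names, the IPTABLES_DRY_RUN variable and the use of iptables -C (rule check, present since iptables 1.4.11) are my own choices and assumptions, not anything the post specifies.

```bash
#!/bin/bash
# Added example, not code from the original post.  It validates an IPv4 CIDR
# block, works out the address range it covers (the job the linked subnet
# calculator does), and inserts or removes the DROP rule for it safely.
# Assumes an iptables with the "-C" (check) option, available since 1.4.11.

# Dotted quad -> 32-bit integer.
ip2int() {
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range a.b.c.d/len
# Prints "network/len first_host last_host address_count", or returns 1 if
# the argument is not a valid IPv4 CIDR.  The network part is normalised, so
# 125.71.214.37/24 comes back as 125.71.214.0/24.
cidr_range() {
    local cidr="$1" ip len a b c d o n mask net bcast count first last
    ip=${cidr%/*}
    len=${cidr#*/}
    [ "$ip" != "$cidr" ] || return 1                 # no "/len" given
    case $len in ''|*[!0-9]*) return 1 ;; esac       # prefix length not numeric
    [ "$len" -le 32 ] || return 1
    IFS=. read -r a b c d <<EOF
$ip
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac     # missing, extra or non-numeric octet
        [ "$o" -le 255 ] || return 1
    done
    n=$(ip2int "$ip")
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    fi
    net=$(( n & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    count=$(( 1 << (32 - len) ))
    if [ "$len" -ge 31 ]; then
        first=$net; last=$bcast                      # /31 and /32: every address is usable
    else
        first=$(( net + 1 )); last=$(( bcast - 1 ))  # skip network and broadcast addresses
    fi
    echo "$(int2ip "$net")/$len $(int2ip "$first") $(int2ip "$last") $count"
}

# manage_block add|del a.b.c.d/len
# Builds the rule for the normalised network and either prints it
# (IPTABLES_DRY_RUN=1, which also lets the example run without root) or
# applies it.  "-C" makes the insert idempotent, so re-running a script of
# blocks does not pile up duplicate rules.  Deleting by specification instead
# of by line number avoids the trap that line numbers shift after each delete.
manage_block() {
    local action="$1" range net
    case $action in add|del) ;; *) echo "usage: manage_block add|del a.b.c.d/len" >&2; return 2 ;; esac
    range=$(cidr_range "$2") || { echo "invalid CIDR: $2" >&2; return 2; }
    net=${range%% *}
    echo "# $net: hosts ${range#* }" >&2          # first host, last host, count
    if [ "${IPTABLES_DRY_RUN:-0}" = 1 ]; then
        case $action in
            add) echo "iptables -I INPUT -s $net -j DROP" ;;
            del) echo "iptables -D INPUT -s $net -j DROP" ;;
        esac
        return 0
    fi
    case $action in
        add) iptables -C INPUT -s "$net" -j DROP 2>/dev/null || iptables -I INPUT -s "$net" -j DROP ;;
        del) iptables -D INPUT -s "$net" -j DROP ;;
    esac
}

block_range()   { manage_block add "$1"; }
unblock_range() { manage_block del "$1"; }

# Stand-alone usage:  IPTABLES_DRY_RUN=1 ./block-range.sh 125.71.214.37/24
if [ $# -gt 0 ]; then
    block_range "$1"
fi
```

Run it with IPTABLES_DRY_RUN=1 first to review the exact rule it would add, then as root without the variable. Note that rules added with iptables -I live only in the running kernel; they are gone after a reboot unless you save them with your distribution's iptables persistence mechanism.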
Cool subnet calculator at: http://www.subnet-calculator.com/
Helpful comments with more useful or better commands welcome.
July 14th, 2009 at 8:28 pm
Hi Scott,
ipcalc and sipcalc are command line subnet calculators available in the OBS.
July 14th, 2009 at 10:01 pm
henare,
Hey, thanks. Great point. Thanks for stopping by!
July 15th, 2009 at 4:06 pm
[…] wrote about iptables and how to block hostile machines at the kernel level. He then mentioned a cool little tool called Online IP Subnet Calculator. It would have been […]
August 9th, 2009 at 12:06 am
Don't know whether this is the right place to ask a question,
but while enhancing the security of my temporary folder as described in the post at http://www.sysadmin.md/secure-temporary-folders-on-existing-unix-or-linux-systems.html my redirection fails. This command always fails:
echo "/mnt/tmp /tmp ext3 loop,noexec,nosuid,rw 0 0" >> /etc/fstab
Can anybody please tell me why?
August 9th, 2009 at 12:07 am
My other question is: how can I make the string work for a big file? While enhancing the security of my temporary folder as described in the post at http://www.sysadmin.md/secure-temporary-folders-on-existing-unix-or-linux-systems.html my redirection fails. This command always fails:
echo "/mnt/tmp /tmp ext3 loop,noexec,nosuid,rw 0 0" >> /etc/fstab
Can anybody please tell me why?