So I was trying to block a specific ip address from accessing my server and initially wanted to know if there was a way to do this in YAST with the firewall settings. In the meantime I issued the terminal command (as root) to block one of my internal home machines as a test:
iptables -I INPUT -s 192.168.1.114 -j DROP
Come to find out, the machine with the above IP address can STILL access my server??? Is there something else I need do for this to work?
Having the contents of the following will also likely be useful, again,
in SUSE Paste (after implementing your rule):
sudo /usr/sbin/iptables -L
As a note using the following rule worked perfectly on my system when
using a valid IP for my network:
sudo /usr/sbin/iptables -I INPUT -s 192.168.1.114 -j DROP
I tested this by running tcpdump in another window after telling the
blocked machine to ping me constantly. tcpdump picks up packets before
the firewall filters them out from the INPUT table, but you can tell it
is working because the machine doing the blocking no longer responds to
the ICMP packets (pings) so instead of two packets per second (one
coming in and a response going out) you just get the one coming in and
nothing at all until the next one comes in.
Good luck.
1 - 11.4
2 - 32 bit
3 - kde
4 - not sure, linux novice
5 - SUSE Paste
6 - simply an experiment running on a typical home network (192.168.1.x with 4 win7 workstations and this server)
7 - nothing important on the server, no personal info, just a server running a game for my kids. I use the server to learn linux on
8 - no problem, I’ll need instruction on how this is done.
So I’m blocking one of my machines internally, 192.168.1.114, but after issuing the command I can still interact with the server, verified in the game’s log window with the correct IP address x.x.x.114. Not sure why. I initially tried adding the address to hosts.deny but that didn’t work either.
Thanks in advance
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
3 ACCEPT icmp -- anywhere anywhere ctstate RELATED
4 input_ext all -- anywhere anywhere
5 input_ext all -- anywhere anywhere
6 input_ext all -- anywhere anywhere
7 LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
8 DROP all -- anywhere anywhere
9 DROP all -- deleted by catfish but just another ip address here
10 DROP all -- 192.168.1.114 anywhere
I’m testing by checking if the machine at 192.168.1.114 can log into the game being hosted on the server.
OK, thanks everyone. I figured out why the iptables command wasn’t working. It appears that using the -A option isn’t the best choice as the rule gets Appended to the end of the INPUT table and therefore never gets serviced since prior rules take precedence. I changed the command to iptables -I INPUT 1 -s 192.168.1.114 -j DROP which Inserts the rule first and therefore gets precedence and indeed did the trick. Very cool.
So as a follow-up, can I insert this in one of the firewall configs so the rule is persistent through firewall stop/starts?
I wanted to block a specific IP address from accessing a game server. This person was blocked by game permissions but they were continually trying, so I was annoyed and wanted to prevent any “view” of my server. Now any attempts are dropped without any acknowledgement.
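The listing above shows why the appended rule never fired: iptables evaluates a chain top to bottom and the first matching terminating rule wins, so a DROP sitting at position 10 behind catch-all ACCEPTs and the input_ext jumps is never reached for a new connection. The script below is an added example, not code from the thread or from SuSEfirewall2. It parses an `iptables -L INPUT --line-numbers` listing (the thread's own output, re-typed as a constructed sample with a made-up 10.0.0.99 in place of the redacted rule 9, plus a small constructed `-n -v` style listing), finds the DROP rule for a given address and reports every earlier rule that can claim the packet first; it then models what `-I INPUT 1` does to that ordering. The assumptions are the two constructed listings and the rule that LOG, DROP and REJECT never accept a packet ahead of your DROP.

```python
"""Rule-order check for an iptables INPUT chain (added example, not the
thread's or SuSEfirewall2's code). Shows why an appended DROP (-A) is
shadowed by earlier rules while `-I INPUT 1` is not. Real listings can be
piped in:  iptables -L INPUT -n -v --line-numbers | python3 iptables_order.py IP
"""
import ipaddress
import sys

# Constructed sample: the thread's listing, re-typed; rule 9's redacted
# address replaced by a made-up one.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
3 ACCEPT icmp -- anywhere anywhere ctstate RELATED
4 input_ext all -- anywhere anywhere
5 input_ext all -- anywhere anywhere
6 input_ext all -- anywhere anywhere
7 LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
8 DROP all -- anywhere anywhere
9 DROP all -- 10.0.0.99 anywhere
10 DROP all -- 192.168.1.114 anywhere
"""

# Constructed `-n -v` style sample: the extra "in" column reveals that a
# rule that looks like a catch-all ACCEPT in plain -L output is bound to lo.
VERBOSE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 12 840 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 9876 1.2M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
3 0 0 DROP all -- * * 192.168.1.114 0.0.0.0/0
"""

# Targets that can never ACCEPT a packet before our DROP is reached.
CANNOT_ACCEPT = {"LOG", "DROP", "REJECT"}
ANY = ("anywhere", "0.0.0.0/0")


def parse_listing(text):
    """Turn -L / -L -v output into rule dicts, using the 'num ...' header."""
    rules, cols = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "num":            # column header line
            cols = {name: i for i, name in enumerate(parts)}
            continue
        if cols is None or not parts or not parts[0].isdigit():
            continue                               # "Chain INPUT ..." etc.
        rules.append({"num": int(parts[cols["num"]]),
                      "target": parts[cols["target"]],
                      "prot": parts[cols["prot"]],
                      "in": parts[cols["in"]] if "in" in cols else "*",
                      "source": parts[cols["source"]],
                      "extra": parts[len(cols):]})  # ctstate, limit, prefix...
    return rules


def source_covers(rule_src, ip):
    """True if the rule's source column can match ip (conservative on names)."""
    if rule_src in ANY:
        return True
    if rule_src.startswith("!"):                   # negated match
        return not source_covers(rule_src[1:], ip)
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_src, strict=False)
    except ValueError:
        return True   # unresolved hostname (listing without -n): assume it may match


def rules_ahead(rules, ip):
    """(number of ip's own DROP rule, earlier rules a packet from ip hits first)."""
    drop = next((r for r in rules if r["target"] == "DROP"
                 and r["source"] not in ANY and source_covers(r["source"], ip)), None)
    if drop is None:
        return None, []
    ahead = [r for r in rules if r["num"] < drop["num"]
             and r["in"] != "lo"                   # loopback never sees LAN packets
             and source_covers(r["source"], ip)]
    return drop["num"], ahead


def accepting_ahead(rules, ip):
    """Numbers of earlier rules that may ACCEPT (or jump to a chain that does)."""
    return [r["num"] for r in rules_ahead(rules, ip)[1] if r["target"] not in CANNOT_ACCEPT]


def with_drop_inserted_first(rules, ip):
    """Model `iptables -I INPUT 1 -s ip -j DROP`: new rule 1, the rest shift down."""
    first = {"num": 1, "target": "DROP", "prot": "all", "in": "*", "source": ip, "extra": []}
    return [first] + [dict(r, num=r["num"] + 1) for r in rules]


if __name__ == "__main__":
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.114"
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    num, ahead = rules_ahead(parse_listing(text), ip)
    print(f"DROP for {ip} is rule {num}; rules that see the packet first:")
    for r in ahead:
        print(f"  {r['num']:>3} {r['target']:<10} {' '.join(r['extra'])}")
```

On the thread's listing the check reports rules 1 to 6 as able to accept a packet from 192.168.1.114 before rule 10 is consulted; after modelling `-I INPUT 1` nothing precedes the DROP. Plain `-L` omits the interface columns, so `iptables -L INPUT -n -v --line-numbers` is the listing worth pasting when asking why a rule is not firing.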
Yes, this is exactly how iptables works, but now I am a bit confused.
Your original example used the ‘-I’, not the ‘-A’. If you were
appending then next time you may want to include the command you’re
using exactly.
Good luck.
You’re absolutely correct, the command I listed on the initial post was entered wrong; the I should have been an A. I was appending and not inserting the entry as I should have. I happened to be on a Win7 machine at the time of entering the post and wasn’t pasting the actual command. Sorry for the discrepancy, as that would definitely have delayed anyone being able to assist me. I need to be more careful.