This is a discussion on allowing only packets from a certain ip address within the Linux Security forums, part of the System Security and Security Related category.
Hi all,

What is the script to allow only packets arriving from a certain IP, namely the machine acting as a proxy, on the inside address of the firewall? Currently the firewall is accepting packets from all addresses. This causes some people in our small office to bypass the proxy and thereby not have their internet access logged and checked.

Thanks
Robert
rb wrote:

> What is the script to allow only packets arriving from a certain ip,
> namely the machine acting as a proxy, on the inside address of the
> firewall. Currently the firewall is accepting packets from all addresses.
> This causes some people in our small office to bypass the proxy and
> thereby not have their internet access logged and checked.

You tell us. We're not psychic....unless you're looking for quotes for someone to sort all this out for you....but you'll still need to supply a lot more info.

C.
hi,

I am using Red Hat with iptables. I am new at Linux. I already have a firewall script up. I am looking for help on perhaps a single line in my script that will block access from a certain IP address.

$IPTABLES -A INPUT -s 192.168.1.117 -j DROP

does not work, probably because I don't know what I am doing.

I did not mean to be so intrusive and make you upset. If I am not welcome here let me know and I will try and find help somewhere else.

Robert

"Colin McKinnon" <colin.deletethis@andthis.mms3.com> wrote in message
news:d2jjt6$4cb$2$830fa79f@news.demon.co.uk...
> rb wrote:
>
>> What is the script to allow only packets arriving from a certain ip,
>> namely the machine acting as a proxy, on the inside address of the
>> firewall. Currently the firewall is accepting packets from all addresses.
>> This causes some people in our small office to bypass the proxy and
>> thereby not have their internet access logged and checked.
>
> You tell us. We're not psychic....unless you're looking for quotes for
> someone to sort all this out for you....but you'll still need to supply a
> lot more info.
>
> C.
On Fri, 01 Apr 2005 17:56:14 +0200, rb wrote:

> "Colin McKinnon" <colin.deletethis@andthis.mms3.com> wrote in message
> news:d2jjt6$4cb$2$830fa79f@news.demon.co.uk...
>> rb wrote:
>>
>>> What is the script to allow only packets arriving from a certain ip,
>>> namely the machine acting as a proxy, on the inside address of the
>>> firewall. Currently the firewall is accepting packets from all
>>> addresses. This causes some people in our small office to bypass the
>>> proxy and thereby not have their internet access logged and checked.
>>
>> You tell us. We're not psychic....unless you're looking for quotes for
>> someone to sort all this out for you....but you'll still need to supply
>> a lot more info.
>>
>> C.
>
> hi,
>
> I am using redhat with iptables. I am new at linux. I already have a
> firewall script up. I am looking for help on perhaps a single line in my
> script that will block access from a certain ip address
>
> $IPTABLES -A INPUT -s 192.168.1.117 -j DROP
>
> does not work, probably because I don't know what I am doing
>
> I did not mean to be so intrusive and make you upset. If I am not
> welcome here let me know and I will try and find help somewhere else.
>
> Robert

I'm not sure if anyone could give you a good technical answer based on what you asked. Before you become offended you should bear in mind that it is not unheard of to post an intentionally "bad question" just to trip up someone who might try to answer. I'm not saying you did, just mentioning the possibility.

There are possibly many ways to accomplish what you want to do, most of which possibly are not applicable to your particular circumstances. There are also different types of approaches.

The iptables line you showed will not work to block traffic from outside addresses because all the packets will have the originating IP addresses, and those data are what your rule will be looking at. Therefore the traffic will bypass that rule. You might want or need to modify your network routing rules or topography depending on your situation, but it's impossible to say from what you wrote. Network questions probably belong in a different group. The possibilities are endless, and mostly would not apply to you or be any help at all. It's useless to speculate.

I think you might get answers that make you feel more welcome if the questions you ask were not inherently impossible to answer, and therefore frustrating to those who would and could help. If you read through a few weeks' messages you may begin to appreciate how often this issue of "bad questions" arises. And you will find specific pointers to suggestions that will let you ask better questions, receive good answers and feel more welcome.

As an additional suggestion, I think you may find that you will begin to feel more welcome if you don't top-post.

Best wishes.
Hi,

First off, what is top post?

Second, as I am new to Linux, it seems difficult to ask the right question, seeing that I can't even formulate the right question myself. That is why I seek the help of those who are in the know.

Third, my little understanding of Linux led me to believe that there was a quick answer to my problem. Currently my network topography won't support methods to isolate and separate; it will soon in the future. But at the moment finance is preventing me from implementing another solution. I had thought that if one could, through Linux, block an outside address from entering the network, one could block an inside/local LAN address from accessing the internet outside, or am I mistaken?

I understand the possibility of bad questions. I am a database programmer, I know bad questions, but I wonder if the thought crossed your minds that I am in the dark and require help and guidance. I am not trying to trip anyone up. I just want to get the job done.

Thanks
Robert

"Newsbox" <nospam_for_me_please@thanks.invalid> wrote in message
news:xo6dnSV67PVTCNDfRVn-iQ@acadia.net...
> On Fri, 01 Apr 2005 17:56:14 +0200, rb wrote:
>
>> "Colin McKinnon" <colin.deletethis@andthis.mms3.com> wrote in message
>> news:d2jjt6$4cb$2$830fa79f@news.demon.co.uk...
>>> rb wrote:
>>>
>>>> What is the script to allow only packets arriving from a certain ip,
>>>> namely the machine acting as a proxy, on the inside address of the
>>>> firewall. Currently the firewall is accepting packets from all
>>>> addresses. This causes some people in our small office to bypass the
>>>> proxy and thereby not have their internet access logged and checked.
>>>
>>> You tell us. We're not psychic....unless you're looking for quotes for
>>> someone to sort all this out for you....but you'll still need to supply
>>> a lot more info.
>>>
>>> C.
>>
>> hi,
>>
>> I am using redhat with iptables. I am new at linux. I already have a
>> firewall script up. I am looking for help on perhaps a single line in my
>> script that will block access from a certain ip address
>>
>> $IPTABLES -A INPUT -s 192.168.1.117 -j DROP
>>
>> does not work, probably because I don't know what I am doing
>>
>> I did not mean to be so intrusive and make you upset. If I am not
>> welcome here let me know and I will try and find help somewhere else.
>>
>> Robert
>
> I'm not sure if anyone could give you a good technical answer based on
> what you asked. Before you become offended you should bear in mind that
> it is not unheard of to post an intentionally "bad question" just to trip
> up someone who might try to answer. I'm not saying you did, just
> mentioning the possibility.
>
> There are possibly many ways to accomplish what you want to do, most of
> which possibly are not applicable to your particular circumstances. There
> are also different types of approaches.
>
> The iptables line you showed will not work to block traffic from outside
> addresses because all the packets will have the originating IP addresses,
> and those data are what your rule will be looking at. Therefore the
> traffic will bypass that rule. You might want or need to modify your
> network routing rules or topography depending on your situation, but it's
> impossible to say from what you wrote. Network questions probably belong
> in a different group. The possibilities are endless, and mostly would not
> apply to you or be any help at all. It's useless to speculate.
>
> I think you might get answers that make you feel more welcome if the
> questions you ask were not inherently impossible to answer, and therefore
> frustrating to those who would and could help. If you read through a few
> weeks' messages you may begin to appreciate how often this issue of "bad
> questions" arises. And you will find specific pointers to suggestions
> that will let you ask better questions, receive good answers and feel more
> welcome.
>
> As an additional suggestion, I think you may find that you will begin to
> feel more welcome if you don't top-post.
>
> Best wishes.
On Fri, 01 Apr 2005 13:41:18 -0500, Newsbox wrote:

> On Fri, 01 Apr 2005 17:56:14 +0200, rb wrote:
>
>> "Colin McKinnon" <colin.deletethis@andthis.mms3.com> wrote in message
>> news:d2jjt6$4cb$2$830fa79f@news.demon.co.uk...
>>> rb wrote:
>>>
>>>> What is the script to allow only packets arriving from a certain ip,
>>>> namely the machine acting as a proxy, on the inside address of the
>>>> firewall. Currently the firewall is accepting packets from all
>>>> addresses. This causes some people in our small office to bypass the
>>>> proxy and thereby not have their internet access logged and checked.
>>>
>>> You tell us. We're not psychic....unless you're looking for quotes for
>>> someone to sort all this out for you....but you'll still need to supply
>>> a lot more info.
>>>
>>> C.
>>
>> hi,
>>
>> I am using redhat with iptables. I am new at linux. I already have a
>> firewall script up. I am looking for help on perhaps a single line in my
>> script that will block access from a certain ip address
>>
>> $IPTABLES -A INPUT -s 192.168.1.117 -j DROP
>>
>> does not work, probably because I don't know what I am doing
>>
>> I did not mean to be so intrusive and make you upset. If I am not
>> welcome here let me know and I will try and find help somewhere else.
>>
>> Robert
>>
>> [...]

Some guesses about your iptables issues (none may be relevant to your situation.) :(

$IPTABLES -A INPUT -s 192.168.1.117 -j DROP
^
it looks as if you might be doing this from a normal user prompt instead of as root, which will not work, though that should give an error message.

$IPTABLES -A INPUT -s 192.168.1.117 -j DROP
          ^
If you are "appending" the rule there is always the possibility that a previously processed rule may accept the packet.

$IPTABLES -A INPUT -s 192.168.1.117 -j DROP
             ^^^^^
INPUT - on which interface? Presumably you have at least two. I am no guru so these rules are difficult enough for me to follow without my trying to make it easy for me to re-read and understand later. All the rules that I write have an "-i" specification in them (i.e. "-i eth0"). One box's OUTPUT is another box's INPUT. YIKES!!

If this option is omitted, any interface name will match.

If this is your LAN interface, the rule (see above) could (emphasis _could_) or might be effective in blocking traffic from that particular machine, which would normally stop communication. It will not block traffic to that machine, no matter which interface it is on.

The other unknown is where this machine and firewall lies in your network.

Another unknown that would generally be relevant in talking about a rule is the default policy, might not be important for this rule.

Check the IP address is correct, or use a block specification for the whole LAN such as 192.168.0.0/16, if that is your whole LAN.

If the rule still doesn't work and you're sure it's on the right machine and interface, look for an earlier rule in that (INPUT) chain or table that preempts this rule.

If none of that helps you out, you can't say I didn't try. Good luck.

<I suppose it wouldn't work just to ask the people in your small office to use the proxy? Nah, you're right.>
rb sez:

> hi,
>
> I am using redhat with iptables. I am new at linux. I already have a
> firewall script up. I am looking for help on perhaps a single line in my
> script that will block access from a certain ip address
> $IPTABLES -A INPUT -s 192.168.1.117 -j DROP
> does not work, probably because I don't know what I am doing

What do you mean "does not work"?

iptables -A INPUT -s 1.2.3.4 -j DROP

works for me. There are several possible problems with your command, including (but not limited to):

1. $IPTABLES variable is not set (run "echo $IPTABLES").
2. You are trying to filter on the Internet-connected interface. You'll [should] never see packets from 192.168.* on your external NI because they are reserved addresses.
3. You forgot to run iptables-save > /etc/sysconfig/iptables and rebooted the machine.

> I did not mean to be so intrusive and make you upset. If I am not welcome
> here let me know and I will try and find help somewhere else.

Your original question was very poorly phrased. It didn't even say if you were aware of the existence of iptables, ipchains, etc.

>>> This causes some people in our small office to bypass the proxy and
>>> thereby not have their internet access logged and checked.

This, plus mentioning of 192.168. addresses, sounds like you are also doing NAT. My guess would be, make sure you're filtering on the internal NI and/or in the right table (before NAT overwrites 192.168.* addresses). Of course, I may be wrong since there's still not enough information in your post. Either way, you'll have to read the fine Rusty's guides until you understand what you're doing.

Dima
-- 
Riding roughshod over some little used trifle like the English language is not a big deal to an important technology innovator like Microsoft. They did just that by naming a major project dot-Net (".Net"). Before that, a period followed by a capital letter was used to mark a sentence boundary. --T. Gottfried, RISKS 21.91
On 2005-04-01, Robert Bravery <robert@db2k.co.za> wrote:

> First off, what is top post.

As a database programmer, you should know that to find answers, you should look in the right place:

http://www.google.com/search?q=what+is+top+post

--keith
-- 
kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
see X- headers for PGP signature information
On Fri, 01 Apr 2005 22:32:58 +0200, Robert Bravery wrote:

> Hi,
>
> First off, what is top post.
> [...]

I was writing another, hopefully helpful message when I checked and saw that you have already received some good responses for your most pressing questions, from people who are perhaps more insightful than I am. I hope they have helped to answer your questions.

If you still have additional questions or issues, I am sure you are free and welcome to post again. I will try to help if I can; however, most of these people know more than I do in these areas and can really be of more specific help to you than I can. But I will certainly try to help get you up that steep learning curve, if I can.

Best wishes.
Hi All,

"Newsbox" <nospam_for_me_please@thanks.invalid> wrote in message
news:yv-dnSBaA7mcL9DfRVn-iQ@acadia.net...
> On Fri, 01 Apr 2005 13:41:18 -0500, Newsbox wrote:
>
>> On Fri, 01 Apr 2005 17:56:14 +0200, rb wrote:
>>
>>> "Colin McKinnon" <colin.deletethis@andthis.mms3.com> wrote in message
>>> news:d2jjt6$4cb$2$830fa79f@news.demon.co.uk...
>>>> rb wrote:
>>>>
>>>>> What is the script to allow only packets arriving from a certain ip,
>>>>> namely the machine acting as a proxy, on the inside address of the
>>>>> firewall. Currently the firewall is accepting packets from all
>>>>> addresses. This causes some people in our small office to bypass the
>>>>> proxy and thereby not have their internet access logged and checked.
>>>>
>>>> You tell us. We're not psychic....unless you're looking for quotes for
>>>> someone to sort all this out for you....but you'll still need to supply
>>>> a lot more info.
>>>>
>>>> C.
>>>
>>> hi,
>>>
>>> I am using redhat with iptables. I am new at linux. I already have a
>>> firewall script up. I am looking for help on perhaps a single line in my
>>> script that will block access from a certain ip address
>>>
>>> $IPTABLES -A INPUT -s 192.168.1.117 -j DROP
>>>
>>> does not work, probably because I don't know what I am doing
>>>
>>> I did not mean to be so intrusive and make you upset. If I am not
>>> welcome here let me know and I will try and find help somewhere else.
>>>
>>> Robert
>>>
>>> [...]
>
> Some guesses about your iptables issues (none may be relevant to your
> situation.) :(
>
> $IPTABLES -A INPUT -s 192.168.1.117 -j DROP
> ^
> it looks as if you might be doing this from a normal user prompt instead
> of as root, which will not work, though that should give an error message.

I am logged in as root when trying to alter and run my existing script, including adding the above mentioned rule.

> $IPTABLES -A INPUT -s 192.168.1.117 -j DROP
>           ^
> If you are "appending" the rule there is always the possibility that a
> previously processed rule may accept the packet.

This might be entirely possible, as I added the rule at the end of the firewall script. My knowledge is not that great that I might figure out where to put the rule. I have read a few iptables HOWTOs but they, although being very good and helpful, did not cover my particular situation.

> $IPTABLES -A INPUT -s 192.168.1.117 -j DROP
>              ^^^^^
> INPUT - on which interface? Presumably you have at least two. I am no
> guru so these rules are difficult enough for me to follow without my
> trying to make it easy for me to re-read and understand later. All the
> rules that I write have an "-i" specification in them (i.e. "-i eth0").
> One box's OUTPUT is another box's INPUT. YIKES!!
>
> If this option is omitted, any interface name will match.

I did try other interfaces without success. eth0 is the outside/internet interface, eth1 is the inside/LAN interface. I tried:

$IPTABLES -A INPUT -i eth0 -s 192.168.1.117 -j DROP

and

$IPTABLES -A INPUT -i eth1 -s 192.168.1.117 -j DROP

with no luck. So presumably I am missing something here.

> If this is your LAN interface, the rule (see above) could (emphasis
> _could_) or might be effective in blocking traffic from that particular
> machine, which would normally stop communication. It will not block
> traffic to that machine, no matter which interface it is on.
>
> The other unknown is where this machine and firewall lies in your network.

The firewall lies between the internet router and the proxy server.

> Another unknown that would generally be relevant in talking about a rule
> is the default policy, might not be important for this rule.
>
> Check the IP address is correct, or use a block specification for the
> whole LAN such as 192.168.0.0/16, if that is your whole LAN.

Yes, have done that.

> If the rule still doesn't work and you're sure it's on the right machine
> and interface, look for an earlier rule in that (INPUT) chain or table
> that preempts this rule.

Possible. I think there is a rule that might be. I first disallow everything inside and out, then I allow a stateful rule allowing all on the inside LAN to go through. After this, at the end of the script, I tried to drop this particular inside/LAN IP address. I am unclear as to where I should put this rule. Should it go before I statefully accept on the inside or after? Which rule would then take precedence?

> If none of that helps you out, you can't say I didn't try. Good luck.
>
> <I suppose it wouldn't work just to ask the people in your small office to
> use the proxy? Nah, you're right.>

Thanks for your efforts.

Robert
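The two points the thread circles around (Newsbox's "a previously processed rule may accept the packet" and Robert's script that accepts the whole LAN statefully and then appends a DROP) come down to chain and rule order, so here is an added example that is not from any poster: it reproduces the ordering Robert describes beside one that enforces "only the proxy may reach the internet", with a small check that tells you when a DROP is shadowed by an earlier ACCEPT. eth0/eth1 follow Robert's description; the LAN range 192.168.1.0/24, the proxy address 192.168.1.10 and the dry-run default for $IPTABLES are assumptions. Packets from LAN hosts bound for the internet are routed through the firewall and so traverse FORWARD, not INPUT (INPUT only sees packets addressed to the firewall itself), which is why the corrected set lives in FORWARD.

```shell
#!/bin/sh
# Added example, not from the thread. Names are assumptions: eth0 = internet
# side, eth1 = LAN side, 192.168.1.0/24 = LAN, 192.168.1.10 = proxy
# (hypothetical), 192.168.1.117 = the host from the thread. IPTABLES defaults
# to a dry run that only prints the commands, so this runs without root;
# set IPTABLES=/sbin/iptables on the firewall to load the rules for real.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
PROXY_IP=192.168.1.10
BYPASS_HOST=192.168.1.117
IPTABLES="${IPTABLES:-echo iptables}"

# The ordering described in the thread: deny by default, accept the whole
# LAN statefully, then append a DROP for one host. A chain is evaluated
# top-down and stops at the first terminating match, so the LAN-wide ACCEPT
# always wins and the appended DROP is dead.
broken_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$BYPASS_HOST" -j DROP
}

# Corrected: filter forwarded traffic, accept the proxy first, then log and
# drop everything else from the LAN. The LOG rule leaves a kernel-log record
# of each bypass attempt, which is the audit trail the original post wanted.
fixed_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY_IP" -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j LOG --log-prefix "proxy-bypass: "
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j DROP
}

# 1-based line number of the first line of $2 matching grep pattern $1, or 0.
line_of() {
    printf '%s\n' "$2" | grep -n -- "$1" | head -n 1 | cut -d: -f1 | {
        read -r n
        echo "${n:-0}"
    }
}

# Returns 0 when the rule set printed by function $1 lists a LAN-wide ACCEPT
# above its first "-j DROP" (so that DROP can never match), 1 otherwise.
drop_is_shadowed() {
    rules=$("$1")
    accept=$(line_of "-s $LAN_NET.*-j ACCEPT" "$rules")
    drop=$(line_of "-j DROP" "$rules")
    if [ "$accept" -ne 0 ] && [ "$accept" -lt "$drop" ]; then
        return 0
    fi
    return 1
}
```

Run it as-is to see both rule sets printed; `drop_is_shadowed broken_rules` succeeds (the DROP is dead) while `drop_is_shadowed fixed_rules` fails (the proxy ACCEPT precedes the LAN DROP and nothing accepts the whole LAN first).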