Skip to main content

IPCOP - How to block IP address's, ranges etc...

More
18 years 8 months ago #9571 by MudVayne
IPCOP - How to block IP address's, ranges etc... was created by MudVayne
I recently moved from a Coyote Linux firewall to an IPCOP 1.4.6 with no addons firewall and I have a question.

In Coyote, under the Advanced Firewall area, there was a way to block certain IP addresses from connecting to my network. I am not looking to block out going stuff, which Coyote allows as well. I am particularly looking to block Internet IP addresses (like problem Clients that connect to a webpage or game server that I occasionally run) If I could block entire IP ranges, that would be nice as well. In searching through the posts here, it appears as though I may have to do something with an IPTABLE?? I think? I don't see anywhere in the IPCOP admin pages that allow you to do this, or I am just totally missing it. If someone could give me a starting place, I would greatly appreciate it. I do know how to connect to the IPCOP machine via Putty or WinSCP3 (at least I think I can remember) so if someone can give me a push from there if I have to do something via the IPTABLE route, that would be great.

Thanks
-M
More
18 years 8 months ago #9581 by DaLight
Replied by DaLight on topic Re: IPCOP - How to block IP address's, ranges etc...
nnbnbYou are right MudVayne. It is not possible to change the firewall rules in IPCOP from the admin page. You will have to drop down to the Command Line to do this. Check out this post ( firewall.cx/ftopicp-9519.html#9519 ) for details of which files to change and also an example config file.

In order to block TCP packets from the IP range 192.168.111.13 to 192.168.111.19, you will have to add a command of this form to the example config file:

[code:1]
$IPT -A CUSTOMINPUT -i $RED_DEV -p tcp -m iprange --src-range 192.168.111.13-192.168.111.19 -j DROP
[/code:1]

Note that the above code uses some variables which have been predefined in the example config file in the linked post.
More
18 years 8 months ago #9588 by MudVayne
Replied by MudVayne on topic Re: IPCOP - How to block IP address's, ranges etc...
Thanks for the reply.

I tried what you suggested but I can't get it to seem to do anything.

Here is a copy of the file I uploaded. Mod is 0755 same as original.


[code:1]
#!/bin/sh
#variables defined therein
. /var/ipcop/ethernet/settings

# Flush Custom Input Rules
/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -F CUSTOMFORWARD

# shorthand helper
$IPT="/sbin/iptables"

# echo-reply
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 0 -j DROP
# echo-request
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 8 -j DROP

# Now accept the three(3) good ones
# destination-unreachable
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 3 -j ACCEPT
# redirect
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 5 -j ACCEPT
# time exceeded
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 11 -j ACCEPT

# Drop all other ICMP type data
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp -j DROP

# drop any tcp/udp packets to ports 135 - 137
$IPT -A CUSTOMINPUT -i $RED_DEV -p tcp --dport 135:137 -j DROP
$IPT -A CUSTOMINPUT -i $RED_DEV -p udp --dport 135:137 -j DROP


#restrict outgoing access

#allow full access for specific IPs
#PC1 - 192.168.111.1
#$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.1 -o $RED_DEV -j ACCEPT
#PC2 - 192.168.111.2
#$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.2 -o $RED_DEV -j ACCEPT

#allow limited access for specific IPs - in this case 192.168.111.3 tcp ports 20,21
#$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.3 -o $RED_DEV -p tcp --dport 21 -j ACCEPT
#$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.3 -o $RED_DEV -p tcp --dport 20 -j ACCEPT

#bar access for Internal IPs
$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.20 -o $RED_DEV -j DROP

#bar access from Internet IP Range

$IPT -A CUSTOMINPUT -i $RED_DEV -p tcp -m iprange --src-range 12.111.51.193-12.111.51.206 -j DROP
[/code:1]

I then opened putty and executed the file with:

root@ipcop:~ # . /etc/rc.d/rc.local

It seemed to work okay as far as executing but then when I try to go to the Internet from the machine at the 192.168.0.20 IP I could access webpages and surf at will.

I tried to then connect to my home IP Network from one of the 12.111.51.193-206 IP's and I was able to connect fine as well. Do I have to restart the IPCOP everytime I make a change or can I just rerun the rc.local file? What am I doing wrong?
Where can I find a good "how to" for IPCop iptable editing?
-M
More
18 years 8 months ago #9594 by DaLight
Replied by DaLight on topic Re: IPCOP - How to block IP address's, ranges etc...
Sorry, MudVayne I used the wrong chain. Instead of:
[code:1]
$IPT -A CUSTOMINPUT -i $RED_DEV -p tcp -m iprange --src-range 12.111.51.193-12.111.51.206 -j DROP
[/code:1]

the blocking command should be:
[code:1]
$IPT -A CUSTOMFORWARD -i $RED_DEV -p tcp -m iprange --src-range 12.111.51.193-12.111.51.206 -j DROP
[/code:1]

You will notice I replaced CUSTOMINPUT with CUSTOMFORWARD. The CUSTOMINPUT chain (which is added to the INPUT chain) deals with connections that are intended to terminate at the IPCOP i.e. SSH, Web admin. The CUSTOMFORWARD chain (which is added to the FORWARD chain) on the other hand deals with connections that are to be forwarded to other hosts, as in the case of port forwards to hosts behind your IPCOP.


As for this:

... when I try to go to the Internet from the machine at the 192.168.0.20 IP I could access webpages and surf at will.


If the Squid Proxy is enabled, web access will still be possible. You will need to make sure that the proxy is either turned off or you can set the appropriate access rules in /var/ipcop/proxy/acl. I can provide help with this if required.
More
18 years 8 months ago #9596 by Chris
Replied by Chris on topic Re: IPCOP - How to block IP address's, ranges etc...
Since we are talking about firewall rules (iptables), does anyone know if iptables supports time extension rules? eg. make a iptable rule valid for a specific amount of time ??
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
More
18 years 8 months ago #9598 by nske
Replied by nske on topic Re: IPCOP - How to block IP address's, ranges etc...
You mean something like this?

time patch
This patch by Fabrice MARIE <fabrice@netfilter.org> adds a new match that allows you to match a packet based on its arrival or departure (for locally generated packets) timestamp.

for example, to accept packets that have an arrival time from 8:00H to 18:00H from Monday to Friday you can do as follows :


# iptables -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT

# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere TIME from 8:0 to 18:0 on Mon,Tue,Wed,Thu,Fri


Supported options for the time match are :


--timestart value
-> minimum HH:MM

--timestop value
-> maximum HH:MM

--days listofdays
-> a list of days to apply, from (case sensitive)

Mon
Tue
Wed
Thu
Fri
Sat
Sun


It is an extra patch available with the patch-o-matic (never tried it). It could also be possible to use some script-wrapper to add/remove rules based on time instead, but the builtin patch should be more efficient.
Time to create page: 0.154 seconds