
IPCOP - How to block IP addresses, ranges, etc.

13 years 9 months ago #35957 by stevied81
root@PROXY3:/etc/rc.d # vi rc.local
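#!/bin/sh
# Static routes to the subnets reached via next-hop gateways on the
# 10.3.0.x segment. rc.sysinit runs this file at boot
# (rc.sysinit: /etc/rc.d/rc.local), so it needs the shebang above and
# must contain nothing but commands.
#
# A "SIOCADDRT: File exists" message from one of these usually only
# means the route is already present (added by an addon or the GUI).
#
# The first line of the original file had the error text
# "SIOCADDRT: File" pasted over the start of the command, which the
# shell then reported as "SIOCADDRT:: command not found"; the command is
# restored here from the network, netmask and gateway that survived.
route add -net 10.1.0.0 netmask 255.255.252.0 gw 10.3.0.1
route add -net 10.4.0.0 netmask 255.255.252.0 gw 10.3.0.1
route add -net 10.5.0.0 netmask 255.255.252.0 gw 10.3.0.2
route add -net 10.10.0.0 netmask 255.255.255.0 gw 10.3.0.6
route add -net 10.14.0.0 netmask 255.255.255.0 gw 10.3.0.6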
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"rc.local" 7L, 360C


The grep for rc.local then gives:

root@PROXY3:/etc/rc.d # grep rc.local *
rc.local:"rc.local" 7L, 360C
rc.sysinit:echo "Running rc.local"
rc.sysinit:/etc/rc.d/rc.local
root@PROXY3:/etc/rc.d #
13 years 9 months ago #35958 by DaLight
Add the following to the start of the file:
[code:1]#!/bin/sh
# the interface variables used below are defined in this file
. /var/ipcop/ethernet/settings[/code:1]
and the following to the end of the file:
[code:1]
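# shorthand helper
IPT="/sbin/iptables"

# The interface names come from /var/ipcop/ethernet/settings, which must
# be sourced earlier in this file; fail with a clear message instead of
# handing iptables an empty -i / -o argument.
: "${GREEN_DEV:?GREEN_DEV is not set - source /var/ipcop/ethernet/settings first}"
: "${RED_DEV:?RED_DEV is not set - source /var/ipcop/ethernet/settings first}"

# Flush the CUSTOMFORWARD chain so re-running this script does not
# append duplicate copies of the rules below.
"$IPT" -F CUSTOMFORWARD

# Allow hosts on 10.14.0.0/24 arriving on GREEN to be forwarded out of
# RED. The -i match means a packet claiming a 10.14.0.0/24 source that
# arrives on any other interface does not hit this rule. Return traffic
# is accepted by the RELATED,ESTABLISHED rule IPCop already has in
# FORWARD, so no reverse rule is needed here.
"$IPT" -A CUSTOMFORWARD -i "$GREEN_DEV" -s 10.14.0.0/24 -o "$RED_DEV" -j ACCEPT
[/code:1]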
13 years 9 months ago #35960 by stevied81
Okay, thanks. Did that. Now when I run `iptables -L` I get the following response:

root@PROXY3:/etc/rc.d # ./rc.local
./rc.local: line 4: SIOCADDRT:: command not found
SIOCADDRT: File exists
SIOCADDRT: File exists
SIOCADDRT: File exists
SIOCADDRT: File exists
./rc.local: line 17: /root: is a directory
./rc.local: line 18: /root: is a directory
./rc.local: line 19: /root: is a directory
./rc.local: line 20: /root: is a directory
./rc.local: line 21: /root: is a directory
./rc.local: line 22: /root: is a directory
./rc.local: line 23: /root: is a directory
./rc.local: line 24: /root: is a directory
./rc.local: line 25: /root: is a directory
./rc.local: line 26: /root: is a directory
./rc.local: line 27: /root: is a directory
./rc.local: line 28: /root: is a directory
./rc.local: line 29: /root: is a directory
./rc.local: line 30: /root: is a directory
./rc.local: line 31: /root: is a directory
./rc.local: line 32: rc.local: command not found
./rc.local: line 33: exists: command not found
SIOCADDRT: File exists
SIOCADDRT: File exists
SIOCADDRT: File exists
SIOCADDRT: File exists
SIOCADDRT: File exists
SIOCADDRT: File exists
root@PROXY3:/etc/rc.d # cd
root@PROXY3:~ # iptables -L
Chain CUSTOMFORWARD (1 references)
target prot opt source destination
ACCEPT all -- 10.14.0.0/24 anywhere

Chain CUSTOMINPUT (1 references)
target prot opt source destination

Chain CUSTOMOUTPUT (1 references)
target prot opt source destination

Chain DHCPBLUEINPUT (1 references)
target prot opt source destination

Chain DMZHOLES (0 references)
target prot opt source destination

Chain GUIINPUT (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request

Chain INPUT (policy DROP)
target prot opt source destination
ipac~o all -- anywhere anywhere
NEW_local_chk all -- anywhere anywhere
CUSTOMINPUT all -- anywhere anywhere
GUIINPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
IPSECVIRTUAL all -- anywhere anywhere
OPENSSLVIRTUAL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
ACCEPT !icmp -- anywhere anywhere state NEW
DHCPBLUEINPUT all -- anywhere anywhere
IPSECPHYSICAL all -- anywhere anywhere
OPENSSLPHYSICAL all -- anywhere anywhere
WIRELESSINPUT all -- anywhere anywhere state NEW
REDINPUT all -- anywhere anywhere
XTACCESS all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `INPUT '

Chain FORWARD (policy DROP)
target prot opt source destination
ipac~fi all -- anywhere anywhere
ipac~fo all -- anywhere anywhere
ACCEPT all -- 10.0.0.0/22 10.1.0.0/22
ACCEPT all -- 10.1.0.0/22 10.0.0.0/22
ACCEPT all -- 10.0.0.0/22 10.2.0.0/22
ACCEPT all -- 10.2.0.0/22 10.0.0.0/22
ACCEPT all -- 10.0.0.0/22 10.3.0.0/22
ACCEPT all -- 10.3.0.0/22 10.0.0.0/22
ACCEPT all -- 10.0.0.0/22 10.4.0.0/22
ACCEPT all -- 10.4.0.0/22 10.0.0.0/22
ACCEPT all -- 10.0.0.0/22 10.5.0.0/22
ACCEPT all -- 10.5.0.0/22 10.0.0.0/22
ACCEPT all -- 10.0.0.0/22 10.15.0.0/22
ACCEPT all -- 10.15.0.0/22 10.0.0.0/22
ACCEPT all -- 10.0.0.0/22 10.10.0.0/24
ACCEPT all -- 10.10.0.0/24 10.0.0.0/22
ACCEPT all -- 10.10.0.0/24 10.2.0.0/22
ACCEPT all -- 10.2.0.0/22 10.10.0.0/22
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
CUSTOMFORWARD all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
IPSECVIRTUAL all -- anywhere anywhere
OPENSSLVIRTUAL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
ACCEPT all -- anywhere anywhere state NEW
WIRELESSFORWARD all -- anywhere anywhere state NEW
REDFORWARD all -- anywhere anywhere
PORTFWACCESS all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '

Chain IPSECPHYSICAL (1 references)
target prot opt source destination

Chain IPSECVIRTUAL (2 references)
target prot opt source destination

Chain LOG_DROP (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
DROP all -- anywhere anywhere

Chain LOG_REJECT (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain NEW_local_chk (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 10.0.0.0/22 anywhere
ACCEPT all -- 10.1.0.0/22 anywhere
ACCEPT all -- 10.2.0.0/22 anywhere
ACCEPT all -- 10.3.0.0/22 anywhere
ACCEPT all -- 10.4.0.0/22 anywhere
ACCEPT all -- 10.5.0.0/22 anywhere
ACCEPT all -- 10.10.0.0/24 anywhere
ACCEPT all -- 10.15.0.0/22 anywhere

Chain OPENSSLPHYSICAL (1 references)
target prot opt source destination

Chain OPENSSLVIRTUAL (2 references)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ipac~i all -- anywhere anywhere
CUSTOMOUTPUT all -- anywhere anywhere

Chain PORTFWACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.0.1.80 tcp dpt:acr-nema
ACCEPT tcp -- anywhere 10.0.1.18 tcp dpt:scol
ACCEPT tcp -- anywhere 10.2.0.4 tcp dpt:pcanywheredata
ACCEPT tcp -- anywhere 10.0.1.18 tcp dpt:https
ACCEPT tcp -- anywhere 10.0.1.12 tcp dpt:re-mail-ck
ACCEPT tcp -- anywhere 10.0.1.12 tcp dpt:isakmp
ACCEPT tcp -- anywhere 10.0.1.12 tcp dpt:la-maint
ACCEPT tcp -- anywhere 10.0.1.59 tcp dpt:pcanywheredata
ACCEPT tcp -- anywhere 10.0.1.80 tcp dpt:5635
ACCEPT tcp -- anywhere 10.0.1.58 tcp dpt:pcanywheredata
ACCEPT tcp -- anywhere 10.0.0.7 tcp dpt:vnc-server
ACCEPT tcp -- anywhere 10.0.1.80 tcp dpt:5905
ACCEPT tcp -- anywhere 10.0.1.65 tcp dpt:vnc-server
ACCEPT tcp -- anywhere 10.0.1.11 tcp dpt:vnc-server
ACCEPT tcp -- anywhere 10.0.1.120 tcp dpt:vnc-server
ACCEPT tcp -- anywhere 10.0.1.18 tcp dpt:http
ACCEPT tcp -- anywhere 10.0.1.80 tcp dpt:mfcobol
ACCEPT tcp -- anywhere 10.0.1.11 tcp dpt:http
ACCEPT tcp -- anywhere 10.0.1.120 tcp dpt:http
ACCEPT tcp -- anywhere 10.0.0.4 tcp dpt:pptp
ACCEPT gre -- anywhere 10.0.0.4
ACCEPT tcp -- anywhere 10.0.1.11 tcp dpt:http
ACCEPT tcp -- anywhere 10.0.1.18 tcp dpt:vnc-server
ACCEPT tcp -- anywhere 10.0.1.58 tcp dpt:vnc-server
ACCEPT tcp -- anywhere 10.0.1.11 tcp dpt:acr-nema
ACCEPT tcp -- anywhere 10.3.0.11 tcp dpt:acr-nema

Chain REDFORWARD (1 references)
target prot opt source destination

Chain REDINPUT (1 references)
target prot opt source destination

Chain WIRELESSFORWARD (1 references)
target prot opt source destination

Chain WIRELESSINPUT (1 references)
target prot opt source destination

Chain XTACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.3.0.8 tcp dpt:ident
ACCEPT tcp -- anywhere 10.3.0.8 tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere 10.3.0.8 tcp dpt:rsh-spx

Chain ipac~fi (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere

Chain ipac~fo (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere

Chain ipac~i (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere

Chain ipac~o (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
13 years 9 months ago #35961 by DaLight
From the "iptables -L" output, access has been granted for the new subnet as required. The error messages relate to the other routing commands in the file, which were added manually or by an addon. Check whether the PCs on the subnet have the access they need.
13 years 9 months ago #35962 by stevied81
Okay, thanks. I think we are getting close to the problem. We have two IPCop boxes: one for wireless and one for ADSL. On the other IPCop box, on which we have not yet edited anything, this is what I get when I try to edit the rc.local file:



root@firewall:/etc/rc.d # vi rc.local
#!/bin/sh


# COPFILTER START - do not modify
# start local programs
echo "starting p3scan ..."
env /var/log/copfilter/default/opt/p3scan/etc/init.d/copfilter_p3scan config
echo "starting avgscan (if installed) ..."
env /var/log/copfilter/default/opt/avg/etc/init.d/copfilter_avgscan config
echo "starting fprotd (if installed) ..."
env /var/log/copfilter/default/opt/f-prot/etc/init.d/copfilter_f-protd config
echo "starting clamd ..."
env /var/log/copfilter/default/opt/clamav/etc/init.d/copfilter_clamd config
echo "starting spamd ..."
env /var/log/copfilter/default/opt/mail-spamassassin/etc/init.d/copfilter_spamd config
echo "starting havp ..."
env /var/log/copfilter/default/opt/havp/etc/init.d/copfilter_havp config
echo "starting frox ..."
env /var/log/copfilter/default/opt/frox/etc/init.d/copfilter_frox config
echo "starting privoxy ..."
env /var/log/copfilter/default/opt/privoxy/etc/init.d/copfilter_privoxy config
echo "starting proxsmtpd ..."
"rc.local" 37L, 1761C
13 years 9 months ago #35963 by DaLight
Right, that tells me you've got the Copfilter addon on that IPCop box, but you still haven't answered my question about whether PCs on the newly added subnet now have access as a result of the rc.local changes.