[CentOS] Blocking an IP address both as source and destination

Stephen Harris lists at spuddy.org
Mon Apr 25 16:18:08 UTC 2011


On Mon, Apr 25, 2011 at 06:03:29PM +0200, Alexander Farber wrote:
> Hello,
> 
> how do you block incoming AND outgoing traffic to a site?
> 
> I have 2 drop lines for a site in my /etc/sysconfig/iptables:
> 
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [294:35064]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -s xx.xx.xx.0/24 -j DROP
> -A INPUT -d xx.xx.xx.0/24 -j DROP
> -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports
> 80,8080 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags
> FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
> COMMIT
> 
> but for some reason still can "ping xx.xx.xx.1" and
> "ssh xx.xx.xx.1" prints
> "ssh: connect to host xx.xx.xx.1 port 22: Connection refused"
> immediately, which probably means my packets aren't dropped at all.

To block outgoing traffic (traffic originating on this host destined
for another machine) you need to add rules to the OUTPUT filter.

-- 

rgds
Stephen
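The point of the reply is that a `-d` match in the INPUT chain can only see packets arriving at this host, so it never blocks what the host sends; the destination rule has to live in OUTPUT. The script below is an added example, not code from the thread or from CentOS: it parses the `*filter` table in iptables-save format (the format of `/etc/sysconfig/iptables`), reports whether a network is dropped as source in INPUT and as destination in OUTPUT, and flags destination-only DROP rules that sit in INPUT. The rulesets, the RFC 5737 range `192.0.2.0/24` standing in for `xx.xx.xx.0/24`, and the function names `parse_filter_rules`, `blocked_directions` and `misplaced_rules` are all constructed for the example.

```python
"""Check an iptables-save dump for DROP rules covering a network in both directions.

Added example, not from the mailing-list post.  Only explicit -A rules are
inspected; chain policies (the ':INPUT DROP' lines) are deliberately ignored so
the report shows what the rules themselves cover.
"""
import ipaddress
import shlex

# Constructed sample modelled on the ruleset in the question.  192.0.2.0/24
# (RFC 5737 documentation range) stands in for xx.xx.xx.0/24.
RULESET_BEFORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -d 192.0.2.0/24 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,8080 -j ACCEPT
COMMIT
"""

# The same ruleset with the destination rule moved to OUTPUT, as the reply advises.
RULESET_AFTER = RULESET_BEFORE.replace(
    "-A INPUT -d 192.0.2.0/24 -j DROP", "-A OUTPUT -d 192.0.2.0/24 -j DROP")


def parse_filter_rules(dump):
    """Yield (chain, options) for every '-A' line of the *filter table.

    options maps a flag such as '-s', '-d' or '-j' to the argument that follows
    it; a flag with no argument is stored as True.  Extra positional arguments
    (e.g. the second word of '--tcp-flags FIN,SYN,RST,ACK SYN') are skipped.
    """
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. '*filter' or '*nat'
            in_filter = line == "*filter"
            continue
        if not in_filter or not line.startswith("-A "):
            continue                      # policies, COMMIT, comments, other tables
        tokens = shlex.split(line)        # shlex keeps quoted --comment text intact
        chain = tokens[1]
        opts = {}
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if not tok.startswith("-"):
                i += 1
                continue
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok] = tokens[i + 1]
                i += 2
            else:
                opts[tok] = True
                i += 1
        yield chain, opts


def _covers(cidr, net):
    """True when the rule's address spec `cidr` contains `net` (a host is a /32)."""
    return net.subnet_of(ipaddress.ip_network(cidr, strict=False))


def blocked_directions(dump, network):
    """Return the set of directions in which `network` is explicitly blocked.

    'in'  -> an INPUT  rule with -s covering the network and a DROP/REJECT target
    'out' -> an OUTPUT rule with -d covering the network and a DROP/REJECT target
    """
    net = ipaddress.ip_network(network, strict=False)
    covered = set()
    for chain, opts in parse_filter_rules(dump):
        if opts.get("-j") not in ("DROP", "REJECT"):
            continue
        if chain == "INPUT" and "-s" in opts and _covers(opts["-s"], net):
            covered.add("in")
        if chain == "OUTPUT" and "-d" in opts and _covers(opts["-d"], net):
            covered.add("out")
    return covered


def misplaced_rules(dump):
    """List DROP/REJECT rules that match only on the 'wrong' address for their chain.

    An INPUT rule keyed only on -d, or an OUTPUT rule keyed only on -s, compares
    against this host's own addresses and will not block the intended remote
    traffic; such rules deserve a second look.  Returns (chain, flag, address).
    """
    found = []
    for chain, opts in parse_filter_rules(dump):
        if opts.get("-j") not in ("DROP", "REJECT"):
            continue
        if chain == "INPUT" and "-d" in opts and "-s" not in opts:
            found.append(("INPUT", "-d", opts["-d"]))
        if chain == "OUTPUT" and "-s" in opts and "-d" not in opts:
            found.append(("OUTPUT", "-s", opts["-s"]))
    return found


if __name__ == "__main__":
    for name, dump in (("before", RULESET_BEFORE), ("after", RULESET_AFTER)):
        print(name, "blocked:", sorted(blocked_directions(dump, "192.0.2.0/24")),
              "misplaced:", misplaced_rules(dump))
```

On a live system the same check can be run against `iptables-save` output by feeding it to `blocked_directions`; the script itself never touches the kernel, so it needs no privileges and works on a saved copy of the config. Note that an outbound `ssh` or `ping` to the subnet should hang rather than return "Connection refused" once the OUTPUT DROP rule is in place, since DROP discards the packet without any reply.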
