
Julian Eduardo de Anquin <[EMAIL PROTECTED]> wrote:
>
> I want to block access to some IP addresses, so that my computers in the
> intranet cannot access them.

This requires some additional rules on your firewall.  The chain that
controls access to the external network is the FORWARD chain.  You
should add some rules that deny specific destinations.  Such as:

    ipchains -A FORWARD -d xxx.xxx.xxx.xxx -j REJECT

This adds a rule to the FORWARD chain, specifying that if a packet has a
destination IP address of xxx.xxx.xxx.xxx, then it should be rejected
(i.e. a message sent back to the box attempting the connection, telling
it that it will not work).

I find that Windows boxes usually do not believe the rejection message
they receive, and continue to retry the connection anyway, until they
time out.  Too bad for them, I say.  But if this bothers you, you can
use the "reject-with" option to specify an error code that they won't
ignore, such as:

    ipchains -A FORWARD -d xxx.xxx.xxx.xxx -j REJECT \
                        --reject-with  icmp-proto-unreachable

You will have to examine your firewall script and try to determine where
these rules should be inserted in your list.  For instance, if your
script adds a final "accept all" rule to your FORWARD chain, then adding
some more rules like the above will not work.  Some experimentation is
in your best interest.  :)

You can build many sorts of rules, such as denying traffic on certain
ports, to prevent services being used.

Note that you can, technically, use hostnames instead of IP addresses in
your firewall script.  For instance,

    ipchains -A FORWARD -d www.yahoo.com -j REJECT

This will add a dozen rules, for all the different IPs that match
yahoo.com.  However, if the list changes dynamically, your firewall will
only notice when you reload the rules.  And it depends on DNS services
being available while the firewall is booting up, which is sometimes not
possible.  So it is best to use IPs when you can.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)     || "Good judgment comes from experience.
sometimes known as David DeSimone  ||  Experience comes from bad judgment."
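As an added example (not part of Fuzzy Fox's reply), a small POSIX sh helper that applies the two caveats above: it inserts the REJECT rules at position 1 of FORWARD so a trailing "accept all" rule cannot swallow them, and it refuses hostnames so the rule set never depends on DNS being up at boot. The blocklist entries are constructed, and IPCHAINS defaults to a dry run that only echoes the commands.

```shell
#!/bin/sh
# Added example: build FORWARD-chain REJECT rules from a blocklist.
# IPCHAINS defaults to a dry run that prints the commands;
# set IPCHAINS=ipchains to actually load the rules.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# Return 0 if $1 is a dotted-quad IPv4 address (optional /prefix allowed).
is_ipv4() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    addr="${1%%/*}"
    case "$addr" in .*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Read a blocklist on stdin (one destination per line, '#' comments allowed)
# and emit one rule per address. Using -I FORWARD 1 puts each rule at the
# head of the chain, ahead of any final accept-all rule. Entries that are
# not plain IPs (e.g. www.yahoo.com) are reported on stderr and skipped.
block_destinations() {
    while read -r dest rest; do
        case "$dest" in ''|\#*) continue ;; esac
        if is_ipv4 "$dest"; then
            $IPCHAINS -I FORWARD 1 -d "$dest" -j REJECT
        else
            echo "skipping '$dest': use an IP address, not a hostname" >&2
        fi
    done
}

# Constructed sample blocklist (documentation addresses, not real targets).
sample_blocklist() {
    printf '%s\n' '# destinations the intranet may not reach' \
        '192.0.2.10' '198.51.100.0/24' 'www.example.com' '256.1.1.1'
}
```

Run it as `sample_blocklist | block_destinations` to see the generated commands; the hostname and the malformed address are skipped with a message on stderr.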
_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]