/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! /* ALSO: Don't quote this header. It makes you look lame :-) */
My firewall is implemented using iptables. Can I mix ipchains with iptables?

Thanks a lot,
Julian

Julian de Anquin
Consultant
Sarmiento 71 - 2nd floor, office 8
x5000EYA - Cordoba - Argentina
(54-0351) 4254394 4242545
[EMAIL PROTECTED]
www.ayi.asociados.com <http://www.ayi-asociados.com>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] on behalf of Fuzzy Fox
Sent: Friday, 25 July 2003 10:41 p.m.
To: [EMAIL PROTECTED]
Subject: Re: [Masq]

Julian Eduardo de Anquin <[EMAIL PROTECTED]> wrote:
>
> I want to block access to some IP addresses, so that my computers in the
> intranet cannot access them.

This requires some additional rules on your firewall. The chain that
controls access to the external network is the FORWARD chain. You should
add some rules that deny specific destinations, such as:

    ipchains -A FORWARD -d xxx.xxx.xxx.xxx -j REJECT

This adds a rule to the FORWARD chain, specifying that if a packet has a
destination IP address of xxx.xxx.xxx.xxx, then it should be rejected
(i.e. a message is sent back to the box attempting the connection, telling
it that it will not work).

I find that Windows boxes usually do not believe the rejection message they
receive, and continue to retry the connection anyway, until they time out.
Too bad for them, I say. But if this bothers you, you can use the
"reject-with" option to specify an error code that they won't ignore, such
as:

    ipchains -A FORWARD -d xxx.xxx.xxx.xxx -j REJECT \
        --reject-with icmp-proto-unreachable

You will have to examine your firewall script and try to determine where
these rules should be inserted in your list. For instance, if your script
adds a final "accept all" rule to your FORWARD chain, then adding some more
rules like the above will not work. Some experimentation is in your best
interest. :)

You can build many sorts of rules, such as denying traffic on certain
ports, to prevent services being used.

Note that you can, technically, use hostnames instead of IP addresses in
your firewall script. For instance:

    ipchains -A FORWARD -d www.yahoo.com -j REJECT

This will add a dozen rules, for all the different IPs that match
yahoo.com. However, if the list changes dynamically, your firewall will
only notice when you reload the rules. And it depends on DNS services
being available while the firewall is booting up, which is sometimes not
possible. So it is best to use IPs when you can.

-- 
[EMAIL PROTECTED] (Fuzzy Fox)      || "Good judgment comes from experience.
sometimes known as David DeSimone  ||  Experience comes from bad judgment."

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
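The rule-ordering point in the reply above (a destination block appended after a final "accept all" rule is never reached) is easy to get wrong in a generated firewall script. The script below is an added example, not code from the thread or from either poster: it finds the position of the first ACCEPT rule in the FORWARD chain and inserts the REJECT rules ahead of it. It is written in iptables syntax (the reply's commands are ipchains); the block list, the snapshot of existing rules and the RFC 5737 addresses are constructed for the example, and `icmp-host-unreachable` is one of the iptables `--reject-with` values. By default it only echoes the commands so it can run without root.

```shell
#!/bin/sh
# Added example, not code from the thread: block a list of destination
# addresses in the FORWARD chain and make sure the rules land *before* the
# script's first "accept" rule, which would otherwise shadow them.
# Written in iptables syntax (the thread's commands are ipchains).
#
# IPT defaults to a dry run that only echoes the commands, so the script can
# be read and tested without root; run with IPT=iptables to apply it for real.
IPT="${IPT:-echo iptables}"

# Constructed sample: destinations the intranet must not reach
# (RFC 5737 documentation addresses standing in for the real list).
BLOCKED_DESTS="192.0.2.10 198.51.100.0/24"

# Constructed snapshot of what `iptables -S FORWARD` would print for an
# existing firewall script. The second -A line is the "accept all" rule that
# an appended (-A) block rule would sit behind and never be reached.
SAMPLE_FORWARD_RULES='-P FORWARD DROP
-A FORWARD -d 203.0.113.5 -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
# On a live system use the real listing instead: FORWARD_RULES=$(iptables -S FORWARD)
FORWARD_RULES="${FORWARD_RULES:-$SAMPLE_FORWARD_RULES}"

# Print the 1-based rule number of the first ACCEPT rule in a FORWARD listing
# (the position to insert at so the block rules precede it), or 1 if there is
# none. Only -A lines count; the -P policy line is not a rule.
insert_position() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / { n++; if (!found && /-j ACCEPT/) { print n; found = 1 } }
        END { if (!found) print 1 }'
}

# Emit one REJECT rule per blocked destination at the computed position.
# Inserting several rules at the same position reverses their relative order,
# which does not matter here because each matches a different destination.
# icmp-host-unreachable is one of the iptables --reject-with values.
block_destinations() {
    pos=$(insert_position "$FORWARD_RULES")
    for dest in $BLOCKED_DESTS; do
        $IPT -I FORWARD "$pos" -d "$dest" -j REJECT --reject-with icmp-host-unreachable
    done
}

block_destinations
```

With the sample listing the rules are inserted at position 2, ahead of the `-i eth1 -o eth0 -j ACCEPT` rule; rerun the script after any change to the block list rather than editing the live chain by hand. Note that on a 2.4 kernel the ipchains compatibility module and ip_tables cannot be loaded at the same time, so the block rules have to be written in whichever syntax the rest of the firewall script already uses; the two cannot be mixed in one running firewall.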
