Denying Access to Problem Sites Up Front


If some site is making a habit of scanning your machine or otherwise being a nuisance, you might decide to deny it access to everything, at least until the problem behavior is corrected.

One way to do this without editing the rc.firewall script each time is to keep the specific drop rules in a separate file. Because the rules are inserted at the head of the INPUT chain rather than appended, the site is blocked even if a later rule would otherwise grant it access to some service. The file is named /etc/rc.d/rc.firewall.blocked. To avoid a runtime error when the file is absent, check that it exists before sourcing it:

    # Refuse packets claiming to be from the banned list
    if [ -f /etc/rc.d/rc.firewall.blocked ]; then
        . /etc/rc.d/rc.firewall.blocked
    fi

An example of a global drop rule in the rc.firewall.blocked file is this:

    $IPT -I INPUT -i $INTERNET -s <address/mask> -j DROP

As an alternative to inserting the rules at the very beginning of the chain, where they are evaluated before the connection-state checks, the rules could be written as append rules and the file included in the spoofed-source-address section of the ruleset instead.

Any packet from this source address range is dropped, regardless of message protocol type or source or destination port.
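The following script is an added example, not code from the book, that generates the drop rules from a plain address list instead of hand-editing rc.firewall.blocked each time a site is banned. It reuses the $IPT and $INTERNET variable names from the rc.firewall conventions above; the list-file path (rc.firewall.blocked-list), its one-address-per-line format, and the insert/append mode switch are assumptions of this example. Setting IPT=echo gives a dry run that prints the rules without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the book): build DROP rules from a banned-address list.
# IPT and INTERNET follow the rc.firewall naming used on this page.
IPT="${IPT:-iptables}"
INTERNET="${INTERNET:-eth0}"
# Hypothetical list file: one "address/mask [comment]" per line, '#' lines ignored.
BLOCKED_LIST="${BLOCKED_LIST:-/etc/rc.d/rc.firewall.blocked-list}"

# block_rules LISTFILE [insert|append]
#   insert (default): -I puts the rule ahead of everything else in INPUT,
#                     so the site is dropped before any ACCEPT rule is reached.
#   append:           -A suits inclusion in the spoofed-source section, where
#                     the rule is evaluated after the state checks.
block_rules() {
    list="$1"
    mode="${2:-insert}"
    # Same existence check as the rc.firewall snippet: a missing file is not an error.
    [ -f "$list" ] || return 0
    case "$mode" in
        insert) flag="-I" ;;
        append) flag="-A" ;;
        *) echo "block_rules: unknown mode '$mode'" >&2; return 1 ;;
    esac
    # "|| [ -n "$addr" ]" also handles a last line with no trailing newline.
    while read -r addr comment || [ -n "$addr" ]; do
        case "$addr" in
            ''|'#'*) continue ;;            # skip blank lines and comments
        esac
        # Drop every packet from this source range regardless of protocol or port.
        $IPT "$flag" INPUT -i "$INTERNET" -s "$addr" -j DROP
    done < "$list"
}

# Stand-alone use: "sh block.sh --dry-run" prints the rules; without the flag
# it applies them from $BLOCKED_LIST with whatever $IPT points to.
if [ "${1:-}" = "--dry-run" ]; then
    IPT=echo
    block_rules "$BLOCKED_LIST"
elif [ "${1:-}" = "--apply" ]; then
    block_rules "$BLOCKED_LIST"
fi
```

Because the rules are regenerated from the list on every firewall start, removing a site is a matter of deleting its line; the existence check means the script, like the original snippet, runs cleanly on a machine that has no banned list at all.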




Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
Year: 2005
Pages: 163
Authors: Michael Rash