yonas abraham wrote:
hi,
I want to block a given IP from accessing my site, which is running
apache on a fully up-to-date FC3 machine.
I thought I would just put the IP in /etc/hosts.deny and restart the
machine. But it is not working. I can block access to sshd very
simply by adding the IP as sshd: IP and it works fine.
I wouldn't mind blocking every service to that IP in my machine but
preferably only httpd block.
thanks
yonas
I put this into a shell script to block the individual ports
# PORT must be set before calling these: 80 for httpd, 22 for sshd
PORT=${PORT:-80}

permit() {
    # I want to log just the start of the conversation (SYN only)
    /sbin/iptables -A INPUT -s ${1} -p tcp --dport ${PORT} --syn -j LOG \
        --log-level info --log-prefix "ssh permit: " \
        --log-ip-options
    /sbin/iptables -A INPUT -s ${1} -p tcp --dport ${PORT} -j ACCEPT
}

# Deny these sites access to my machine
deny() {
    /sbin/iptables -A INPUT -s ${1} -p tcp --dport ${PORT} -j LOG \
        --log-level alert --log-prefix "ssh deny: " --log-ip-options
    /sbin/iptables -A INPUT -s ${1} -p tcp --dport ${PORT} -j DROP
}
then I'd do this:
permit 10.0.0.0/8      # Local stuff
permit 172.16.0.0/12   # Local stuff
permit 192.168.0.0/16  # Local stuff
deny 0.0.0.0/0         # Deny everyone else
You can change that to deny site a.b.c.d (where site a.b.c.d is
an IP address with no mask) like this:
deny a.b.c.d
If you do that, make sure that you don't put deny 0.0.0.0/0 first:
order is important.
I'm pretty sure you will have questions. Ask them here so others
can learn also.
--
Linux Home Automation Neil Cherry ncherry@xxxxxxxxxxx
http://www.linuxha.com/ Main site
http://linuxha.blogspot.com/ My HA Blog
http://home.comcast.net/~ncherry/ Backup site
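A self-contained version of the same iptables approach, added here as an example and not part of Neil's message: it validates the address before it reaches iptables, scopes the rules to the web port only, and inserts the deny rules ahead of anything already in INPUT so the ordering problem above cannot bite. It assumes /sbin/iptables, port 80 by default, and a DRY_RUN variable (my own) that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: block one address (or CIDR range) from
# httpd only, using the same iptables approach as the reply above.
# Assumptions: iptables lives at /sbin/iptables, the web port is 80, and
# DRY_RUN=1 (a variable of this script) prints the rules instead of running them.
IPT=${IPT:-/sbin/iptables}

# Accept a dotted quad with an optional /prefix and reject anything else,
# so a typo such as "a.b.c.d" or "0.0.0.0/o" never reaches iptables.
valid_cidr() {
    addr=${1%/*}
    if [ "$addr" = "$1" ]; then prefix=32; else prefix=${1#*/}; fi
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only (no globbing below)
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the two rules for one source: a rate-limited LOG (a flood from the
# denied host then cannot fill /var/log/messages) followed by the DROP.
# Both are inserted at the top of INPUT (-I, positions 1 and 2) so they
# take effect ahead of any earlier "permit" rules; order is what matters.
deny_rules() {
    src=$1; port=${2:-80}
    printf '%s -I INPUT 1 -s %s -p tcp --dport %s -m limit --limit 5/min' "$IPT" "$src" "$port"
    printf ' -j LOG --log-level alert --log-prefix "httpd deny: " --log-ip-options\n'
    printf '%s -I INPUT 2 -s %s -p tcp --dport %s -j DROP\n' "$IPT" "$src" "$port"
}

# Validate, then either show the rules (DRY_RUN=1) or apply them (needs root).
apply_deny() {
    valid_cidr "$1" || { echo "apply_deny: bad address '$1'" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        deny_rules "$1" "$2"
    else
        deny_rules "$1" "$2" | sh -e
    fi
}

# Usage: DRY_RUN=1 ./deny-httpd.sh 203.0.113.5 [port]
if [ $# -gt 0 ]; then apply_deny "$@"; fi
```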