iptables - kako blokirati IP adresu?

Sve u vezi mreža i povezivanja na Internet

Moderator: Urednik

Post Reply

offline

Post Napisano: 13 Mar 2006, 09:48


Ovo pitanje ne znam vise gde nisam postavio...

Potrebno mi je da na serveru blokiram dinamicku IP adresu (recimo 157.58.33.2) tako da ne moze da ode na Internet!
Znam da se radi sa iptables, ali mi je potrebno da mi neko da mi napise celu komandu, jer nisam mogao da je provalim. Ako je moguce i objasnjenje iste.

Nemojte samo da mi kazete da pogledam man iptables

Hvala!



Prijatelj foruma
Prijatelj foruma
offline
User avatar

Posts: 189
Joined: 24 Feb 2006, 22:11
Location: Arandjelovac
Contact:

Post Napisano: 13 Mar 2006, 10:34


iptables -A OUTPUT -m owner --uid-owner 500

This packet match will match if the packet was created by the given User ID (UID). This could be used to match outgoing packets based on who created them. One possible use would be to block any other user than root from opening new connections outside your firewall. Another possible use could be to block everyone but the http user from sending packets from the HTTP port.

iptables -A OUTPUT -m owner --gid-owner 0

This match is used to match all packets based on their Group ID (GID). This means that we match all packets based on what group the user creating the packets is in. This could be used to block all but the users in the network group from getting out onto the Internet or, as described above, only to allow members of the http group to create packets going out from the HTTP port.



Prijatelj foruma
Prijatelj foruma
offline
User avatar

Posts: 189
Joined: 24 Feb 2006, 22:11
Location: Arandjelovac
Contact:

Post Napisano: 13 Mar 2006, 13:57


Jesi li pokusao nesto?

Mislim da ce ti ovo resiti sve muke:

http://www.fwbuilder.org/
Last edited by Dimitrije S. on 13 Mar 2006, 14:00, edited 1 time in total.



offline

Post Napisano: 14 Mar 2006, 09:46


Nisam nista pokusavao... Moram 100% da budem siguran da radi jer u suprotnom, ako ne mogu posle da je aktiviram, je*o sam jeza u ledja! ;)



Prijatelj foruma
Prijatelj foruma
offline
User avatar

Posts: 189
Joined: 24 Feb 2006, 22:11
Location: Arandjelovac
Contact:

Post Napisano: 14 Mar 2006, 10:00


Skini fwbuilder i pokusaj da ga instaliras, malo posla a moze sve da resi.

FWBuilder ovde
i
libFWBuilder ovde

Prvo ces morati da installiras libFWBuilder pa onda FWBuilder a sve ukupno nema ni 2 mb...
Last edited by Dimitrije S. on 14 Mar 2006, 10:01, edited 1 time in total.



offline

Post Napisano: 14 Mar 2006, 10:14


Sada cu da skinem ali cu prvo da se posavetujem sa onim likom, o kome sam ti pricao, da li zna preko iptables pa ako ne, onda ce ovo da radi definitivno!!!
Hvala jos jednom!



Prijatelj foruma
Prijatelj foruma
offline
User avatar

Posts: 189
Joined: 24 Feb 2006, 22:11
Location: Arandjelovac
Contact:

Post Napisano: 14 Mar 2006, 10:26


Nema problema  ;)
Kad god nešto zatreba ti javi, rado ćemo da pomognemo  ;D



offline

Post Napisano: 14 Mar 2006, 10:28


OK!
Poslacu odgovor kada mi lik kaze!



Prijatelj foruma
Prijatelj foruma
offline
User avatar

Posts: 189
Joined: 24 Feb 2006, 22:11
Location: Arandjelovac
Contact:

Post Napisano: 14 Mar 2006, 13:04


iptables -A OUTPUT -m owner --uid-owner 500 --reject-with icmp-host-unreachable

iptables - poziva iptables
-A - primenjuje na sve kompjutere u lancu
OUTPUT - odnosi se na izlazne komande/pakete
-m owner --uid-owner 500 - proverava da li su komande/paketi kreirani od strane odredjenog korisnika (u ovom slucaju tebe)
--reject-with icmp-host-unreachable - u tom slucaju odbija komande/pakete i vraca gresku korisniku koji je pokusao odredjenu akciju (icmp-host-unreachable je jedna od gresaka a moze se videti jos mogucnosti u man iptables).

Komanda se vraca u normalu brisanjem --reject-with icmp-host-unreachable i umesto nje ispisom allow!

Eto, to je neko moje objasnjenje komande koju sam sastavio iz man-a i tutorijala koje sam pronasao na internetu. Ne vidim zasto ne bi radila ali ako stvarno nemas mogucnost greske onda moras da pitas nekoga ko je to sigurno radio...



offline

Post Napisano: 15 Mar 2006, 08:39


iptables -A OUTPUT -m blokirana_adresa --uid blokirana_adresa 500 --reject with icmp-host-unreachable


Znaci, mesto owner sam stavljao adrese koje su blokirane (blokirana_adresa)
Sada sam probao ovo i sta kaze:

Couldn't load match `blokirana_adresa':/usr/lib/iptables/libipt_blokirana_adresa.so: cannot open shared object file: No such file or directory
Last edited by ferguson on 15 Mar 2006, 08:42, edited 1 time in total.


Post Reply

Who is online

Users browsing this forum: Alexa [Bot] and 2 guests