deny http access based on IP on FC3
Neil Cherry
ncherry at comcast.net
Mon Jan 23 17:09:37 UTC 2006
yonas abraham wrote:
> hi,
>
> I want to block a given IP from accessing my site, which is running
> apache on a fully up-to-date FC3 machine.
>
> I thought I would just put the IP in /etc/hosts.deny and restart the
> machine. But it is not working. I can block access to sshd very
> simply by adding the IP or sshd: IP and it works fine.
>
> I wouldn't mind blocking every service to that IP in my machine but
> preferably only httpd block.
>
> thanks
>
> yonas
>
I put this into a shell script to block the individual ports:
#!/bin/sh
# Port the rules apply to: 22 for sshd; set PORT=80 for httpd
PORT="${PORT:-22}"

permit() {
    # I want to log just the start of the conversation (the SYN packet)
    /sbin/iptables -A INPUT -s "$1" -p tcp --syn --dport "$PORT" -j LOG \
        --log-level info --log-prefix "ssh permit: " \
        --log-ip-options
    /sbin/iptables -A INPUT -s "$1" -p tcp --dport "$PORT" -j ACCEPT
}
# Deny these sites access to my machine (logs every packet, then drops it)
deny() {
    /sbin/iptables -A INPUT -s "$1" -p tcp --dport "$PORT" -j LOG \
        --log-level alert --log-prefix "ssh deny: " --log-ip-options
    /sbin/iptables -A INPUT -s "$1" -p tcp --dport "$PORT" -j DROP
}
then I'd do this:
permit 10.0.0.0/8 # Local stuff
permit 172.16.0.0/12 # Local stuff
permit 192.168.0.0/16 # Local stuff
deny 0.0.0.0/0 # Deny everyone else
You can change that to deny site a.b.c.d (where site a.b.c.d is
an IP address with no mask) like this:
deny a.b.c.d
If you do that, make sure that you don't put deny 0.0.0.0/0 first;
order is important.
I'm pretty sure you will have questions. Ask them here so others
can learn also.
--
Linux Home Automation Neil Cherry ncherry at linuxha.com
http://www.linuxha.com/ Main site
http://linuxha.blogspot.com/ My HA Blog
http://home.comcast.net/~ncherry/ Backup site
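An added example, not part of Neil's reply or anything else in this thread: the same iptables approach reduced to what yonas asked for, a script that denies a list of source addresses on one TCP port (80 for httpd), validates each address before emitting a rule, and can be dry-run without root by setting IPTABLES=echo. The function names (is_cidr, deny_port, deny_list) and the IPTABLES variable are this example's own, not anything from Fedora or iptables.

```shell
#!/bin/sh
# Added example, not Neil's script: deny a list of source addresses on one
# TCP port with iptables, validating each address first. The function
# names and the IPTABLES variable are this example's own. Set IPTABLES=echo
# to print the rules instead of applying them (no root needed).
IPTABLES="${IPTABLES:-/sbin/iptables}"

# is_cidr ADDR: succeed if ADDR is a.b.c.d or a.b.c.d/n (0 <= n <= 32)
is_cidr() {
    ip="${1%/*}"
    mask="${1#*/}"
    [ "$mask" = "$1" ] && mask=32          # no "/n" given: single host
    case "$mask" in ''|*[!0-9]*|???*) return 1;; esac
    [ "$mask" -le 32 ] || return 1
    rest="$ip."
    n=0
    while [ -n "$rest" ]; do               # walk the dotted octets
        o="${rest%%.*}"
        rest="${rest#*.}"
        n=$((n + 1))
        case "$o" in ''|*[!0-9]*|????*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# deny_port ADDR PORT: log the connection attempt (SYN only, so one log
# line per attempt rather than one per packet), then drop all of ADDR's
# traffic to PORT. Rules are appended (-A), so call this BEFORE any
# catch-all deny such as 0.0.0.0/0, or the catch-all matches first.
deny_port() {
    is_cidr "$1" || { echo "deny_port: bad address '$1'" >&2; return 1; }
    "$IPTABLES" -A INPUT -s "$1" -p tcp --syn --dport "$2" -j LOG \
        --log-level alert --log-prefix "port $2 deny: " --log-ip-options
    "$IPTABLES" -A INPUT -s "$1" -p tcp --dport "$2" -j DROP
}

# deny_list PORT ADDR...: deny every ADDR on PORT, stopping at the first
# address that fails validation so a typo never silently skips a rule
deny_list() {
    port="$1"
    shift
    case "$port" in
        ''|*[!0-9]*) echo "deny_list: bad port '$port'" >&2; return 1;;
    esac
    for src in "$@"; do
        deny_port "$src" "$port" || return 1
    done
}

# Usage (dry run): IPTABLES=echo sh deny-port.sh 80 192.0.2.10 198.51.100.0/24
# Usage (as root): sh deny-port.sh 80 192.0.2.10
if [ "$#" -ge 2 ]; then
    deny_list "$@"
fi
```

Why hosts.deny worked for sshd but not for httpd: tcp_wrappers only covers daemons linked against libwrap (sshd on FC3 is, Apache httpd is not), so httpd needs a packet-filter rule like the ones above. If Neil's deny 0.0.0.0/0 catch-all is already loaded, a later -A rule lands below it and never matches; in that case insert the specific deny at the top with `iptables -I INPUT 1 ...` instead of appending.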