
scott hafe
Resolved
0 votes
I'm new to ClearOS.

I have a goal to block a few sites. I want to block all packets to and from certain IPs.

I have added a website IP to the Egress Firewall... this has blocked being able to ping the website...

but in Chrome I can still browse...

I was recommended to add a custom rule... but couldn't figure it out. I spent the day trying to understand it but still no luck.

I tried commands like this:

iptables -A OUTPUT -d 151.101.126.217 -j DROP
iptables -A OUTPUT -d 72.66.115.14 -j DROP
iptables -I INPUT 1 -s 72.66.115.14 -j DROP
iptables -A INPUT -s 151.101.194.217 -j DROP

If someone could point me to somewhere with good documentation, maybe I can figure this out.

cheers

scott
Friday, April 13 2018, 03:09 AM
Responses (5)
  • Accepted Answer

    Saturday, April 14 2018, 08:39 AM - #Permalink
    Resolved
    0 votes
    In ClearOS, unless you've played around with your setup, you don't need to use "sudo". You can use the commands directly.

    If you do an "iptables -L" it attempts to resolve IPs into hostnames. This slows the listing down as it tries to do a reverse DNS lookup on every IP, and in this case your IP does not have a PTR record, so the reverse lookup returns a ".":
    [root@server ~]# host 198.144.176.60
    60.176.144.198.in-addr.arpa domain name pointer .

    A better way to do an iptables listing is with the -n switch which stops the reverse lookup. My preferred combination is "iptables -nvL", but if you do iptables listings on the forum, please paste it between "code" tags.

    I am not sure what you are saying about pasting. For a terminal I use PuTTY in Windows. To paste into it you just right-click, and to copy text you just select it.

    [edit]
    And just reading your posts again, in the custom firewall, please use "$IPTABLES" and not "iptables". At a minimum you must use "iptables -w". At the command line "iptables" is fine.
    [/edit]
  • Accepted Answer

    scott hafe
    Friday, April 13 2018, 07:56 PM - #Permalink
    Resolved
    0 votes
    It's funny, I had also tried that. I thought I was using the "-I" option wrong.

    I started to write another message to show what I was doing for more input....

    I think I figured out two things:
    If you paste the command and edit it, I think Windows puts in some character you can't see... and the command doesn't get accepted...
    It looks like if I put in an IP, say "198.144.176.60" (just a random LAMP server I have out on the net with no name)... sudo iptables -L shows a "." (that's a period) instead of an IP. That made me think I was doing it wrong...

    Well, using these three it seems to be blocking...
    iptables -I INPUT -s 198.144.176.60 -j DROP
    iptables -I FORWARD -d 198.144.176.60 -j DROP
    iptables -I OUTPUT -d 198.144.176.60 -j DROP

    Can anyone see anything wrong with how I did the above commands? I still don't see why I see a "." instead of an IP.

    but they seem to work!!!

    thanks for all your help Nick

    cheers

    Scott
  • Accepted Answer

    Friday, April 13 2018, 06:55 PM - #Permalink
    Resolved
    0 votes
    Be careful of rule ordering. You are putting your rules at the end of each chain. If there is any match higher up the chain then it takes precedence. For example the allow all out in the OUTPUT and FORWARD chains would take precedence. Use "-I" (upper case "i" not lower case "L") rather than -A. Custom firewall rules are applied very late in the firewall loading so should appear near the top if you use "-I".
  • Accepted Answer

    scott hafe
    Friday, April 13 2018, 06:07 PM - #Permalink
    Resolved
    0 votes
    I can't figure out why I can't get this to work. Reading basic iptables instructions, something like this should block all traffic:

    Tried this in the ClearOS module "custom firewall":
    iptables -A OUTPUT -d 9.9.9.9 -j DROP
    iptables -A FORWARD -d 9.9.9.9 -j DROP
    iptables -A INPUT -s 9.9.9.9 -j DROP

    I also tried:
    iptables -A FORWARD -s 10.0.0.1 -d 9.9.9.9 -j DROP
    iptables -A INPUT -d 10.0.0.1 -s 9.9.9.9 -j DROP
    iptables -A OUTPUT -s 10.0.0.1 -d 9.9.9.9 -j DROP

    When I do a sudo iptables -L I get these lines listed:

    INPUT
    DROP all -- dns.quad9.net gateway.sciencetech-inc.com

    FORWARD
    DROP all -- anywhere dns.quad9.net

    OUTPUT
    DROP all -- gateway.sciencetech-inc.com dns.quad9.net

    But I can always still ping 9.9.9.9, and for fun I can also ping dns.quad9.net.

    Could it be that I have antimalware and intrusion protection installed and they are somehow bypassing the custom firewall iptables rules?

    Any help would be great.

    cheers
  • Accepted Answer

    Friday, April 13 2018, 09:42 AM - #Permalink
    Resolved
    0 votes
    Key to this is understanding the firewall concepts. The INPUT chain is for traffic destined for ClearOS and the OUTPUT chain from ClearOS. The FORWARD chain is for traffic in both directions Internet <--> LAN through ClearOS.

    If you are not running the proxy or content filter, just about all traffic to and from the LAN needs to be blocked in the FORWARD chain. If you use the proxy or content filter then the traffic counts as coming from ClearOS as that is where the last processing was done. In that case you would block either the INPUT or OUTPUT chain (or both) except this is a really bad example as you would, in reality, block it in the content filter.
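    The two points made in the replies above (which chain a packet traverses on the gateway, and why "-A" rules placed after an "allow all out" rule never fire while "-I" rules do) can be seen in a small model of netfilter chain traversal. The following is an added example written for this thread, not ClearOS or netfilter code; the gateway address 10.0.0.1, the LAN client 10.0.0.50 and the pre-existing "allow all" rules in FORWARD and OUTPUT are assumptions made to reproduce the situation described in the posts.

```python
"""Toy model of how iptables chooses a chain and evaluates rules top-down.

Constructed example for this thread, not ClearOS or netfilter code. It
models three things described in the replies: which built-in chain a
packet traverses (INPUT = destined for ClearOS, OUTPUT = originated by
ClearOS, FORWARD = routed LAN <--> Internet), first-match evaluation within
a chain, and the difference between "-A" (append) and "-I" (insert at top).
The gateway address and the pre-existing "allow all out" rules are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GATEWAY = "10.0.0.1"  # assumed address of the ClearOS box itself
ANY = "0.0.0.0/0"     # how "iptables -n" prints an unrestricted address


@dataclass
class Rule:
    target: str                 # verdict, e.g. ACCEPT or DROP
    src: Optional[str] = None   # None means "any source" (-s omitted)
    dst: Optional[str] = None   # None means "any destination" (-d omitted)

    def matches(self, src: str, dst: str) -> bool:
        return self.src in (None, src) and self.dst in (None, dst)

    def listing(self) -> str:
        # Mirrors one line of "iptables -nL": numeric, no reverse DNS lookup
        return f"{self.target} all -- {self.src or ANY} {self.dst or ANY}"


@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"                       # verdict when nothing matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:        # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I CHAIN [pos] ...
        self.rules.insert(pos - 1, rule)

    def verdict(self, src: str, dst: str) -> str:
        # First matching rule wins; rules further down are never consulted.
        for rule in self.rules:
            if rule.matches(src, dst):
                return rule.target
        return self.policy


def select_chain(src: str, dst: str, local: str = GATEWAY) -> str:
    """Which built-in filter chain a packet traverses on the gateway."""
    if dst == local:
        return "INPUT"
    if src == local:
        return "OUTPUT"
    return "FORWARD"


def build_default_firewall() -> Dict[str, Chain]:
    """Assumed baseline: earlier rules already allow everything out."""
    fw = {name: Chain(name) for name in ("INPUT", "FORWARD", "OUTPUT")}
    fw["INPUT"].policy = "DROP"           # unsolicited inbound dropped by default
    fw["FORWARD"].append(Rule("ACCEPT"))  # the "allow all out" rule for the LAN
    fw["OUTPUT"].append(Rule("ACCEPT"))   # the "allow all out" rule for ClearOS
    return fw


def add_block_rules(fw: Dict[str, Chain], blocked: str, mode: str) -> None:
    """Add the three DROP rules from the thread with -A (append) or -I (insert)."""
    placements = (("INPUT", Rule("DROP", src=blocked)),
                  ("FORWARD", Rule("DROP", dst=blocked)),
                  ("OUTPUT", Rule("DROP", dst=blocked)))
    for chain, rule in placements:
        if mode == "-A":
            fw[chain].append(rule)
        elif mode == "-I":
            fw[chain].insert(rule)
        else:
            raise ValueError(f"unknown mode {mode!r}")


def verdicts_after(mode: str, blocked: str = "9.9.9.9") -> Dict[str, str]:
    """Verdict for three constructed packets after loading the block rules."""
    fw = build_default_firewall()
    add_block_rules(fw, blocked, mode)
    packets: Dict[str, Tuple[str, str]] = {
        "lan_host_to_blocked": ("10.0.0.50", blocked),  # a LAN client browsing
        "gateway_to_blocked": (GATEWAY, blocked),        # ping from ClearOS itself
        "blocked_to_gateway": (blocked, GATEWAY),        # inbound from the blocked host
    }
    return {name: fw[select_chain(s, d)].verdict(s, d)
            for name, (s, d) in packets.items()}


def listing(mode: str, blocked: str = "9.9.9.9") -> Dict[str, List[str]]:
    """Numeric listing of every chain, like "iptables -nL", after loading the rules."""
    fw = build_default_firewall()
    add_block_rules(fw, blocked, mode)
    return {name: [r.listing() for r in chain.rules] for name, chain in fw.items()}


if __name__ == "__main__":
    for mode in ("-A", "-I"):
        print(mode, verdicts_after(mode))
        for chain, lines in listing(mode).items():
            print(f"  Chain {chain}")
            for line in lines:
                print("   ", line)
```

    Running it shows the symptom from the thread: with "-A" the LAN client's packet and the gateway's own ping both hit the earlier ACCEPT in FORWARD and OUTPUT and are let through, while with "-I" the DROP sits at the top of each chain and wins. The listing function prints addresses numerically, the way "iptables -nL" does, so there is no "." standing in for a host with no PTR record.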