Mailing List Archive



Re: [tlug] iptable blocking IP addresses



On Sun, Feb 22, 2004 at 06:57:48PM -0800, Gerald Naughton wrote:

>IPCOP uses iptables and I can't see in the docs
>on how to stop scanning etc

You can't stop scanning per se, at least not without disconnecting the
hosts doing the scanning.  You can, however, refuse all connections
from a host or range of hosts.   What you want to do is just refuse all
packets coming from China-Net IP addresses.

If you have a very small set of IP addresses from which you wish to accept
traffic, a simpler and more secure approach is to define the addresses
from which you will accept traffic, and refuse everything that doesn't
come from there.

I'm not familiar with IPCOP, but it may also have detection features that
will allow it to detect a port scan and refuse all traffic from the IP
address(es) that are doing the scan.  Look for that in the docs or google
for ways to do it.  You can also use that approach in conjunction with
a flat ban: refuse all China-Net traffic and in addition, refuse all
traffic from addresses that do port scanning.  IIRC Snort has this capability,
so I would bet that IPCOP probably has it too.

Jonathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys ACC46EF9
Key fingerprint = E52E 8153 8F37 74AF C04D  0714 364F 540E ACC4 6EF9
"99 pounds of natural-born goodness, 99 pounds of soul!"

Attachment: signature.asc
Description: Digital signature
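
The two approaches in the reply above (a flat ban on a source range, and accepting only a short list of sources while refusing everything else), as an added example that is not part of the original message. The function names, the sample addresses (RFC 5737 documentation ranges), the loopback and conntrack rules, and the restriction to the INPUT chain are assumptions of this sketch, not IPCop's own configuration.

```shell
#!/bin/sh
# Added example: prints iptables commands for review; it does not run them.
# Assumption: only the INPUT chain (traffic addressed to the firewall itself).

# Constructed sample sources from the RFC 5737 documentation ranges.
BLOCKED="203.0.113.0/24 198.51.100.0/24"
ALLOWED="192.0.2.10 192.0.2.11"

# Shape check: dotted quad with an optional /0-32 prefix, so a typo or stray
# shell text in the list never reaches a rule.
valid_src() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Validate every argument before anything is printed (no partial rulesets).
check_all() {
    for src in "$@"; do
        valid_src "$src" || { echo "bad source: $src" >&2; return 1; }
    done
}

# Flat ban: insert at the top of INPUT so the DROP is reached before any
# ACCEPT rule already in the chain.
gen_blocklist() {
    check_all "$@" || return 1
    for src in "$@"; do
        echo "iptables -I INPUT 1 -s $src -j DROP"
    done
}

# Allowlist: accept the listed sources, loopback, and replies to connections
# the firewall opened itself; the DROP policy goes last so the accept rules
# exist before it takes effect.
gen_allowlist() {
    check_all "$@" || return 1
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A INPUT -s $src -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

# Word splitting of the lists is intentional here.
echo "# flat ban";                    gen_blocklist $BLOCKED
echo "# allowlist with default drop"; gen_allowlist $ALLOWED
```

On a gateway, traffic routed to internal hosts traverses FORWARD rather than INPUT, so the same source matches would be needed there as well.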

