iptables and whitelist

I'm using the iptables option in BlockHosts.
In /etc/hosts.allow, I have several addresses whitelisted at the top:
ALL: 127.0.0.1 : allow
ALL: 192.168.0.5 : allow
However, if I ssh to 127.0.0.1, and fail enough times, BlockHosts adds it to the list of blocked addresses in iptables.
From what I can tell, if you are just using tcpwrappers, this is ok since the allow comes first, and they won't be blocked. But in iptables, it's now going to block all traffic from localhost. Perhaps the script should be modified to look at the whitelist in /etc/hosts.allow, or have its own whitelist in its config file?

-----

I've temporarily fixed the problem by adding this to /etc/rc.local:

# -I inserts at the top of INPUT, so the ACCEPT is matched before any DROP (-L only lists a chain)
iptables -I INPUT -s 127.0.0.1 -j ACCEPT
iptables -I INPUT -s 192.168.0.254 -j ACCEPT

If you add a section in blockhost.cfg to whitelist hosts, after flushing the existing rules, and before blocking anything, you can just run:

iptables -I blockhosts -s $ip_address -j ACCEPT

Even if there are lines after that to drop it, the accept will be hit first, and the remaining lines ignored.
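The ordering argument above (an ACCEPT placed ahead of any DROP is matched first, and the later DROP for the same address is never reached) can be checked without touching a live firewall. The following is an added example, not code from the thread or from BlockHosts: it builds the rule list for a hypothetical chain, renders it as iptables commands, and simulates netfilter's first-match evaluation. The whitelist entries, the chain name and the blocked addresses are constructed sample values; the whitelist also generalizes the post's single hosts to a /24 subnet.

```python
import ipaddress

# Constructed sample values: addresses to whitelist (a /24 covers both hosts
# named in the thread) and addresses BlockHosts has decided to block
WHITELIST = ["127.0.0.1", "192.168.0.0/24"]
BLOCKED = ["127.0.0.1", "203.0.113.7", "198.51.100.20"]

def build_rules(whitelist, blocked):
    """Ordered (network, target) list: every ACCEPT for the whitelist comes
    before any DROP, so a whitelisted host that also ends up in the blocked
    list is still accepted by the first match."""
    rules = [(ipaddress.ip_network(entry), "ACCEPT") for entry in whitelist]
    rules += [(ipaddress.ip_network(entry), "DROP") for entry in blocked]
    return rules

def render_commands(chain, rules):
    """Render the chain as iptables commands.  The chain is flushed first and
    rules are appended (-A) in list order, which reproduces the ordering above.
    (-L only lists a chain; to prepend a single rule to a live chain, use -I.)"""
    cmds = [f"iptables -F {chain}"]
    cmds += [f"iptables -A {chain} -s {net.with_prefixlen} -j {target}"
             for net, target in rules]
    return cmds

def verdict(rules, addr, default="ACCEPT"):
    """Simulate netfilter first-match evaluation for one source address:
    the first rule whose network contains the address decides."""
    ip = ipaddress.ip_address(addr)
    for net, target in rules:
        if ip in net:
            return target
    return default

if __name__ == "__main__":
    rules = build_rules(WHITELIST, BLOCKED)
    print("\n".join(render_commands("blockhosts", rules)))
    for a in ("127.0.0.1", "192.168.0.254", "203.0.113.7", "10.9.8.7"):
        print(a, "->", verdict(rules, a))
```

Running it shows 127.0.0.1 accepted even though a DROP for it sits further down the chain, while 203.0.113.7 is dropped; the same simulation is a cheap sanity check before committing a generated rule set to rc.local.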

correct, whitelisting is not supported in blockhosts

As you guessed, all whitelisting has to be done externally to blockhosts - so for TCP Wrappers, the :allow line in the hosts.allow file is required, and for iptables or ip route, scripts may need to be run on boot-up, as you did with rc.local.

This certainly is work that is outside of blockhosts configuration, and does require rc.local edits, but it also allows for better whitelisting - one could whitelist entire subnets, ranges of IP addresses, etc., all of which would be very difficult for blockhosts to do and it would duplicate functionality existing in iptables (especially for permanent, static IP lists such as whitelists).
Just as hosts.allow mechanisms are used for whitelisting TCP Wrapped services, it might be best for iptables/ip route mechanisms to be used for whitelisting too.

Will document this issue with the next release of blockhosts.

available in 2.1.0+

Blockhosts now has built-in whitelisting and blacklisting available, from version 2.1.0 onwards.

The whitelisting does not add rules that force a rule to accept or allow network access; instead, whitelisted addresses (or regular expressions) will never be blocked by any rule that blockhosts.py produces. This essentially means that any IP address that is in the whitelist will never be entered in the blocked list by blockhosts.py. Conversely, IP addresses in the blacklist will be immediately added to the blocked list by blockhosts.py.
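The 2.1.0 semantics described above are a filter on the blocked list rather than a firewall rule: whitelisted entries are dropped from the candidates before anything is written, and blacklisted entries are added regardless of failure count. The following added example (not blockhosts.py's own code) models that decision for a constructed set of failed-login counts. The list syntax, the threshold, and the rule that plain dotted addresses are escaped while other entries are treated as regular expressions are assumptions for this illustration; the announcement does not say how blockhosts distinguishes the two.

```python
import re

# Constructed sample input: failed-login counts a log scan might have produced
FAILURES = {"127.0.0.1": 12, "192.168.0.5": 9, "203.0.113.7": 4, "198.51.100.20": 8}
# Constructed whitelist: plain addresses or regular expressions (hypothetical syntax)
WHITELIST = ["127.0.0.1", r"192\.168\.0\.\d+"]
# Constructed blacklist: blocked regardless of how many failures were seen
BLACKLIST = ["203.0.113.9"]
THRESHOLD = 7  # failures needed before an address is blocked (constructed value)

_PLAIN_IP = re.compile(r"^[0-9.]+$")

def to_regex(entry):
    """A plain dotted address is escaped so its dots match literally; anything
    else is taken as a regular expression (assumed convention).  Without the
    escape, '10.0.0.1' would also match '10a0b0c1' and the whitelist would be
    wider than intended."""
    return re.escape(entry) if _PLAIN_IP.match(entry) else entry

def matches(entries, addr):
    """True if addr is fully matched by any whitelist/blacklist entry."""
    return any(re.fullmatch(to_regex(e), addr) for e in entries)

def blocked_list(failures, whitelist, blacklist, threshold):
    """Compute the addresses a 2.1.0-style run would put in its blocked list.

    Whitelisted addresses are never blocked, even with many failures or a
    blacklist entry (the announcement says 'never', so the whitelist wins).
    Blacklisted addresses are blocked immediately; everyone else needs at
    least `threshold` failures."""
    blocked = set()
    for addr in blacklist:
        if not matches(whitelist, addr):
            blocked.add(addr)
    for addr, count in failures.items():
        if count >= threshold and not matches(whitelist, addr):
            blocked.add(addr)
    return sorted(blocked)

if __name__ == "__main__":
    print(blocked_list(FAILURES, WHITELIST, BLACKLIST, THRESHOLD))
```

With the constructed input, 127.0.0.1 and 192.168.0.5 are excluded despite exceeding the threshold, 203.0.113.7 is below it, 198.51.100.20 is blocked on count, and 203.0.113.9 is blocked on the blacklist alone. Anchoring with fullmatch matters: a regex that matches a prefix of an address would silently whitelist far more than the operator intended.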