Hi,
I use iptables based firewall and now I set up blockhosts. The problem is that when blockhosts creating the rule to the INPUT chain it uses --append. In my case the deafult policy for INPUT is DROP and there are a number of rules which allow access to the services hosted on the server. Because blockhosts rule was appended to the INPUT chain as the last rule it did not fulfill the functions.
What I did is that I modified the blockhosts.py file so that it inserts the rule before the first one in INPUT chain.
On version 2.3.1 it is in line 861. It should look like this:
cmd = path + " --insert INPUT 1 -j %s" % chain
Hope this helps to someone!
Daniel
Travel Travel reports, it is all about food
Montreal: Schwartz's, Le Petit Alep
Albums: Pictures and some notes
ITRANS Song Book Hindi, Urdu, Marathi song lyrics
Online ITRANS Web Interface
BlockHosts block hosts
BlockHosts FAQ
BlockHosts Forum
CD Inserts & Envelopes Web Interface
Nisha Ganatra's Films
Cake: starring Heather Graham
Email: avinash@aczoom.com
Copyright © 1995-2016 Avinash Chopde, avinash@aczoom.com
Forward chain
Hey, thanks for this info, it was very useful.
If you also want to add the rules to the FORWARD chain as well, at line 860 replace this:
Log.Info(" ... creating jump from INPUT to %s chain" % chain) cmd = path + " --append INPUT -j %s" % chain (waitstatus, output) = _do_cmd(cmd, dry_run, 0) if waitstatus != 0: returnwith this:
Log.Info(" ... creating jump from INPUT to %s chain" % chain) #cmd = path + " --append INPUT -j %s" % chain cmd = path + " --insert INPUT 1 -j %s" % chain (waitstatus, output) = _do_cmd(cmd, dry_run, 0) if waitstatus != 0: return Log.Info(" ... creating jump from FORWARD to %s chain" % chain) cmd = path + " --insert FORWARD 1 -j %s" % chain (waitstatus, output) = _do_cmd(cmd, dry_run, 0) if waitstatus != 0: returnthen refresh your iptables rules and run the blockhosts script again.
added this feature
Looks like it might be better for the default behavior of blockhosts to add itself as the first rule since that would work either case: when the default policy for INPUT chain is DROP or when it is ACCEPT.
Additionally, might as well add the blocking for the FORWARD chain too.
Both these changes are available in versions 2.4 or later from the Blockhosts Download page.