Setup IP blocklist on Centos between 2 network cards

kilko
Posts: 34
Joined: 2009/06/03 08:25:28
Location: Norway

Setup IP blocklist on Centos between 2 network cards

Post by kilko » 2011/11/12 00:02:31

Hi,

I run CentOS 5.5.
The system has 3 network cards.

dmesg:
e1000e: eth2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
(webshop says model: EXPI9301CTBLK)

And 2 additional cards that are not connected yet.


I want to use eth1 and eth3 as IN/OUT for blocking certain IP addresses (i.e. peer blocking).

Has anyone configured this? What tools are best to use?

(I'm ready to start digging/reading, but I need to know where to start digging. :)

milosb
Posts: 661
Joined: 2009/01/18 00:39:15
Location: 44 49′14″N 20 27′44″E

Re: Setup IP blocklist on Centos between 2 network cards

Post by milosb » 2011/11/12 18:58:24

From your scarce description of what exactly you're trying to do, all I can suggest is iptables, and in that respect you may want to take a look at the TUV Deployment Guide: iptables
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html-single/Deployment_Guide/index.html#ch-fw

Hope this helps.

kilko
Posts: 34
Joined: 2009/06/03 08:25:28
Location: Norway

Re: Setup IP blocklist on Centos between 2 network cards

Post by kilko » 2011/11/12 20:51:55

Thanks for the heads-up about iptables.
I do know some of the ways around iptables...

...but I'm not familiar with how I can set up iptables to block 2,301,808,963 IPs (and counting...).

My goal is to have the same functionality that the software "PeerBlock 1.0+" gives me on Windows, using a CentOS box.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Setup IP blocklist on Centos between 2 network cards

Post by TrevorH » 2011/11/12 21:07:08

You probably want to investigate something called ipsets, which works hand in hand with iptables and is much more efficient. This is not currently available for CentOS 5, but I am about to try to get this into ELRepo. If you are comfortable with building your own RPMs then there is a set of SRPMs attached to an ELRepo ticket that I have modified to allow ipsets to be used on CentOS 5. Red Hat are in the process of adding ipset support to RHEL 6.2 (it's in the beta). I do have a more recent build of the ipset SRPMs that contain init scripts for ipsets so that the contents can be saved/restored across reboots, but there are no code changes to the set that are on ELRepo ticket 000083.
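The ipset + iptables combination described above, as an added example that is not part of the thread: a POSIX shell script that converts a PeerBlock-style p2p blocklist (lines of the form `Name:first-last`) into `ipset restore` input for a `hash:net` set, and prints the iptables rules that apply the set to traffic forwarded between two NICs. Assumptions, none of which come from the thread: ipset 6.x command syntax (`create`/`add`, `hash:net`, `-m set --match-set`) as in RHEL 6.2+, eth1 as the LAN side and eth3 as the WAN side, the set name `blocklist`, and a constructed three-line sample list.

```shell
#!/bin/sh
# Added example (not from the thread). Turns a PeerBlock/p2p blocklist into
# an ipset "hash:net" set and prints the iptables rules that drop matching
# traffic forwarded between two NICs. Assumes ipset 6.x syntax and xt_set.

# Dotted-quad <-> 32-bit integer helpers.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Split an inclusive IP range into the minimal list of CIDR blocks, one per
# line. hash:net stores prefixes, so "10.0.0.1-10.0.0.5" becomes three blocks.
range2cidr() {
    s=$(ip2int "$1"); e=$(ip2int "$2")
    while [ "$s" -le "$e" ]; do
        bits=32
        # Widen the prefix while the block stays aligned and inside the range.
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))
            [ $(( s % size )) -eq 0 ] && [ $(( s + size - 1 )) -le "$e" ] || break
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$s")/$bits"
        s=$(( s + (1 << (32 - bits)) ))
    done
}

# Convert p2p-format lines ("Name:first-last") on stdin into "ipset restore"
# input for the named set. Blank lines and "#" comments are skipped.
# maxelem is raised because a PeerBlock-size list yields far more than the
# default 65536 entries; every entry costs kernel memory, so size it to fit.
p2p_to_ipset_restore() {
    set_name=$1
    echo "create $set_name hash:net family inet hashsize 65536 maxelem 4000000"
    tr -d '\r' | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        range=${line##*:}            # the list name may itself contain colons
        start=${range%-*}; end=${range#*-}
        range2cidr "$start" "$end" | while IFS= read -r net; do
            echo "add $set_name $net"
        done
    done
}

# iptables rules: drop forwarded packets whose destination (LAN -> WAN) or
# source (WAN -> LAN) is in the set, logging a rate-limited sample first.
# The box must actually forward between the two NICs (net.ipv4.ip_forward=1
# for a routed setup, or bridge-nf-call-iptables=1 if eth1/eth3 are bridged),
# otherwise the FORWARD chain never sees the traffic.
gen_iptables_rules() {
    lan=$1; wan=$2; set_name=$3
    cat <<EOF
iptables -N PEERBLOCK
iptables -A PEERBLOCK -m limit --limit 10/min -j LOG --log-prefix "peerblock: "
iptables -A PEERBLOCK -j DROP
iptables -I FORWARD -i $lan -o $wan -m set --match-set $set_name dst -j PEERBLOCK
iptables -I FORWARD -i $wan -o $lan -m set --match-set $set_name src -j PEERBLOCK
EOF
}

# Stand-alone demo on a constructed three-entry list (not a real blocklist).
# Real use: p2p_to_ipset_restore blocklist < list.p2p > /tmp/blocklist.ipset
#           ipset -exist restore < /tmp/blocklist.ipset
#           gen_iptables_rules eth1 eth3 blocklist | sh
p2p_to_ipset_restore blocklist <<'EOF'
# constructed sample in PeerBlock p2p format
Example Org:10.0.0.1-10.0.0.5
Example Net:192.0.2.0-192.0.3.255
Single host:198.51.100.7-198.51.100.7
EOF
gen_iptables_rules eth1 eth3 blocklist
```

Matching against a hash:net set is a hash lookup per packet regardless of how many entries the set holds, which is the efficiency gain over a chain of millions of individual iptables rules. Re-running the restore with `ipset -exist` after refreshing the list keeps the set in place without touching the iptables rules.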

kilko
Posts: 34
Joined: 2009/06/03 08:25:28
Location: Norway

Re: Setup IP blocklist on Centos between 2 network cards

Post by kilko » 2011/11/12 21:35:30

Unfortunately I do not know so much about building RPMs.
Google... if I can follow a cookbook like this: http://www.lamolabs.org/blog/164/centos-rpm-tutorial-1/ - would that be sufficient?

If this ipset blocking is/will be available in CentOS 6, I just might consider upgrading soon. :-)

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Setup IP blocklist on Centos between 2 network cards

Post by TrevorH » 2011/11/12 22:01:31

The guide you pointed to is rather more complicated than I was proposing. You would need to perform step 1 from that, but rebuilding previously built SRPMs is rather easier: you just run `rpm --install whatever.src.rpm`, then `rpmbuild -bb whatever.spec`, then solve all the missing dependencies for packages that the build requires and repeat until it works!
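The install/build/fix-dependencies/repeat loop described above, as an added shell example that is not from the thread. It assumes an EL5-style system where `rpm -i` unpacks the SRPM into `%{_topdir}` (/usr/src/redhat on CentOS 5 unless ~/.rpmmacros overrides it), that `yum` can resolve the names rpmbuild reports as missing, and it uses the placeholder `whatever.src.rpm` from the post; the sample rpmbuild output in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild a binary RPM from an SRPM and
# iterate on rpmbuild's missing-BuildRequires report until the build succeeds.
# Assumes rpm/yum/rpmbuild on an EL5-style system; package names are placeholders.

# Pull package names out of rpmbuild's failure report on stdin. The report
# looks like:
#   error: Failed build dependencies:
#           libfoo-devel >= 1.2 is needed by whatever-1.0-1.el5.x86_64
# The first token of each "is needed by" line is the name yum should install.
missing_build_deps() {
    awk '/ is needed by / { print $1 }' | LC_ALL=C sort -u
}

# Locate the .spec file the SRPM installs, relative to rpm's %{_topdir}.
spec_path_for() {
    topdir=$(rpm --eval '%{_topdir}')
    spec=$(rpm -qpl "$1" 2>/dev/null | grep '\.spec$' | head -n 1)
    [ -n "$spec" ] || return 1
    echo "$topdir/SPECS/$spec"
}

# Install the SRPM, then build; on a failed-dependency error install the
# reported packages with yum (needs root) and retry, up to a fixed number of
# attempts so a dependency yum cannot resolve does not loop forever.
rebuild_srpm() {
    srpm=$1; max_tries=${2:-5}
    rpm -i "$srpm" || return 1
    spec=$(spec_path_for "$srpm") || return 1
    n=0
    while [ "$n" -lt "$max_tries" ]; do
        n=$(( n + 1 ))
        if out=$(rpmbuild -bb "$spec" 2>&1); then
            echo "built OK; packages are under $(rpm --eval '%{_rpmdir}')"
            return 0
        fi
        deps=$(printf '%s\n' "$out" | missing_build_deps)
        if [ -z "$deps" ]; then
            # Not a dependency problem: show the tail of the build log and stop.
            printf '%s\n' "$out" | tail -n 20
            return 1
        fi
        echo "attempt $n: installing build dependencies: $deps"
        yum -y install $deps || return 1   # unquoted: one argument per package
    done
    echo "giving up after $max_tries attempts" >&2
    return 1
}

# Usage: sh rebuild.sh whatever.src.rpm
# With no argument the file only defines the functions (handy for sourcing).
if [ $# -gt 0 ]; then
    rebuild_srpm "$1"
fi
```

The cap on attempts matters: a BuildRequires that no enabled repository provides would otherwise make the loop re-run rpmbuild forever, and the tail of the build log is what you need when the failure is a compile error rather than a missing package.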

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Setup IP blocklist on Centos between 2 network cards

Post by pschaff » 2011/11/15 01:03:33

kilko wrote:
    ...
    I run CentOS 5.5.

Before embarking on building RPMs you should first "yum update" to get up to the current/supported release 5.7. You may then want to read about How to Rebuild a Source RPM: http://wiki.centos.org/HowTos/RebuildSRPM
