Iptables and Stupidity

Sometimes I’m an idiot.  Here’s proof…

My wife has been having occasional trouble sending email to a business associate through our server to AOL.  So this evening I sat down to figure out what the problem was.  I spent some time googling on “aol connection problems” and the like, eventually getting to an AOL web page for mail administrators.

While reading this and running tests (which were showing problems), my daughter sat down at one of the computers.  “Can you turn my connection back on?” she asked.  I had implemented a cronjob to control her access to the net via iptables.  It blocks only her favorite places at 6pm (homework time), leaving other things alone so my wife can still use the computer and our daughter can do homework-related internet stuff if necessary.  Her favorites include Livejournal and AIM … :shock:

AIM as in AOL Instant Messenger.  GAH!

I’m such an idiot.  I had been sloppy and blocked all ports.  A quick rewrite of the script to only block port 80 did the job.  Since her computer is proxied through the server, AIM uses port 80 instead of its usual port, so this gets the job done.

Next week we’ll learn how to kill an ecommerce site with a simple typo in .htaccess.

2 Responses to “Iptables and Stupidity”

  1. polarizers 2cent Says:

    You don't need a cronjob to restrict access via iptables on a time basis. There are additional modules that will do the job. Check out here[1] the time based rules.

    And yes – I know the way to shoot into your own knee (German idiom).

    [1] http://www.wbglinks.net/pages/reads/wbgreads/chainstables/chainstables05.html

    polarizers 2cent
    http://www.codixx.de/polarizers.html
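As an added example (not code from the post or from either commenter): the host-scoped, port-scoped block the post ends up with, written with the iptables time match the comment above points to, so no cronjob has to flip rules on and off. The child's address, the LAN interface, the chain and the 18:00–21:00 window are constructed assumptions; the script prints the iptables commands by default and only applies them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the post. Assumptions (constructed): the child's
# machine is 192.168.1.50 on eth0, traffic is routed through the FORWARD
# chain, and homework time is 18:00-21:00 local time.
# IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply.

KID_HOST="${KID_HOST:-192.168.1.50}"
LAN_IF="${LAN_IF:-eth0}"
CHAIN="${CHAIN:-FORWARD}"
START="${START:-18:00}"
STOP="${STOP:-21:00}"
IPT="${IPT:-echo iptables}"

# The over-broad rule from the post: every port from that host. This is what
# also cut off the traffic proxied through the server on other ports.
broad_rule() {
    printf '%s\n' "-A $CHAIN -i $LAN_IF -s $KID_HOST -j DROP"
}

# The narrow rule: only TCP/80, only from that host, only inside the window.
# --kerneltz makes xt_time read the window in the kernel's local timezone
# rather than UTC. tcp-reset fails the browser fast instead of hanging it.
narrow_rule() {
    printf '%s\n' "-A $CHAIN -i $LAN_IF -s $KID_HOST -p tcp --dport 80 -m time --timestart $START --timestop $STOP --kerneltz -j REJECT --reject-with tcp-reset"
}

# Sanity check before applying: a rule meant to be scoped must name both a
# source host and a destination port, otherwise it is the broad mistake again.
rule_is_scoped() {
    case "$1" in
        *"-s $KID_HOST"*"--dport "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply (or print) a rule, refusing anything that fails the scope check.
apply_rule() {
    if rule_is_scoped "$1"; then
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPT $1
    else
        echo "refusing to apply unscoped rule: $1" >&2
        return 1
    fi
}

# Usage: the broad rule is rejected, the narrow one is printed (or applied).
apply_rule "$(broad_rule)" || true
apply_rule "$(narrow_rule)"
```

A rule with the time match stays loaded permanently and simply stops matching outside the window, so there is no cron edge where a failed job leaves the block stuck on or off; `iptables -L FORWARD -v -n` shows the time window next to the rule, which is the quickest way to confirm what is actually in effect.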

  2. Rossz Says:

    Thanks for the info.  I compiled a new kernel today (2.6.13) with the time module for iptables, along with a few other goodies I ran across.  I especially like the geoip module.  I added this rule to deal with Asian hackers and spammers:

    iptables -A INPUT -m multiport -p tcp --destination-port 22,25 -m geoip --source-country CN,KR,TW -j TARPIT

    The TARPIT target is to take care of the ssh bots that occasionally slam my system.  I plan on adding this to my company’s ecommerce server in the near future due to the huge number of brute force attempts on ssh.  One day alone had over 100,000 tries.