He may not have iptables in the 2.2 kernel, but there have been some backports available for quite some time.

The confusion about his use of hosts.deny is that it typically only affects services that are run through inetd. SMTP services are typically handled by a daemon like sendmail and you'd have to deny service to those IPs in THAT software, not via tcp wrappers support in inetd.

All of the advice is correct -- use a real packet filter like ipchains or iptables if you want to deny service to a particular host's ports.

Nate

On Feb 12, 2004, at 9:53 AM, Hulatt, Jon wrote:

> I would strongly strongly recommend you use iptables instead. You've
> almost certainly got iptables support already compiled into your kernel,
> so it's just a matter of installing the userspace iptables tool, and
> configuring it.
> I'll give you a hand with the config if you want, just email me.
>
> jon
>
>> -----Original Message-----
>> From: Josh Koffman [mailto:listsjosh@3MTMP.COM]
>> Sent: 12 February 2004 16:33
>> To: PICLIST@MITVMA.MIT.EDU
>> Subject: [OT:] Linux Host Deny Help
>>
>> Ok, I'm desperate. I've tried everything I know how to try,
>> and it's not working. And I can't figure out why.
>>
>> I am running Debian with a 2.2.19 kernel. I know 2.6 is out,
>> but I don't want to upgrade right now. There is going to be a
>> major overhaul coming in a month or so, and I don't want to
>> waste time upgrading this machine right now.
>>
>> Here is what I am trying to do. I am attempting to block
>> access to my linux box from all addresses starting with
>> 141.117.*.* except the few within that range that I specify.
>> So, my first thought was hosts.allow and hosts.deny. I added
>> the address above (with netmask) to hosts.deny,
>> (ALL:141.117.0.0/255.255.0.0), and the address I want to be
>> able to access the box (ALL:141.117.*.*) to hosts.allow. Then
>> I started testing. The address I want to work worked fine.
>> However, I am having issues with the blocked addresses. They
>> won't connect to some services (i.e. the POP server), which is
>> perfect, but they still connect to others, such as SMTP. I've
>> even tried explicitly denying the IP of the machine I'm testing
>> with, and I can still send mail through SMTP perfectly. I tried
>> adding (ALL smtp: 141.117.0.0/255.255.0.0) or
>> (ALL exim: 141.117.0.0/255.255.0.0) but neither seems to work.
>>
>> I just don't understand how I can explicitly deny access, and
>> it works for some things but SMTP works great.
>>
>> HELP!
>>
>> Thank you
>>
>> Josh
>> --
>> A common mistake that people make when trying to design
>> something completely foolproof is to underestimate the
>> ingenuity of complete fools.
>> -Douglas Adams
>>
>> --
>> http://www.piclist.com hint: The list server can filter out
>> subtopics (like ads or off topics) for you. See
>> http://www.piclist.com/#topics

--
http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.
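The behaviour Josh reports is exactly what tcp_wrappers does, and the thread's fix is to move the policy into the kernel's packet filter. The following is an added example, not code from the thread or from any of its posters: it models the libwrap decision that tcpd/inetd-spawned services make (hosts.allow first, then hosts.deny, first match wins, no match means allow), shows that a daemon which never calls into libwrap, such as a stand-alone exim or sendmail, is unaffected by either file, and emits the equivalent iptables rules with the exceptions placed before the range-wide DROP. The sample files, the allowed host 141.117.42.7, the set of wrapped daemons and the use of iptables syntax (a 2.2 kernel would need ipchains or a backport, as Nate notes) are all constructed assumptions.

```python
"""hosts.allow / hosts.deny evaluation versus a packet filter.

Added example, not code from the thread.  It models the libwrap (tcp_wrappers)
decision that tcpd/inetd-spawned services make, and emits the equivalent
iptables rules.  The sample files, the allowed host 141.117.42.7 and the set of
wrapped daemons are constructed assumptions.
"""
import ipaddress
import re

# Constructed sample files modelled on the thread's entries.
HOSTS_ALLOW = """
# hosts.allow is consulted first; a match here grants access
ALL: 141.117.42.7
"""
HOSTS_DENY = """
# hosts.deny is consulted second; a match here refuses access
ALL: 141.117.0.0/255.255.0.0
"""

# Daemons on this box that actually call hosts_access(): those started by inetd
# through tcpd, or linked against libwrap.  A stand-alone MTA such as exim or
# sendmail built without libwrap support is NOT in this set (assumption).
WRAPPED = {"in.pop3d", "in.ftpd", "sshd"}


def _parse(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines into
    (daemons, clients) tuples; comments, blanks and the command field are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = re.split(r"[,\s]+", fields[0])
        clients = re.split(r"[,\s]+", fields[1])
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, 'a.b.' prefix,
    net/mask, or an exact address."""
    addr = ipaddress.IPv4Address(ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # "141.117." prefix form
        return ip.startswith(pattern)
    if "/" in pattern:                              # "net/mask" form
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    return addr == ipaddress.IPv4Address(pattern)   # exact address


def _rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(
        _client_matches(c, ip) for c in clients)


def hosts_access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY, wrapped=WRAPPED):
    """Decide as libwrap does: hosts.allow first, then hosts.deny, first match
    wins, and no match at all means access is granted.  Returns (verdict, reason)."""
    if daemon not in wrapped:
        # The thread's SMTP case: the MTA never asks, so both files are moot.
        return "allow", "daemon does not consult tcp_wrappers"
    for rule in _parse(allow):
        if _rule_matches(rule, daemon, ip):
            return "allow", "hosts.allow"
    for rule in _parse(deny):
        if _rule_matches(rule, daemon, ip):
            return "deny", "hosts.deny"
    return "allow", "no matching rule"


def netfilter_rules(blocked_net, allowed_hosts):
    """Equivalent kernel-level policy.  INPUT is walked top to bottom and the
    first matching rule wins, so the exceptions are appended before the DROP."""
    net = ipaddress.IPv4Network(blocked_net, strict=False)
    rules = [f"iptables -A INPUT -s {h} -j ACCEPT" for h in allowed_hosts]
    rules.append(f"iptables -A INPUT -s {net.with_prefixlen} -j DROP")
    return rules


if __name__ == "__main__":
    for daemon, ip in [("in.pop3d", "141.117.5.5"), ("in.pop3d", "141.117.42.7"),
                       ("exim", "141.117.5.5")]:
        print(daemon, ip, *hosts_access(daemon, ip))
    print("\n".join(netfilter_rules("141.117.0.0/255.255.0.0", ["141.117.42.7"])))
```

Run stand-alone it prints a deny for POP from a blocked address, an allow for the excepted host, and an allow for exim regardless of the files, which is the split Josh observed. The packet-filter rules apply to every port, so they cover the MTA without touching its configuration; if a per-service hole is wanted, adding `-p tcp --dport 25` to the DROP line narrows it to SMTP.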