Standard User billford (elder) Tue 17-Nov-15 22:51:55

GUFW

Linux Mint 17.2.

I want to prevent a machine establishing a connection to a specific IP address on the internet. It would take too long to explain why, but it's legit- I just don't have control over the app that's doing it.

I looked at iptables and I'd be waaay out of my depth, anyone know if I could do it with GUFW?

It looks easy enough, but I've heard that before...

Bill
A level playing field is level in both directions.

_______________________________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User BatBoy (sensei) Wed 18-Nov-15 09:06:46

Re: GUFW [re: billford]

Looks simple enough http://notepad2.blogspot.co.uk/2012/02/linux-block-o...
Standard User dandnsmith (experienced) Wed 18-Nov-15 09:10:00

Re: GUFW [re: billford]

I think I'd try setting an entry in the hosts file to translate the unwanted address to 127.0.0.1 (ie loopback), and ensure that the hosts file gets higher in the resolution than outside dns.

Derek

Standard User TinyMongomery (experienced) Wed 18-Nov-15 09:29:30

Re: GUFW [re: dandnsmith]

That only works for a URL, not an IP address.

@OP - It should be simple. Just configure an advanced rule denying access, outbound, to that particular address. Leave the port blank. It translates to the rule:

ufw deny to 1.2.3.4

(substitute the appropriate address!).
Standard User billford (elder) Wed 18-Nov-15 09:50:41

Re: GUFW [re: dandnsmith]

That was my first thought, but the app authors thought of it as well- the app uses an IP address not a hostname.

Bill
A level playing field is level in both directions.

Standard User billford (elder) Wed 18-Nov-15 09:57:01

Re: GUFW [re: BatBoy]

I saw that page, and others saying the same thing, but I didn't have any luck from the command line- just error messages which did nothing to improve my understanding of what I was doing wrong.

GUFW seems to be working (by default it blocks all incoming, so I had to allow a few like Samba etc), but so far the app is being unco-operative and not trying to contact the IP I think I've blocked.

Sod's Law of course… but I can be patient.

Bill
A level playing field is level in both directions.

Standard User BatBoy (sensei) Wed 18-Nov-15 09:57:52

Re: GUFW [re: billford]

In reply to a post by billford:
I saw that page,
Why am I not surprised?
Standard User billford (elder) Wed 18-Nov-15 09:58:45

Re: GUFW [re: TinyMongomery]

That's what (I hope) I've done, see my reply to Batboy.

Bill
A level playing field is level in both directions.

Standard User billford (elder) Wed 18-Nov-15 09:59:47

Re: GUFW [re: BatBoy]

grin

Bill
A level playing field is level in both directions.

Standard User BatBoy (sensei) Wed 18-Nov-15 10:08:09

Re: GUFW [re: billford]

It seems to be missing "out"
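An added example in POSIX shell, not from the thread: it builds the outbound rule with the `out` keyword this reply says is missing from the GUFW translation quoted earlier, and checks constructed `ufw status` output for the resulting DENY OUT entry. The address 203.0.113.7 is a placeholder from the TEST-NET-3 documentation range, and the status layout is assumed to match ufw's three-column table.

```shell
#!/bin/sh
# Added example (not from the thread): build the ufw rule that blocks an
# outbound destination and verify it actually appears in "ufw status".
# 203.0.113.7 is a constructed placeholder (TEST-NET-3), not a real host.

# Return 0 only for a dotted-quad IPv4 literal with every octet in 0-255.
# A hostname is rejected on purpose: the hosts-file trick does not apply
# to a literal address, and ufw needs the address itself.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the command for an outbound block. Without "out" a ufw rule
# applies to incoming traffic only, which is the mistake noted above.
ufw_block_cmd() {
    valid_ipv4 "$1" || return 1
    printf 'ufw deny out to %s\n' "$1"
}

# Read "ufw status" text on stdin and succeed only if a DENY OUT rule
# for exactly the address in $1 is listed (dots escaped for grep -E).
rule_present() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^${esc}[[:space:]]+DENY OUT[[:space:]]"
}

# Demonstration on the placeholder address: prints the rule, runs nothing.
ufw_block_cmd 203.0.113.7
```

Pipe real output into the check with `ufw status | rule_present 203.0.113.7`; the "Operation not permitted" that ping reported later in the thread is what a locally dropped outbound packet looks like from the sending host.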
Standard User TinyMongomery (experienced) Wed 18-Nov-15 10:23:55

Re: GUFW [re: billford]

Try pinging the address (not conclusive), or telnet to port 80 if it's a web server.
Standard User billford (elder) Wed 18-Nov-15 10:30:11

Re: GUFW [re: TinyMongomery]

Excellent idea.

Ping from another machine without UFW worked, from the one with UFW it returned Operation not permitted.

Very satisfactory result, thanks for the tip!

Bill
A level playing field is level in both directions.

Standard User caffn8me (knowledge is power) Fri 20-Nov-15 05:15:17

Re: GUFW [re: billford]

I know you've got it working now but it might be worth looking at firewalling capabilities on your router as an additional tool in your arsenal.

Another option which can be done on the router or the computer is to add a null route - route packets for the particular destination you want to block via a non-existent IP - preferably an RFC 1918 address. I've certainly done this on Windoze machines in the past with great success.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User billford (elder) Fri 20-Nov-15 07:33:08

Re: GUFW [re: caffn8me]

In reply to a post by caffn8me:
I know you've got it working now but it might be worth looking at firewalling capabilities on your router as an additional tool in your arsenal.
The router (Asus RT-N66U) was the obvious first place to look but couldn't see anything particularly useful, then the hosts file but that doesn't work for IP addresses. It could have been fiddly doing it on the router anyway- the app runs on three machines but I only wanted to block two of them- different hardware on the third meant that it wasn't a problem on that one.

When I googled for ideas, I got the distinct impression that blocking outgoing IP addresses is something of a minority interest.

In reply to a post by caffn8me:
Another option which can be done on the router or the computer is to add a null route - route packets for the particular destination you want to block via a non-existent IP - preferably an RFC 1918 address. I've certainly done this on Windoze machines in the past with great success.

I don't use null routes but quite often use 127.0.0.1 in the hosts file on the Mac, especially for any mob that use pop-unders (MacKeeper being the main culprit).

I initially tried blocking MacKeeper in the router (block anything with that text in the url) but it sometimes got irritating waiting for the connection to time out. Doing it via localhost meant that Apache immediately spat back a 404 so no waiting, although it did mean an entry for each url variation I came across- a trivial matter.

I must admit I'm quite impressed with GUFW. I've no doubt I could gain a lot more flexibility by getting to grips with iptables, but I don't need it and GUFW makes it dead easy to do what I do want to do. At my advanced age I'm a firm believer in KISS.

Bill
A level playing field is level in both directions.

Standard User Lethe (fountain of knowledge) Fri 20-Nov-15 14:36:16

Re: GUFW [re: billford]

I can think of another solution - brain surgery.

Open the executable in a HEX editor - find the address, and change it to 0.0.0.0 (or whatever)

I have done this several times - it works a treat.

Nick
Standard User billford (elder) Fri 20-Nov-15 15:00:39

Re: GUFW [re: Lethe]

I've done that sort of thing too on occasion, but it's not possible in this case- the IP address isn't hard-coded.

It's an app for distributed computing, so when it wants some work it connects to an "assignment server" and sends details of machine configuration etc, that server returns the IP address of another server which has suitable work available- and it's one of those that I want to block.

(The app doesn't mind- if it can't get work from a particular server for any reason it just keeps asking for others until it's given one that it can.)

There's also the minor detail that patching any of the supplied files is driving a horse and cart through the EULA… which wouldn't necessarily stop me, but I'd prefer not to do it.

Bill
A level playing field is level in both directions.


Edited by billford (Fri 20-Nov-15 15:02:08)

Standard User Lethe (fountain of knowledge) Fri 20-Nov-15 15:11:30

Re: GUFW [re: billford]

OK, I have the same router as you, but running one of Merlin's builds.

Have a look at Firewall->Network Services Filter

I think you can lock down 'phoning home' stuff there.

Nick
Standard User billford (elder) Fri 20-Nov-15 15:24:31

Re: GUFW [re: Lethe]

I'm using Asus stock firmware, but that function is in there too- I hadn't noticed it.

GUFW is working fine so I'll leave it as is, but very useful to know if any snags turn up- thanks.

Bill
A level playing field is level in both directions.
