Forum OpenACS Q&A: Response to How to bypass rp_filter: Nimba Worm

Posted by David Walker on
ipchains support (enabled by default in most cases)
sudo (you might have to install this)

First create a chain to hold the blocked IPs and place it at the head of the input and output chains. (These will be erased if you reboot. Make sure they appear above any other rules you might have)
        /sbin/ipchains -N blockip
        /sbin/ipchains -A input -p tcp -j blockip
        /sbin/ipchains -A output -p tcp -j blockip

The blockip script is simply intended to keep the web server from having the right to do anything other than the intended action with ipchains. I place it in /root/bin/blockip and execute it using sudo

# blockip takes a single IP address and adds an ipchains rule to
# block it in both directions

set ip [lindex $argv 0]
if {$argc != 1 || ![string is digit [string map { . ""} $ip]]} {
        puts "give me the IP and just the IP"
puts [exec /sbin/ipchains -A blockip -p tcp -s $ip -j DENY ]
puts [exec /sbin/ipchains -A blockip -p tcp -d $ip -j DENY ]

use visudo to add this line to /etc/sudoers
nsadmin ALL=NOPASSWD: /root/bin/blockip 

Create a .tcl file containing the following and place it in /web/<servername>/tcl/ (or wherever your server's tcl directory is)

ad_register_filter -critical t -priority 1 preauth * /*.exe 
proc vt_blockip {conn ignore} {
        exec sudo /root/bin/blockip [ns_conn peeraddr]
        ns_conn close
        return "filter_break"

Edit tcl/ad-security.tcl and change
ad_register_filter -critical t -priority 1 preauth * /* sec_read_security_info
ad_register_filter -critical t -priority 2 preauth * /* sec_read_security_info
so that the blocking filter will be higher priority than the security filter.

and, finally, here is the cron script to clear the blocked IPs

/sbin/ipchains -F blockip