Banish FAQ
From SID Solutions Wikipedia
Why did you create Banish?
To block unauthorized activity from specific IP Addresses on open ports.
What version of IPCop does Banish work with?
Banish 1.4.7 has been known to work with IPCop 1.4.18 and greater.
How do you install/upgrade Banish?
See Banish Installing/Upgrading
How do you uninstall Banish?
See Banish Uninstall
How does Banish work?
Banish creates IPTables log and drop statements utilizing the following IPTables "chains":
- CUSTOMINPUT
- CUSTOMFORWARD
- CUSTOMOUTPUT
What is the proper syntax for manually adding these statements without banish?
How can I tell that it is working?
Banish logs to system log. You can view entries by going to the Firewall Logs module of the IPCop Web interface or by "grepping" the system logs.
Or
grep -i banish /var/log/messages | more
How do I block a consecutive range of IP Addresses?
Enter a CIDR that matches the range of IP addresses that you wish to block in the Banished Resource field.
Example:
192.168.1.0/24
This will block 192.168.1.0 - 192.168.1.255 IP addresses.
You can also enter in the exact range of IP addresses that you wish to block in the Banished Resource field.
Example:
192.168.1.0-192.168.1.20
Remember not to put any spaces around the "-"; spaces will generate an error warning.
What is CIDR?
Classless Inter-Domain Routing (CIDR) is a method for assigning IP addresses without using the standard IP address classes like Class A, Class B or Class C. Google search for more information and proper notation.
Can I block by domain name (ex. badguys.com)?
Yes. This will force IPTables to perform DNS lookups on your entries, which might cause a noticeable performance hit depending on the number of entries.
Can Banish block pings?
Yes. Edit /etc/rc.d/rc.Banish and uncomment the ping block entries by removing the leading "#" from the command lines.
Before:
# Drop and log pings
# Uncomment to block pings on Red interface
#$LOGGER "Ping Banished on RED interface $IFACE."
#/sbin/iptables -A CUSTOMINPUT -p icmp --icmp-type 8 -i $IFACE -j LOG --log-prefix "banish-ping "
#/sbin/iptables -A CUSTOMINPUT -p icmp --icmp-type 8 -i $IFACE -j DROP
and
# Drop and log pings
# Uncomment to block pings on Red interface
#$LOGGER "Ping unBanished on RED interface $IFACE."
#/sbin/iptables -D CUSTOMINPUT -p icmp --icmp-type 8 -i $IFACE -j LOG --log-prefix "banish-ping "
#/sbin/iptables -D CUSTOMINPUT -p icmp --icmp-type 8 -i $IFACE -j DROP
After:
# Drop and log pings
# Uncomment to block pings on Red interface
$LOGGER "Ping Banished on RED interface $IFACE."
/sbin/iptables -A CUSTOMINPUT -p icmp --icmp-type 8 -i $IFACE -j LOG --log-prefix "banish-ping "
/sbin/iptables -A CUSTOMINPUT -p icmp --icmp-type 8 -i $IFACE -j DROP
and
# Drop and log pings
# Uncomment to block pings on Red interface
$LOGGER "Ping unBanished on RED interface $IFACE."
/sbin/iptables -D CUSTOMINPUT -p icmp --icmp-type 8 -i $IFACE -j LOG --log-prefix "banish-ping "
/sbin/iptables -D CUSTOMINPUT -p icmp --icmp-type 8 -i $IFACE -j DROP
Help! I've locked myself out!
Log onto the console and execute the following command:
/etc/rc.d/rc.Banish stop
To flush all the iptables entries, enter the following command:
/sbin/iptables --flush
Can I use Banish to block P2P?
Yes. Identify the IP addresses of the sites you wish to block and create Banish rules for them. You can also block them by domain name (ex. p2p.com). See Can I block by domain name?
After adding a Banish rule, I can no longer get to ...
Care must be taken when blocking with Banish. You might have blocked a DNS server or router.
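A pre-check for the CIDR and "a-b" range entries described above, run before an entry goes into the Banished Resource field, to see whether it would cover an address you still need to reach. This is an added example, not part of Banish; the function names and the CRITICAL addresses are constructed for illustration, and it handles IPv4 entries only (not domain names or MAC addresses).

```python
import ipaddress

# Constructed sample: addresses this firewall must keep reaching (assumption).
CRITICAL = {
    "gateway": "192.168.1.1",
    "dns": "192.168.1.10",
    "admin-pc": "192.168.1.50",
}


def parse_resource(entry):
    """Return (first, last) IPv4 address covered by a CIDR, 'a-b' range or single IP."""
    # The FAQ notes that spaces around "-" are rejected; mirror that here.
    if any(ch.isspace() for ch in entry):
        raise ValueError(f"spaces are not allowed: {entry!r}")
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p) for p in entry.split("-", 1))
        if first > last:
            raise ValueError(f"range start is above range end: {entry!r}")
        return first, last
    # strict=False accepts host bits, e.g. 192.168.1.5/24 -> 192.168.1.0/24
    net = ipaddress.IPv4Network(entry, strict=False)
    return net[0], net[-1]


def collisions(entry, critical=CRITICAL):
    """Names of critical addresses that the proposed entry would block."""
    first, last = parse_resource(entry)
    return [name for name, addr in critical.items()
            if first <= ipaddress.IPv4Address(addr) <= last]


if __name__ == "__main__":
    for entry in ("192.168.1.0/24", "192.168.1.0-192.168.1.20", "10.0.0.0/8"):
        hit = collisions(entry)
        print(f"{entry:28} covers: {', '.join(hit) or 'nothing critical'}")
```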
I've flushed the Banish chains manually, how do I reload Banish's rules?
Toggle a rule; this causes Banish to reload its chains.
I just installed the GeoIP Mod, how do I get Banish to use it?
You have to uninstall and reinstall Banish. Make a backup of your Banish configuration files:
mkdir /tmp/Banish_backup
cp -p /var/ipcop/Banish/* /tmp/Banish_backup/
Uninstall Banish:
/usr/local/bin/uninstall_Banish.sh
Reinstall Banish. See Banish Installing/Upgrading
Copy your old configuration to the Banish Configuration directory:
cp -p /tmp/Banish_backup/* /var/ipcop/Banish/
Why block by MAC Address?
Blocking by MAC Address is useful when you have DHCP clients that change IP Addresses, but have known MAC Addresses.
--Xtremebassist 13:10, 22 January 2006 (CST)



