LinuxQuestions.org
Old 06-04-2008, 09:18 AM   #1
dryheat
LQ Newbie
 
Registered: Dec 2006
Posts: 13

Rep: Reputation: 0
iptable block not working


Hello. I'm trying to block access from Chinese hackers using ip addresses in the 219.*.*.* range. I edited my iptable according to the prescription in the post by Capt Caveman in this thread

http://www.linuxquestions.org/questi...tables-469432/

and rebooted. But checking my security log this morning I'm finding login attempts from ip addresses in the prohibited range. Shouldn't these addresses be blocked from even trying to log in?

Thx,

Steve
 
Old 06-04-2008, 10:06 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Debian, FreeBSD
Posts: 3,753
Blog Entries: 5

Rep: Reputation: Disabled
Post your ruleset here? The output from iptables -nvL should do. (Put it in code tags so we can read it.)
 
Old 06-04-2008, 10:13 AM   #3
tommyr1216
Member
 
Registered: Sep 2004
Location: Pennsylvania
Distribution: Gentoo, Suse, Fedora, Slackware
Posts: 56

Rep: Reputation: 15
I'm guessing your rules look something like this:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
...
iptables -A INPUT -s 219.xxx.xxx.xxx -j DROP

Because your rule allowing SSH connections applies first, those connections are accepted and never hit your blocking rule. You probably want to do something like:
iptables -I INPUT 1 -s 219.xxx.xxx.xxx -j DROP
which will make that the first rule in the table.
 
Old 06-04-2008, 12:02 PM   #4
dryheat
LQ Newbie
 
Registered: Dec 2006
Posts: 13

Original Poster
Rep: Reputation: 0
One thing I discovered looking at the docs is that Capt Caveman recommended using

/sbin/iptables -I INPUT -s 221.0.0.0/8 -j DROP

but there doesn't seem to be any -I switch, so I'm thinking that was a typo and he meant -A. So I re-issued the command with the -A switch and also put it in RH-Firewall-INPUT (as that's where all the other rules are located) and it's now showing up. But based on what tommyr1216 said, maybe it won't work. Here are the current rules per anomie's request:

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 110K   55M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 45403 packets, 5669K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 1895 1714K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   15   840 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
58810   10M ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
45798   42M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  497 29768 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
   58  2832 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
 2745  407K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    0     0 DROP       all  --  *      *       221.0.0.0/8          0.0.0.0/0
 
Old 06-04-2008, 12:06 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Debian, FreeBSD
Posts: 3,753
Blog Entries: 5

Rep: Reputation: Disabled
From the manpages for iptables(8):
Quote:
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given
rule number. So, if the rule number is 1, the rule or rules
are inserted at the head of the chain. This is also the
default if no rule number is specified.
And your problem (as hypothesized earlier in the thread) seems to be that you're allowing traffic to tcp 22 in the chain before you're dropping packets from the specified subnet. You're going to need to insert the rule above it.
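Added example (not code from the thread or from any of the posters): a small Python simulation of netfilter's first-match chain walk over the RH-Firewall-1-INPUT chain posted above. It shows why a DROP appended with -A never sees a new SSH connection from 221.0.0.0/8 while the same rule placed with -I at position 1 does, and why the appended rule's counters stay at 0: it sits behind the catch-all REJECT. The rule/packet dictionaries, the constructed packet and the shadowed_rules helper are my own assumptions, not iptables API.

```python
import ipaddress

def matches(rule, pkt):
    """True if every criterion the rule carries matches the packet."""
    for key in ("iface", "proto", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return "src" not in rule or pkt["src"] in ipaddress.ip_network(rule["src"])

def evaluate(chain, pkt):
    """Walk the chain top down; the first matching rule decides (netfilter semantics)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return "POLICY"  # nothing matched: the chain's policy (ACCEPT here) applies

def shadowed_rules(chain):
    """Indices of rules behind a rule with no criteria at all; they can never match."""
    for i, rule in enumerate(chain):
        if set(rule) == {"target"}:
            return list(range(i + 1, len(chain)))
    return []

def append_rule(chain, rule):             # what iptables -A does
    return chain + [rule]

def insert_rule(chain, rule, rulenum=1):  # what iptables -I chain [rulenum] does
    return chain[:rulenum - 1] + [rule] + chain[rulenum - 1:]

# Constructed from the RH-Firewall-1-INPUT chain posted in the thread
# (icmp/esp/ah/631 lines omitted; they do not affect the SSH case).
RH_FIREWALL_1_INPUT = [
    {"target": "ACCEPT", "iface": "lo"},
    {"target": "ACCEPT", "proto": "udp", "dport": 5353},
    {"target": "ACCEPT", "state": {"RELATED", "ESTABLISHED"}},
    {"target": "ACCEPT", "proto": "tcp", "dport": 22, "state": {"NEW"}},
    {"target": "ACCEPT", "proto": "tcp", "dport": 443, "state": {"NEW"}},
    {"target": "ACCEPT", "proto": "tcp", "dport": 80, "state": {"NEW"}},
    {"target": "REJECT"},  # catch-all: anything appended after it is dead
]
BLOCK = {"target": "DROP", "src": "221.0.0.0/8"}
# Constructed packet: a new SSH connection from inside the blocked /8.
SSH_FROM_221 = {"iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW",
                "src": ipaddress.ip_address("221.10.20.30")}
if __name__ == "__main__":
    print("-A:", evaluate(append_rule(RH_FIREWALL_1_INPUT, BLOCK), SSH_FROM_221))
    print("-I 1:", evaluate(insert_rule(RH_FIREWALL_1_INPUT, BLOCK), SSH_FROM_221))
```

Running it prints ACCEPT for the -A placement and DROP for -I 1; shadowed_rules on the appended chain reports the DROP's index, matching the 0 pkts / 0 bytes line in the posted output.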
 