LinuxQuestions.org

Linux - Security: Strange issue with iptables. (https://www.linuxquestions.org/questions/linux-security-4/strange-issue-with-iptables-759007/)

Ratclaws 10-01-2009 11:17 AM

Strange issue with iptables.

I'm having a strange issue with iptables where it seems like it is not respecting the subnets as I state them.


I have a server 10.30.1.51 that I want to block, but for some reason it is being matched by an allow rule for 10.30.3.0/24.

Here are the four key lines. With this, 10.30.1.51 IS able to ssh to this server.
Code:

ACCEPT    all  --  10.30.3.0/24        0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            10.30.3.0/24
REJECT    all  --  10.30.1.51          0.0.0.0/0          reject-with icmp-host-prohibited
REJECT    all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited

If I switch it around like so, then ssh is blocked.

Code:

REJECT    all  --  10.30.1.51          0.0.0.0/0          reject-with icmp-host-prohibited
REJECT    all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited
ACCEPT    all  --  10.30.3.0/24        0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            10.30.3.0/24


What am I missing here?
I've tried specifying the subnet for 10.30.3.0 as /24, and also as /255.255.255.0. To make it better, if I change the 10.30.3 network to 10.20.3.0/24, then it no longer matches 10.30.1.51, and ssh is blocked again.

Make any sense? Why is my rule to allow 10.30.3.0 allowing 10.30.1.* traffic?


Full INPUT rules table:
Code:

ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 255
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT    all  --  172.24.128.35        0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            172.24.128.35
ACCEPT    all  --  10.30.3.0/24        0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            10.30.3.0/24
REJECT    all  --  10.30.1.51          0.0.0.0/0          reject-with icmp-host-prohibited
REJECT    all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:8080
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:110
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:143
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:993
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:995
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
ACCEPT    tcp  --  192.168.0.0/16      0.0.0.0/0          tcp dpt:21
REJECT    all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited


nomb 10-01-2009 11:22 AM

Would you mind actually posting the output of your iptables config file and not iptables -L?

Don't think this is needed anymore. :D

nomb 10-01-2009 11:27 AM

Remember iptables stops at the first matching rule it finds. So in your rules, when you have it the first way:
Code:

ACCEPT    all  --  10.30.3.0/24        0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            10.30.3.0/24
REJECT    all  --  10.30.1.51          0.0.0.0/0          reject-with icmp-host-prohibited
REJECT    all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited

This rule:
Code:

ACCEPT    all  --  0.0.0.0/0            10.30.3.0/24

is basically saying allow any IP address access to your box. The reject rules below never get reached because 0.0.0.0/0 includes 10.30.1.51.

When you have it like this:
Code:

REJECT    all  --  10.30.1.51          0.0.0.0/0          reject-with icmp-host-prohibited
REJECT    all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited
ACCEPT    all  --  10.30.3.0/24        0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            10.30.3.0/24

the blocking rules are first, so they are getting matched and therefore blocking the IP address.

nomb
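An added example, not from the thread, that replays nomb's first-match explanation over the four posted lines in both orderings. It assumes the server's own address is 10.30.3.10 (a constructed value inside the 10.30.3.0/24 block; the thread never states the server's IP).

```python
import ipaddress

# Constructed for this example: the server is assumed to sit inside the
# 10.30.3.0/24 block that the ACCEPT rules name; the thread does not say.
SERVER_IP = "10.30.3.10"
BLOCKED_HOST = "10.30.1.51"

# The four key lines from the post, in the order that let 10.30.1.51 through.
ORDER_ACCEPT_FIRST = """
ACCEPT    all  --  10.30.3.0/24        0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            10.30.3.0/24
REJECT    all  --  10.30.1.51          0.0.0.0/0          reject-with icmp-host-prohibited
REJECT    all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited
"""

# The same four lines with the REJECTs moved up, the order that blocked ssh.
ORDER_REJECT_FIRST = """
REJECT    all  --  10.30.1.51          0.0.0.0/0          reject-with icmp-host-prohibited
REJECT    all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited
ACCEPT    all  --  10.30.3.0/24        0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            10.30.3.0/24
"""

def parse_chain(text):
    """Parse `iptables -L -n` style lines: target prot opt source destination [extras]."""
    rules = []
    for line in text.strip().splitlines():
        target, proto, _opt, src, dst, *extra = line.split()
        rules.append({"target": target, "proto": proto,
                      "src": ipaddress.ip_network(src, strict=False),  # bare host -> /32
                      "dst": ipaddress.ip_network(dst, strict=False),
                      "extra": " ".join(extra)})
    return rules

def first_match(rules, src, dst, proto="tcp"):
    """Walk the chain top to bottom and stop at the first rule the packet matches,
    as netfilter does. Returns (rule index, target), or (None, 'POLICY') if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r["proto"] not in ("all", proto):
            continue
        if s in r["src"] and d in r["dst"]:
            return i, r["target"]
    return None, "POLICY"

if __name__ == "__main__":
    for name, chain in (("accept first", ORDER_ACCEPT_FIRST), ("reject first", ORDER_REJECT_FIRST)):
        idx, verdict = first_match(parse_chain(chain), BLOCKED_HOST, SERVER_IP)
        print(f"{name}: {BLOCKED_HOST} -> {SERVER_IP} hits rule {idx}: {verdict}")
```

Swapping 10.30.3.0/24 for 10.20.3.0/24 in the accept-first chain makes the destination rule stop matching, so the packet falls through to the REJECT line, which is exactly what the original poster saw.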

Ratclaws 10-01-2009 12:30 PM

Haha, wow, I'm blind.
I knew I would feel stupid shortly after posting this. And I was at least right about that. :)

Thanks.

nomb 10-01-2009 12:45 PM

Not a problem, happy to help.

You should have seen the iptables issue I had with my media server streaming to my PS3 and my syn flood protection rules. :D

nomb
