LinuxQuestions.org
Old 10-01-2009, 11:17 AM   #1
Ratclaws
Member
 
Registered: Sep 2001
Location: New York
Distribution: Slackware 8
Posts: 102

Rep: Reputation: 16
Strange issue with iptables.


I'm having a strange issue with iptables where it seems like it is not respecting the subnets as I state them.


I have a server 10.30.1.51 that I want to block, but for some reason it is being matched by an allow rule for 10.30.3.0/24.

Here are the four key lines. With this, 10.30.1.51 IS able to ssh to this server.
Code:
ACCEPT     all  --  10.30.3.0/24         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            10.30.3.0/24
REJECT     all  --  10.30.1.51           0.0.0.0/0           reject-with icmp-host-prohibited
REJECT     all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited
If i switch it around like so, then ssh is blocked.

Code:
REJECT     all  --  10.30.1.51           0.0.0.0/0           reject-with icmp-host-prohibited
REJECT     all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited
ACCEPT     all  --  10.30.3.0/24         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            10.30.3.0/24

What am I missing here?
I've tried specifying the subnet for 10.30.3.0 as /24, and also as /255.255.255.0. To make it better, if I change the 10.30.3 network to 10.20.3.0/24, then it no longer matches 10.30.1.51, and ssh is blocked again.

Make any sense? Why is my rule to allow 10.30.3.0 allowing 10.30.1.* traffic??


Full input rules table
Code:
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  172.24.128.35        0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            172.24.128.35
ACCEPT     all  --  10.30.3.0/24         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            10.30.3.0/24
REJECT     all  --  10.30.1.51           0.0.0.0/0           reject-with icmp-host-prohibited
REJECT     all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  192.168.0.0/16       0.0.0.0/0           tcp dpt:21
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
 
Old 10-01-2009, 11:22 AM   #2
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
Would you mind actually posting the output of your iptables config file and not iptables -L?

Don't think this is needed anymore.

Last edited by nomb; 10-01-2009 at 11:27 AM.
 
Old 10-01-2009, 11:27 AM   #3
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
Remember iptables stops at the first matching rule it finds. So in your rules, when you have it the first way:

ACCEPT all -- 10.30.3.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 10.30.3.0/24
REJECT all -- 10.30.1.51 0.0.0.0/0 reject-with icmp-host-prohibited
REJECT all -- 0.0.0.0/0 10.30.1.51 reject-with icmp-host-prohibited

This rule: ACCEPT all -- 0.0.0.0/0 10.30.3.0/24

is basically saying allow any IP address access to your box. The reject rules below never get reached because 0.0.0.0/0 includes 10.30.1.51.

When you have it like this:

REJECT all -- 10.30.1.51 0.0.0.0/0 reject-with icmp-host-prohibited
REJECT all -- 0.0.0.0/0 10.30.1.51 reject-with icmp-host-prohibited
ACCEPT all -- 10.30.3.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 10.30.3.0/24

The blocking rules are first so they are getting matched and therefore blocking the ip address.

nomb
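To see the first-match behaviour nomb describes in code, here is a small simulator (an added example, not code from the thread) that walks the two rule orderings exactly as the INPUT chain would. It assumes the server's own address is 10.30.3.10, i.e. inside 10.30.3.0/24; the thread never states the server's address, but the destination-side ACCEPT can only match inbound packets if the server sits in that subnet.

```python
import ipaddress

# Added example (not from the thread): a first-match walk over the rule
# listing, the way the INPUT chain evaluates it. Assumes the server's own
# address is 10.30.3.10, i.e. inside 10.30.3.0/24 (not stated in the thread).

ACCEPT_FIRST = """
ACCEPT     all  --  10.30.3.0/24         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            10.30.3.0/24
REJECT     all  --  10.30.1.51           0.0.0.0/0           reject-with icmp-host-prohibited
REJECT     all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited
"""

REJECT_FIRST = """
REJECT     all  --  10.30.1.51           0.0.0.0/0           reject-with icmp-host-prohibited
REJECT     all  --  0.0.0.0/0            10.30.1.51          reject-with icmp-host-prohibited
ACCEPT     all  --  10.30.3.0/24         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            10.30.3.0/24
"""

SERVER_IP = "10.30.3.10"  # assumption, see comment above


def parse_rules(listing):
    """Turn 'target prot -- source destination ...' lines into rule dicts."""
    rules = []
    for line in listing.strip().splitlines():
        target, proto, _, src, dst = line.split()[:5]
        rules.append({"target": target, "proto": proto,
                      "src": ipaddress.ip_network(src, strict=False),
                      "dst": ipaddress.ip_network(dst, strict=False)})
    return rules


def verdict(listing, src_ip, dst_ip, proto="tcp"):
    """Index and target of the first matching rule, or (None, None) when
    the packet falls through to the chain policy."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(parse_rules(listing)):
        if r["proto"] in ("all", proto) and s in r["src"] and d in r["dst"]:
            return i, r["target"]
    return None, None


def in_subnet(ip, net):
    """True if ip lies inside the CIDR block net."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


if __name__ == "__main__":
    # 10.30.1.51 is not in 10.30.3.0/24, so the source-side ACCEPT never fires;
    # it is the destination-side ACCEPT (rule 1) that swallows the SSH packet.
    print(in_subnet("10.30.1.51", "10.30.3.0/24"))        # False
    print(verdict(ACCEPT_FIRST, "10.30.1.51", SERVER_IP))  # (1, 'ACCEPT')
    print(verdict(REJECT_FIRST, "10.30.1.51", SERVER_IP))  # (0, 'REJECT')
```

On the real box, `iptables -L INPUT -v -n --line-numbers` gives the same index view plus the interface column that a plain `-L` omits, which also tells you which interface the top `ACCEPT all 0.0.0.0/0 0.0.0.0/0` rule in the full table is bound to.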
 
Old 10-01-2009, 12:30 PM   #4
Ratclaws
Member
 
Registered: Sep 2001
Location: New York
Distribution: Slackware 8
Posts: 102

Original Poster
Rep: Reputation: 16
Haha, wow, I'm blind.
I knew I would feel stupid shortly after posting this. And I was at least right about that.

thanks.
 
Old 10-01-2009, 12:45 PM   #5
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
Not a problem, happy to help.

You should have seen the iptables issue I had with my media server streaming to my PS3 and my syn flood protection rules.

nomb
 