I'm having a strange issue with iptables where it seems like it is not respecting the subnets as I state them.
I have a server 10.30.1.51 that I want to block, but for some reason it is being matched by an allow rule for 10.30.3.0/24.
Here are the four key lines. With this, 10.30.1.51 IS able to ssh to this server.
Code:
ACCEPT all -- 10.30.3.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 10.30.3.0/24
REJECT all -- 10.30.1.51 0.0.0.0/0 reject-with icmp-host-prohibited
REJECT all -- 0.0.0.0/0 10.30.1.51 reject-with icmp-host-prohibited
If I switch it around like so, then ssh is blocked.
Code:
REJECT all -- 10.30.1.51 0.0.0.0/0 reject-with icmp-host-prohibited
REJECT all -- 0.0.0.0/0 10.30.1.51 reject-with icmp-host-prohibited
ACCEPT all -- 10.30.3.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 10.30.3.0/24
What am I missing here?
I've tried specifying the subnet for 10.30.3.0 as /24, and also as /255.255.255.0. To make it better, if I change the 10.30.3 network to 10.20.3.0/24, then it no longer matches 10.30.1.51, and ssh is blocked again.
Make any sense? Why is my rule to allow 10.30.3.0 allowing 10.30.1.* traffic??
Full INPUT rules table:
Code:
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 172.24.128.35 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 172.24.128.35
ACCEPT all -- 10.30.3.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 10.30.3.0/24
REJECT all -- 10.30.1.51 0.0.0.0/0 reject-with icmp-host-prohibited
REJECT all -- 0.0.0.0/0 10.30.1.51 reject-with icmp-host-prohibited
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 192.168.0.0/16 0.0.0.0/0 tcp dpt:21
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
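The behaviour in the post is easiest to reason about by replaying the chain the way the kernel does: top to bottom, first matching rule wins, and a rule matches only if both its source and its destination contain the packet's addresses. The script below is an added example, not code from the post or from the iptables project. It parses the poster's own `iptables -L -n` lines verbatim and evaluates them against constructed packets. The server's own address is not given in the post, so two hypothetical destinations are used: one inside 10.30.3.0/24 and one outside it. The point it demonstrates is that 10.30.1.51 never falls inside 10.30.3.0/24 (so the source-based ACCEPT is not the culprit), but a destination-based ACCEPT for a subnet that contains the server's own address matches every inbound packet, including those from the host you meant to reject, whenever it sits above the REJECT. Putting host-specific REJECT rules ahead of broad ACCEPT rules, as in the poster's second ordering, removes the dependency on the server's address. When checking a live chain, `iptables -L -n -v` also shows the in/out interface columns that the plain listing hides, which matters for rules such as the first `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0` line.

```python
"""Replay iptables INPUT-chain evaluation with first-match semantics.

Added example; the rule lines are copied from the post, the packet
addresses used as the server's own address are constructed assumptions.
"""
import ipaddress

# The poster's four key rules, in the order that let 10.30.1.51 through.
RULES_ACCEPT_FIRST = [
    "ACCEPT all -- 10.30.3.0/24 0.0.0.0/0",
    "ACCEPT all -- 0.0.0.0/0 10.30.3.0/24",
    "REJECT all -- 10.30.1.51 0.0.0.0/0 reject-with icmp-host-prohibited",
    "REJECT all -- 0.0.0.0/0 10.30.1.51 reject-with icmp-host-prohibited",
]

# The same rules with the REJECT lines moved ahead of the ACCEPT lines
# (the poster's second ordering).
RULES_REJECT_FIRST = RULES_ACCEPT_FIRST[2:] + RULES_ACCEPT_FIRST[:2]

# Hypothetical server addresses (assumptions, not from the post): one
# inside the allowed 10.30.3.0/24 subnet and one outside it.
SERVER_IN_SUBNET = "10.30.3.10"
SERVER_OUTSIDE_SUBNET = "10.30.4.10"
BLOCKED_HOST = "10.30.1.51"


def parse_rule(line):
    """Turn one `iptables -L -n` line into (target, proto, src_net, dst_net).

    A bare address such as 10.30.1.51 becomes a /32 host network, and the
    netmask form 10.30.3.0/255.255.255.0 is accepted as well, so both
    spellings the poster tried evaluate identically.
    """
    fields = line.split()
    target, proto, src, dst = fields[0], fields[1], fields[3], fields[4]
    return target, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst)


def cidr_contains(network, address):
    """True when `address` lies inside `network` (CIDR or netmask form)."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(network)


def first_match(rules, src, dst, proto="tcp"):
    """Return (rule_index, target) of the first rule matching the packet.

    Mirrors netfilter's top-to-bottom evaluation: the first rule whose
    protocol, source and destination all match decides the verdict.
    (None, None) means no rule matched and the chain policy would apply.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for idx, line in enumerate(rules):
        target, rule_proto, src_net, dst_net = parse_rule(line)
        if rule_proto not in ("all", proto):
            continue
        if src_ip in src_net and dst_ip in dst_net:
            return idx, target
    return None, None


if __name__ == "__main__":
    print("10.30.1.51 in 10.30.3.0/24?", cidr_contains("10.30.3.0/24", BLOCKED_HOST))
    for label, rules in (("ACCEPT first", RULES_ACCEPT_FIRST),
                         ("REJECT first", RULES_REJECT_FIRST)):
        for server in (SERVER_IN_SUBNET, SERVER_OUTSIDE_SUBNET):
            idx, verdict = first_match(rules, BLOCKED_HOST, server)
            print(f"{label}: {BLOCKED_HOST} -> {server}: rule {idx} -> {verdict}")
```

Running the script shows the source-based check returning False for 10.30.1.51 against 10.30.3.0/24, while the ACCEPT-first ordering yields ACCEPT for a server inside 10.30.3.0/24 (matched by the destination rule) and REJECT for a server outside it; the REJECT-first ordering yields REJECT in both cases.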