LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
09-13-2014, 12:21 PM #1 battles (Debian GNU/Linux 7.5 wheezy)
Firewall block not working?


I have the two iptables records below. The 1.171.0.0/16 record was entered into the iptables some weeks ago. Today the 1.171.67.85 record hit with an invalid request, so it was blocked. My question is, why didn't the 1.171.0.0/16 block the 1.171.67.85 hit? 1.171.67.85 falls within its CIDR range.

Code:
125 6 240 DROP all -- * * 1.171.0.0/16 0.0.0.0/0 /* tiawan */
156 0 0 DROP all -- * * 1.171.67.85 0.0.0.0/0 /* TW BOA 1 Sep 13 2014 07:05:02 AM */

Thanks.
 
09-14-2014, 06:09 AM #2 Ser Olmy (Slackware)
Looking at the source IP filter alone, the first rule should cover all packets from 1.171.0.0/16. However, the rule could have other match criteria than the ones displayed above. Have a look at the output from iptables-save to see the entire ruleset with all details.
 
09-14-2014, 07:44 AM #3 battles (Original Poster)
My iptables-save file has

Code:
-A INPUT -s 1.171.0.0/16 -m comment --comment tiawan -j DROP

followed down the list by

Code:
-A INPUT -s 1.171.67.85/32 -m comment --comment "TW BOA 1 Sep 13 2014 07:05:02 AM" -j DROP

It seems to me that the first record should have caught and DROPped the second.
 
09-14-2014, 09:24 AM #4 Ser Olmy
I would think so too, unless the packet from 1.171.67.85 didn't have a destination address matching one on the firewall, in which case it would be processed by the FORWARD chain instead.

Are you saying you can see matches against the second rule in the logs, even though the rule is clearly a subset of the earlier rule? Did you add these rules manually?

(It's "Taiwan", BTW.)
 
09-14-2014, 09:41 AM #5 battles (Original Poster)
You caught me (It's "Taiwan", BTW.).

Yes, the rule (1.171.67.85/32) is clearly a subset of the earlier rule (1.171.0.0/16), a CIDR which I manually entered some time back. I had this happen with another IP recently. Apparently there is some kind of fluke going on with the firewall causing this. Most all other records show that IPs are being dropped. Here are a few:

Code:
num   pkts bytes target     prot opt in     out     source               destination         
32      30  1326 DROP       all  --  *      *       60.169.0.0/16        0.0.0.0/0            /* china */
33       2   147 DROP       all  --  *      *       60.170.0.0/16        0.0.0.0/0            /* china */
34       3   218 DROP       all  --  *      *       60.172.0.0/16        0.0.0.0/0            /* china */
35     185  8702 DROP       all  --  *      *       60.173.0.0/16        0.0.0.0/0            /* china */
36       2   110 DROP       all  --  *      *       60.174.0.0/16        0.0.0.0/0            /* china */
I was told that 'pkts' represents packets that have hit and been dropped.

Periodic IPs getting through like this isn't a big problem. I'll just live with it and let them stay as /32.

Thanks for your input.

Last edited by battles; 09-14-2014 at 10:14 AM.
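The question running through this thread is whether a later /32 DROP rule can ever fire when an earlier /16 DROP in the same chain already contains it, and Ser Olmy's two caveats are that the earlier rule might carry extra match criteria not shown by `iptables -L`, and that the packet might be traversing a different chain (FORWARD rather than INPUT). The following script is an added example, not code from the thread or from the iptables project: it reads `iptables-save` style lines and reports every rule that is shadowed by an earlier terminating rule in the same chain, treating any match option it does not model as a reason not to claim coverage. The sample ruleset is constructed for the example; the 1.171.x lines are modeled on the ones the poster quoted, and the 10.x lines are invented to show the more dangerous case where an ACCEPT placed before a narrower DROP makes the DROP unreachable.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format (not a real dump). Lines 1 and 3
# mirror the thread; lines 4-5 are invented; line 6 is in a different chain.
SAMPLE_RULES = """\
-A INPUT -s 1.171.0.0/16 -m comment --comment tiawan -j DROP
-A INPUT -s 60.169.0.0/16 -m comment --comment china -j DROP
-A INPUT -s 1.171.67.85/32 -m comment --comment "TW BOA 1 Sep 13 2014 07:05:02 AM" -j DROP
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.1.2.3/32 -p tcp -m tcp --dport 22 -j DROP
-A FORWARD -s 1.171.67.85/32 -j DROP
"""

# Targets that end traversal of the chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Parse one '-A' line into the fields we compare; unknown options are kept as opaque."""
    toks = shlex.split(line)  # shlex handles the quoted comment text
    rule = {"chain": None, "src": None, "dst": None, "proto": None,
            "dport": None, "target": None, "comment": "", "opaque": []}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "!":
            # Negated match ("! -s ..."): not modelled, so keep the whole triple opaque.
            rule["opaque"].extend(toks[i:i + 3])
            i += 3
            continue
        if t in ("-A", "-s", "-d", "-p", "--dport", "-j", "-m", "--comment"):
            if i + 1 >= len(toks):
                raise ValueError("missing argument after %s in: %s" % (t, line))
            v = toks[i + 1]
            if t == "-A":
                rule["chain"] = v
            elif t in ("-s", "-d"):
                rule["src" if t == "-s" else "dst"] = ipaddress.ip_network(v, strict=False)
            elif t == "-p":
                rule["proto"] = v
            elif t == "--dport":
                rule["dport"] = v
            elif t == "-j":
                rule["target"] = v
            elif t == "--comment":
                rule["comment"] = v
            # "-m <module>" only names a match extension; its options follow and are handled above
            i += 2
        else:
            rule["opaque"].append(t)
            i += 1
    return rule


def covers(earlier, later):
    """True only if we can prove every packet matching `later` already hits `earlier` first."""
    if earlier["chain"] != later["chain"]:
        return False          # different chain: the packet never sees both rules
    if earlier["opaque"]:
        return False          # earlier rule has criteria we don't model; don't claim coverage
    for key in ("src", "dst"):
        e, r = earlier[key], later[key]
        if e is not None:
            if r is None or r.version != e.version or not r.subnet_of(e):
                return False
    for key in ("proto", "dport"):
        if earlier[key] is not None and earlier[key] != later[key]:
            return False
    return earlier["target"] in TERMINATING


def find_shadowed(save_text):
    """Return (later_line, earlier_line, later_target, earlier_target) for each shadowed rule."""
    rules = [parse_rule(l) for l in save_text.splitlines() if l.startswith("-A ")]
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                findings.append((j + 1, i + 1, later["target"], rules[i]["target"]))
                break  # first covering rule is the one that actually fires
    return findings


if __name__ == "__main__":
    for later, earlier, lt, et in find_shadowed(SAMPLE_RULES):
        flag = "redundant" if lt == et else "UNREACHABLE (earlier %s wins)" % et
        print("rule %d (-j %s) is shadowed by rule %d: %s" % (later, lt, earlier, flag))
```

On the sample, rule 3 is reported as redundant (both DROP, exactly the situation in the thread) and rule 5 as unreachable because the broader ACCEPT precedes it; the FORWARD rule is left alone because it is in a different chain. Reading the counters the poster quoted the same way: the pkts and bytes columns of `iptables -L -v` count packets that matched that rule, so a /32 rule sitting behind a /16 DROP that contains it is expected to show 0 in both columns, while any non-zero count on the narrower rule is the signal that something (another chain, or an extra match on the broader rule) let the packet past the first one.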
All times are GMT -5.