LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-01-2010, 07:59 AM   #1
zamorac
LQ Newbie
 
Registered: May 2010
Posts: 5

Rep: Reputation: 0
iptables not dropping ip


I have tried to find a topic for this, but i couldn`t so if there is one please reffer me.

So, i have centOS 5.2 and i use iptables. On it a run a couple of Counter-Strike servers. In my firewall i have a rule that states:

-A RH-Firewall-1-INPUT -m iprange --src-range 77.28.0.0-77.29.255.255 -j DROP

Input and forward are reffered to RH-Firewall-1-INPUT.But, it doesn`t drop the ips from the range. I have been working on it the whole morning and i`m really frustrated by now. I have tried with my ip

-A RH-Firewall-1-INPUT -s 77.46.191.147 -j DROP

and could still connect to the damn servers.

To edit the list i use:

iptables-save > /tmp/ipt
iptables-restore < /tmp/ipt (after i edited the file ofcourse)
/etc/init.d/iptables save

and when i check the chains with iptables -L -n all of them are there, but, again, i can still connect to the damn servers

Last edited by win32sux; 05-01-2010 at 08:05 AM. Reason: Toned-down the language a notch.
 
Old 05-01-2010, 08:07 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
It sounds like you've got a rule on top of this one sending the packets to ACCEPT.

Can you post the output of this command please:
Code:
iptables -nvL --line-numbers
 
Old 05-01-2010, 08:09 AM   #3
zamorac
LQ Newbie
 
Registered: May 2010
Posts: 5

Original Poster
Rep: Reputation: 0
Shure.

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    1081K   70M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1463K packets, 201M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     3114  266K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     1785  299K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
3        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
6        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    1075K   69M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
11     974 51038 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27015 state NEW
12      31  1490 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27016 state NEW
13      64  3377 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27020 state NEW
14     285 13185 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27021 state NEW
15      93  4754 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27022 state NEW
16      13   589 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27025 state NEW
17       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           source IP range 77.28.0.0-77.29.255.255
18       0     0 LOG        all  --  *      *       88.233.0.0/16        0.0.0.0/0           LOG flags 0 level 4 prefix `Turkishen drop: '
19       0     0 DROP       all  --  *      *       88.233.0.0/16        0.0.0.0/0
20       0     0 LOG        all  --  *      *       88.254.0.0/16        0.0.0.0/0           LOG flags 0 level 4 prefix `Turkishen drop: '
21       0     0 DROP       all  --  *      *       88.254.0.0/16        0.0.0.0/0
22       0     0 LOG        all  --  *      *       88.229.0.0/16        0.0.0.0/0           LOG flags 0 level 4 prefix `Turkishen drop: '
23       0     0 DROP       all  --  *      *       88.229.0.0/16        0.0.0.0/0
24       0     0 LOG        all  --  *      *       85.104.0.0/16        0.0.0.0/0           LOG flags 0 level 4 prefix `Turkishen drop: '
25       0     0 DROP       all  --  *      *       85.104.0.0/16        0.0.0.0/0
26       0     0 LOG        all  --  *      *       81.213.0.0/16        0.0.0.0/0           LOG flags 0 level 4 prefix `Turkishen drop: '
27       0     0 DROP       all  --  *      *       81.213.0.0/16        0.0.0.0/0
28       0     0 LOG        all  --  *      *       81.240.0.0/16        0.0.0.0/0           LOG flags 0 level 4 prefix `Turkishen drop: '
29       0     0 DROP       all  --  *      *       81.240.0.0/16        0.0.0.0/0
30       0     0 LOG        all  --  *      *       88.244.0.0/16        0.0.0.0/0           LOG flags 0 level 4 prefix `Turkishen drop: '
31       0     0 DROP       all  --  *      *       88.244.0.0/16        0.0.0.0/0
32       0     0 LOG        all  --  *      *       85.106.0.0/17        0.0.0.0/0           LOG flags 0 level 4 prefix `Turkishen drop: '
33       0     0 DROP       all  --  *      *       85.106.0.0/17        0.0.0.0/0
34       0     0 DROP       all  --  *      *       85.94.0.0/17         0.0.0.0/0
35       0     0 DROP       all  --  *      *       77.222.0.0/17        0.0.0.0/0
36       0     0 DROP       all  --  *      *       87.101.0.0/17        0.0.0.0/0
37       0     0 DROP       all  --  *      *       93.86.24.5           0.0.0.0/0
38       0     0 DROP       all  --  *      *       93.86.27.58          0.0.0.0/0
39      93  8208 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
 
Old 05-01-2010, 08:16 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by zamorac View Post
Code:
1     3114  266K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     1785  299K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
3        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
6        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    1075K   69M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
11     974 51038 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27015 state NEW
12      31  1490 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27016 state NEW
13      64  3377 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27020 state NEW
14     285 13185 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27021 state NEW
15      93  4754 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27022 state NEW
16      13   589 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27025 state NEW
17       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           source IP range 77.28.0.0-77.29.255.255
You've got sixteen rules sending packets to ACCEPT before your DROP rule. If any of the packets you wish to filter match any of those rules, they will be sent to ACCEPT and will never run into your DROP rule. You need to stick your DROP rule above the interfering ACCEPT rule(s), or stick the relevant ACCEPT rule(s) below your DROP one. Presumably, your problem here lies with rules 1116, but only you can know for sure. Also note that if you want to prevent these IPs from connecting to anything, then you could simply stick your DROP rule at the very top of the chain.

Last edited by win32sux; 05-01-2010 at 08:24 AM.
 
Old 05-01-2010, 08:35 AM   #5
zamorac
LQ Newbie
 
Registered: May 2010
Posts: 5

Original Poster
Rep: Reputation: 0
Yes, well, i didn`t even notice that :$

It worked, thanks a lot, i`m blind
 
Old 05-01-2010, 08:39 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by zamorac View Post
Yes, well, i didn`t even notice that :$

It worked, thanks a lot, i`m blind
Heh, no problem. Glad you got it working.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables not dropping packets? Petro P Linux - Networking 0 07-03-2008 11:21 PM
Iptables is dropping accepted packages Jinkzer Linux - Server 3 03-13-2008 09:15 AM
iptables dansguardian and squid - dropping URL jlw253 Linux - Security 5 07-22-2007 03:29 PM
iptables - dropping an ip *range* chibi Linux - Security 6 12-17-2005 08:22 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:43 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration