Re: Trouble rejecting connections

Place the log target above all rules or create a LOG chain.
Why use double drop?
If the default policy is set to DROP, there is no need for additional drop
rules.
Also fix the lo line .. it can be written much simpler like
$IPT -A INPUT -p ALL -i $IF_LO -j ACCEPT
$IPT -A OUTPUT -p ALL -o $IF_LO -j ACCEPT

----- Original Message -----
From: "Ben" <nigma@xxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, January 28, 2004 10:19 AM
Subject: Trouble rejecting connections


> Hello all,
>
> I'm having trouble rejecting connections using iptables.  I am using
> cPanel / WHM on a RedHat 7.3 machine and iptables installed from
> iptables-1.2.8-8.72.3.i386.rpm .  I am using a script for my policy, it
> looks like this.
>
>
> //Start script
> IPTABLES="/sbin/iptables"
>
> #Flush everything, start from scratch
> $IPTABLES -F
>
> #Set default policies to DROP
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
>
> #Allow all lo traffic
> $IPTABLES -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
>
> #Allow all related and established connections
> $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> #Set default OUTPUT policy to ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
>
> # Open ports for server/services
> $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 37 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 43 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 465 -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport 465 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 873 -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport 873 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 995 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 2082 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 2083 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 2086 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 2087 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 2089 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 2095 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 3306 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 6666 -j ACCEPT
>
> #Enable Blogger support (non-standards compliant piece of dogshit that it
> is)
> $IPTABLES -A INPUT -s 66.102.15.83 -j ACCEPT
> $IPTABLES -A INPUT -s 216.34.7.186 -j ACCEPT
>
> #Add passive-mode people here
> #$IPTABLES -A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT
>
> #Add DENY people here
> #$IPTABLES -A INPUT -s 000.000.000.000 -j DROP
> $IPTABLES -A INPUT -s blocked.ip.address.here -j DROP
>
> #Logging
> $IPTABLES -A INPUT -j LOG --log-prefix "INPUTDEFAULT: "
>
> #Save rules
> iptables-save > /etc/sysconfig/iptables
>
> #Restart for rules to take effect
> service iptables restart
> //End script
>
> The problem is that I can still connect from blocked.ip.address.here.
> What did I miss?
>
> Ben Prince
> Cyber Pixels
> Systems Administrator
> ben@xxxxxxxxxxxxxxx
>
>

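The ordering the reply is pointing at, written out as an added example (not code from either poster). iptables walks the INPUT chain first-match, so a per-host DROP only has an effect if it sits before the port ACCEPT rules; the LOG step lives in its own chain at the end and relies on the DROP policy instead of a second drop rule, and the lo rule is reduced to the interface match. IPT defaults to "echo iptables" so the script prints the rules instead of loading them; the blocked address 192.0.2.10 and the shortened port list are assumptions.

```shell
#!/bin/sh
# Dry-run by default: IPT prints the rules it would load. Set IPT=/sbin/iptables to apply.
IPT="${IPT:-echo iptables}"
IF_LO=lo
BLOCKED_IP="${BLOCKED_IP:-192.0.2.10}"   # constructed placeholder, not a real blocked host

build_input_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback: the interface match is enough; -s/-d 0.0.0.0/0 adds nothing.
    $IPT -A INPUT -p ALL -i $IF_LO -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $IF_LO -j ACCEPT

    # Per-host DROP goes before every ACCEPT. Rules are matched first-hit, so
    # in the original script "--dport 22 -j ACCEPT" consumed the packet before
    # the DROP for the blocked address was ever reached.
    $IPT -A INPUT -s "$BLOCKED_IP" -j DROP

    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Shortened port list; the original opens many more.
    for port in 21 22 25 80 443; do
        $IPT -A INPUT -p tcp --dport $port -j ACCEPT
    done

    # Separate LOG chain as the last INPUT rule. No trailing DROP rule is
    # needed: whatever returns from here falls off INPUT and the policy drops it.
    $IPT -N LOGINPUT 2>/dev/null || $IPT -F LOGINPUT
    $IPT -A LOGINPUT -m limit --limit 5/min -j LOG --log-prefix "INPUTDEFAULT: "
    $IPT -A INPUT -j LOGINPUT
}

# 1-based position of the first INPUT rule matching $1 in the generated list;
# lets the ordering be checked in dry-run mode before touching a live box.
rule_position() {
    build_input_rules | grep -- '-A INPUT' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

build_input_rules
```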

