Hello all,
I'm having trouble rejecting connections using iptables. I am using cPanel / WHM on a RedHat 7.3 machine and iptables installed from iptables-1.2.8-8.72.3.i386.rpm . I am using a script for my policy, it looks like this.
#Start script
IPTABLES="/sbin/iptables"

#Flush everything, start from scratch
$IPTABLES -F

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

#Allow all lo traffic
$IPTABLES -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

#Allow all related and established connections
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Set default OUTPUT policy to ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Open ports for server/services
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 37 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 43 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 465 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 465 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 995 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2082 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2083 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2086 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2087 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2089 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2095 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 6666 -j ACCEPT

#Enable Blogger support (non-standards compliant piece of dogshit that it is)
$IPTABLES -A INPUT -s 66.102.15.83 -j ACCEPT
$IPTABLES -A INPUT -s 216.34.7.186 -j ACCEPT

#Add passive-mode people here
#$IPTABLES -A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT

#Add DENY people here
#$IPTABLES -A INPUT -s 000.000.000.000 -j DROP
$IPTABLES -A INPUT -s blocked.ip.address.here -j DROP
You need to move these DROP and LOG rules up so they come before the ACCEPT rules. Otherwise the packets may have already been accepted.
Jeff
#Logging
$IPTABLES -A INPUT -j LOG --log-prefix "INPUTDEFAULT: "

#Save rules
iptables-save > /etc/sysconfig/iptables

#Restart for rules to take effect
service iptables restart
#End script
The problem is that I can still connect from blocked.ip.address.here. What did I miss?
Ben Prince
Cyber Pixels
Systems Administrator
ben@xxxxxxxxxxxxxxx
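A first-match simulation of the ordering problem Jeff points out, written as an added example (it is not from the list message and does not call iptables); the rule tables, the "blocked" host 203.0.113.7 and the other addresses are constructed for illustration.

```shell
#!/bin/sh
# Simulates iptables first-match evaluation of a NEW connection in the INPUT chain:
# the first rule whose fields all match decides the verdict; if nothing matches,
# the chain policy applies (-P INPUT DROP, as in the posted script).

# Rule tables, one rule per line: "<src> <proto> <dport> <target>", "any" = wildcard.
# Constructed to mirror the post's order: port ACCEPTs appended first, the DROP last.
AS_POSTED='any tcp 22 ACCEPT
any tcp 80 ACCEPT
any tcp 443 ACCEPT
203.0.113.7 any any DROP'

# Jeff's fix: the DROP line is issued before the port ACCEPT lines.
REORDERED='203.0.113.7 any any DROP
any tcp 22 ACCEPT
any tcp 80 ACCEPT
any tcp 443 ACCEPT'

# first_match RULES SRC PROTO DPORT -> prints ACCEPT or DROP
first_match() {
    rules=$1 src=$2 proto=$3 dport=$4
    verdict=DROP                       # chain policy if no rule matches
    while IFS=' ' read -r r_src r_proto r_dport r_target; do
        [ -n "$r_target" ] || continue
        case "$r_src"   in any|"$src")   ;; *) continue ;; esac
        case "$r_proto" in any|"$proto") ;; *) continue ;; esac
        case "$r_dport" in any|"$dport") ;; *) continue ;; esac
        verdict=$r_target                # first match wins; later rules never run
        break
    done <<EOF
$rules
EOF
    printf '%s\n' "$verdict"
}

# Same packet under both orderings: the "blocked" host opening tcp/80
printf 'as posted  : %s\n' "$(first_match "$AS_POSTED" 203.0.113.7 tcp 80)"    # ACCEPT
printf 'reordered  : %s\n' "$(first_match "$REORDERED" 203.0.113.7 tcp 80)"    # DROP
# Other hosts are unaffected by moving the DROP rule up
printf 'other host : %s\n' "$(first_match "$REORDERED" 198.51.100.9 tcp 80)"   # ACCEPT
printf 'closed port: %s\n' "$(first_match "$REORDERED" 198.51.100.9 tcp 8080)" # DROP (policy)
```

On the server the equivalent is to issue the DROP lines before the port ACCEPT lines, or insert them at the top with `-I INPUT 1`; `iptables -L INPUT -n --line-numbers` shows the order the kernel will actually walk.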