Re: IPs blocked still able to connect

Hello,

I did not mean you should be using -I for all your inserts .... when you load
your rules from a script ... a "-A" will work fine. But when adding a rule on
the fly later .. you most likely want to do a "-I" so it is at the top of the
list.

Example:

From script:

iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -j DROP

Now you find that you want to block spam from mai.hotmail.com (1.1.1.1)

Doing this:
iptables -A INPUT -i eth0 -s 1.1.1.1 -p tcp --dport 25 -j DROP 

Would cause the following to happen:
INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
INPUT -i eth0 -j DROP
INPUT -i eth0 -s 1.1.1.1 -p tcp --dport 25 -j DROP 

This has the port 25 ACCEPT happening before the DROP rule for 1.1.1.1 ... so it
would be accepted.

If you run:
iptables -I INPUT -i eth0 -s 1.1.1.1 -p tcp --dport 25 -j DROP 

Then you would have had:
INPUT -i eth0 -s 1.1.1.1 -p tcp --dport 25 -j DROP 
INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
INPUT -i eth0 -j DROP

As you can see the DROP for 1.1.1.1 comes first .. so SMTP from 1.1.1.1 would be
dropped before the ACCEPT ... blocking SMTP from 1.1.1.1

Michael.


On Mon, 14 Jun 2004 01:54:19 -0700
"Spiro Azkoul" <spiro@xxxxxxxxxxx> wrote:

> By doing the -I transition no one could connect to my server anymore. 
> 
> Knowing that I had a bunch of rules such as 
> 
> [root@linux root]# iptables -L INPUT 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination         
> DROP       all  --  YahooBB219000000000.bbtec.net/8  anywhere           
> DROP       all  --  AAnnecy-204-1-27-120.w81-249.abo.wanadoo.fr  anywhere
> 
> DROP       all  --  61.178.0.0/16        anywhere           
> DROP       all  --  53-bem-10.acn.waw.pl  anywhere           
> DROP       all  --  216.155.64.0/19      anywhere    
> RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere           
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh 
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http 
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp 
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
> 
> That did not work
> No one could connect for POP or SMTP. 
> What is wrong with that config?
> Thanks

-- 
Michael Gale
Network Administrator
Utilitran Corporation
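Added illustration, not part of this thread: a small Python model of first-match chain evaluation that replays the two scenarios above (the DROP for 1.1.1.1 appended with -A after the port-25 ACCEPT, and the same DROP inserted with -I at the head of the chain) and returns the verdict each ordering gives to an SMTP packet from 1.1.1.1. The Rule and Chain classes and the packet dictionary are constructed for this model and are not iptables code.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    target: str                   # ACCEPT or DROP
    iface: Optional[str] = None   # -i
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport
    src: Optional[str] = None     # -s (single host only in this model)

    def matches(self, pkt: dict) -> bool:
        # An unset field matches anything, like an omitted iptables match.
        return all(want is None or pkt.get(key) == want
                   for key, want in (("iface", self.iface), ("proto", self.proto),
                                     ("dport", self.dport), ("src", self.src)))

class Chain:
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules = []           # ordered; rule numbers are 1-based
        self.policy = policy
    def append(self, rule: Rule) -> None:                # iptables -A CHAIN ...
        self.rules.append(rule)
    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I CHAIN [pos] ...
        self.rules.insert(pos - 1, rule)
    def verdict(self, pkt: dict) -> str:
        # First matching rule decides; no match falls through to the policy.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

def base_chain() -> Chain:
    # The two rules the thread loads from a script.
    chain = Chain()
    chain.append(Rule("ACCEPT", iface="eth0", proto="tcp", dport=25))
    chain.append(Rule("DROP", iface="eth0"))
    return chain

# Constructed sample packet: SMTP from the host the thread wants to block.
SPAMMER = {"iface": "eth0", "proto": "tcp", "dport": 25, "src": "1.1.1.1"}
BLOCK = Rule("DROP", iface="eth0", proto="tcp", dport=25, src="1.1.1.1")

def verdict_with_append() -> str:
    chain = base_chain()
    chain.append(BLOCK)       # -A: lands after the port-25 ACCEPT, never reached
    return chain.verdict(SPAMMER)

def verdict_with_insert() -> str:
    chain = base_chain()
    chain.insert(BLOCK)       # -I: becomes rule 1, checked before the ACCEPT
    return chain.verdict(SPAMMER)
```

`iptables -L INPUT --line-numbers` shows the real rule order the same way, which is the quickest check that a newly added DROP did not land below an ACCEPT that shadows it.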
