Iptables drop not working properly

Issues related to configuring your network
digitalfixer
Posts: 3
Joined: 2014/06/12 11:21:17

Iptables drop not working properly

Post by digitalfixer » 2014/07/24 05:19:50

I hope this is the right section for this problem.

Iptables version is 1.3.5

This is from the config file

Code:

TOOL='/sbin/iptables'

# flush tables
$TOOL -F INPUT
$TOOL -F OUTPUT
$TOOL -F FORWARD
$TOOL -t nat -F PREROUTING
$TOOL -t nat -F POSTROUTING

# default policies
$TOOL -P INPUT DROP
$TOOL -P OUTPUT DROP
$TOOL -P FORWARD ACCEPT

# ppp0
$TOOL -A INPUT -s 116.10.191.0/24 -j DROP
$TOOL -A INPUT -s 222.163.192.0/24 -j DROP
$TOOL -A INPUT -s 86.101.234.0/24 -j DROP
$TOOL -A INPUT -s 61.171.0.0/24 -j DROP
$TOOL -A INPUT -s 139.182.22.0/24 -j DROP
$TOOL -A INPUT -s 183.60.20.0/24 -j DROP
$TOOL -A INPUT -s 61.174.0.0/24 -j DROP
$TOOL -A INPUT -s 113.193.0.0/24 -j DROP
# accept replies to connections already tracked on ppp0
$TOOL -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# rate-limit new SSH connections, drop anything over the limit
$TOOL -A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 2 -j ACCEPT
$TOOL -A INPUT -p tcp --dport 22 --syn -j DROP

This is the output from iptables -L -v -n

Code:

Chain INPUT (policy DROP 9728 packets, 654K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  121  4840 DROP       all  --  *      *       116.10.191.0/24      0.0.0.0/0           
  170 10200 DROP       all  --  *      *       222.163.192.0/24     0.0.0.0/0           
  198 11880 DROP       all  --  *      *       86.101.234.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       61.171.0.0/24        0.0.0.0/0           
    0     0 DROP       all  --  *      *       139.182.22.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       183.60.20.0/24       0.0.0.0/0           
    0     0 DROP       all  --  *      *       61.174.0.0/24        0.0.0.0/0           
    0     0 DROP       all  --  *      *       113.193.0.0/24       0.0.0.0/0           
 699K  363M ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  461 23176 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x17/0x02 limit: avg 1/min burst 2 
  854 46608 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x17/0x02 
And this is from my daily logwatch email.

Code:

--------------------- pam_unix Begin ------------------------ 

sshd:
   Authentication Failures:
      avahi (125.210.216.25): 5 Time(s)
      root (93-63-173-228.ip28.fastwebnet.it): 5 Time(s)
      root (61.174.50.216): 3 Time(s)
      root (61.174.50.224): 3 Time(s)
      root (61.174.51.211): 3 Time(s)
      unknown (a141.sub94.net78.udm.net): 3 Time(s)
      root (60.173.11.113): 2 Time(s)
      root (61.174.51.204): 2 Time(s)
      root (61.174.51.216): 2 Time(s)
      unknown (115.146.121.243): 2 Time(s)
      unknown (182.79.235.9): 2 Time(s)
      unknown (221.179.89.90): 2 Time(s)
      unknown (61.174.50.224): 2 Time(s)
      gopher (125.210.216.25): 1 Time(s)
      root (211.140.18.59): 1 Time(s)
      root (61.174.51.209): 1 Time(s)
      root (61.174.51.233): 1 Time(s)
      root (mail.blackpeony.com): 1 Time(s)
      unknown (61.174.51.204): 1 Time(s)
      unknown (61.174.51.233): 1 Time(s)
      unknown (93-63-173-228.ip28.fastwebnet.it): 1 Time(s)
      unknown (mail.blackpeony.com): 1 Time(s)
   Invalid Users:
      Unknown Account: 23 Time(s)


---------------------- pam_unix End ------------------------- 


--------------------- SSHD Begin ------------------------ 


Disconnecting after too many authentication failures for user:
   admin : 4 Time(s)
   root : 14 Time(s)

Failed logins from:
   58.241.61.162 (mail.blackpeony.com): 1 time
   60.173.11.113: 2 times
   61.174.50.216 (216.50.174.61.dial.wz.zj.dynamic.163data.com.cn): 3 times
   61.174.50.224 (224.50.174.61.dial.wz.zj.dynamic.163data.com.cn): 3 times
   61.174.51.204 (204.51.174.61.dial.wz.zj.dynamic.163data.com.cn): 2 times
   61.174.51.209 (209.51.174.61.dial.wz.zj.dynamic.163data.com.cn): 1 time
   61.174.51.211 (211.51.174.61.dial.wz.zj.dynamic.163data.com.cn): 3 times
   61.174.51.216 (216.51.174.61.dial.wz.zj.dynamic.163data.com.cn): 2 times
   61.174.51.233 (233.51.174.61.dial.wz.zj.dynamic.163data.com.cn): 2 times
   93.63.173.228 (93-63-173-228.ip28.fastwebnet.it): 5 times
   125.210.216.25: 6 times
   211.140.18.59: 1 time

Illegal users from:
   58.241.61.162 (mail.blackpeony.com): 1 time
   61.174.50.224 (224.50.174.61.dial.wz.zj.dynamic.163data.com.cn): 6 times
   61.174.51.204 (204.51.174.61.dial.wz.zj.dynamic.163data.com.cn): 3 times
   61.174.51.233 (233.51.174.61.dial.wz.zj.dynamic.163data.com.cn): 3 times
   78.85.94.141 (a141.sub94.net78.udm.net): 3 times
   93.63.173.228 (93-63-173-228.ip28.fastwebnet.it): 1 time
   115.146.121.243: 2 times
   182.79.235.9: 2 times
   221.179.89.90: 2 times

As I understand it, all the IP numbers in the first part of my config should be silently dropped, but that doesn't seem to be happening.

Any ideas would be appreciated.

Kevin.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Iptables drop not working properly

Post by gerald_clark » 2014/07/24 13:03:13

Which one was not dropped that you thought should have been?

digitalfixer
Posts: 3
Joined: 2014/06/12 11:21:17

Re: Iptables drop not working properly

Post by digitalfixer » 2014/07/24 13:31:54

Gerald

I would have expected everything from 61.174.X.X to be dropped, but as the mail shows, they were still getting through.

Kevin.

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: Iptables drop not working properly

Post by stevemowbray » 2014/07/24 16:06:21

To do that, 61.174.0.0/24 needs to be 61.174.0.0/16 -- you have the netmask wrong.
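An added example (not from this thread or from iptables) that shows why the /24 rule misses the logged sources: it parses the DROP rules and the logwatch "Failed logins from:" lines quoted above (a constructed subset of them) and reports, for each failed-login source, which drop rule it falls inside, before and after widening the mask as suggested.

```python
import ipaddress
import re

# Constructed inputs: a subset of the rule set and the logwatch report from the thread.
DROP_RULES = """
$TOOL -A INPUT -s 116.10.191.0/24 -j DROP
$TOOL -A INPUT -s 61.174.0.0/24 -j DROP
"""

LOGWATCH = """
Failed logins from:
   61.174.50.216 (216.50.174.61.dial.wz.zj.dynamic.163data.com.cn): 3 times
   93.63.173.228 (93-63-173-228.ip28.fastwebnet.it): 5 times
   125.210.216.25: 6 times
"""

RULE_RE = re.compile(r"-s\s+(\S+)\s+-j\s+DROP")
SRC_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\b.*?:\s+(\d+) times?", re.M)


def drop_networks(script):
    """Networks named by '-s <net> -j DROP' rules, as ipaddress objects."""
    return [ipaddress.ip_network(m.group(1)) for m in RULE_RE.finditer(script)]


def failed_login_sources(report):
    """{source address: failure count} parsed from logwatch's 'Failed logins from:' lines."""
    return {ipaddress.ip_address(ip): int(n) for ip, n in SRC_RE.findall(report)}


def matching_rule(addr, networks):
    """First drop network containing addr (iptables walks the chain in order), else None."""
    for net in networks:
        if addr in net:
            return net
    return None


def audit(script, report):
    """{source: drop network string or None} for every failed-login source in the report."""
    nets = drop_networks(script)
    result = {}
    for ip in failed_login_sources(report):
        hit = matching_rule(ip, nets)
        result[str(ip)] = str(hit) if hit is not None else None
    return result


def widen(script, old_net, new_net):
    """Return the script with one rule's prefix rewritten (e.g. /24 -> /16)."""
    return script.replace(old_net, new_net)
```

Running audit() on the original rules shows 61.174.50.216 matching no rule at all, because 61.174.0.0/24 only covers 61.174.0.0 through 61.174.0.255; after widen(DROP_RULES, "61.174.0.0/24", "61.174.0.0/16") the same source reports "61.174.0.0/16".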

digitalfixer
Posts: 3
Joined: 2014/06/12 11:21:17

Re: Iptables drop not working properly

Post by digitalfixer » 2014/07/25 09:23:14

Thanks Steve.

That caught some of them after I changed the config.

Kevin.
