Iptables doesn't block UDP in INPUT chain

igro
Posts: 77
Joined: 2010/08/27 00:41:25

Iptables doesn't block UDP in INPUT chain

Post by igro » 2015/08/12 05:32:20

Hi!
Can't block any UDP port in the INPUT chain, but it works how I expect in the OUTPUT chain.
Table filter:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
424 331K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
6 710 ACCEPT icmp -- eth0.100 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- eth0.100 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
3 252 ACCEPT icmp -- eth0.100 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- eth0.100 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- eth0.110 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- eth0.110 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- eth0.110 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- eth0.110 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- eth0.400 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- eth0.400 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- eth0.400 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- eth0.400 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- eth0.500 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- eth0.500 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- eth0.500 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- eth0.500 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
1454 187K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
2241 147K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:123
23 2922 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
38748 24M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
92294 138M ACCEPT tcp -- eth0.100 * 0.0.0.0/0 0.0.0.0/0 tcp spt:80
23 11028 ACCEPT tcp -- eth0.100 * 0.0.0.0/0 0.0.0.0/0 tcp spt:443
226 16060 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
98 18443 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:587
38 2672 ACCEPT tcp -- * * 10.14.0.6 0.0.0.0/0 tcp spt:3493
0 0 ACCEPT tcp -- * * 10.14.0.9 0.0.0.0/0 tcp spt:389
0 0 ACCEPT tcp -- * * 10.14.0.9 0.0.0.0/0 tcp spt:636
763 151K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
424 331K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
3 554 ACCEPT icmp -- * eth0.100 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * eth0.100 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * eth0.100 0.0.0.0/0 0.0.0.0/0 icmp type 0
3 252 ACCEPT icmp -- * eth0.100 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * eth0.110 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * eth0.110 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * eth0.110 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * eth0.110 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * eth0.400 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * eth0.400 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * eth0.400 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * eth0.400 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * eth0.500 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * eth0.500 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * eth0.500 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * eth0.500 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
1469 106K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
2212 304K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
17 2260 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80
104K 140M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443
70598 2878K ACCEPT tcp -- * eth0.100 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
28 6563 ACCEPT tcp -- * eth0.100 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
179 22980 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
77 27511 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
76 4104 ACCEPT tcp -- * * 0.0.0.0/0 10.14.0.6 tcp dpt:3493
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.14.0.9 tcp dpt:389
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.14.0.9 tcp dpt:636
153 49685 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Checking ossec port from 10.14.0.117:
nc -vzu 10.14.0.4 1514
Connection to 10.14.0.4 1514 port [udp/*] succeeded!
Checking the same from 10.14.0.4:
ifconfig eth0.100
eth0.100 Link encap:Ethernet HWaddr 00:E0:4C:C0:8D:C3
inet addr:10.14.0.4 Bcast:10.14.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1339333 errors:0 dropped:0 overruns:0 frame:0
TX packets:1563239 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1342695741 (1.2 GiB) TX bytes:1250695920 (1.1 GiB)

nc -vzu 10.14.0.6 1514
[nothing happens]
Table nat:
Chain PREROUTING (policy ACCEPT 40769 packets, 3741K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 27705 packets, 1986K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 27759 packets, 1991K bytes)
pkts bytes target prot opt in out source destination
Table mangle:
Chain PREROUTING (policy ACCEPT 1214K packets, 1319M bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 1212K packets, 1319M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1468K packets, 1211M bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1467K packets, 1211M bytes)
pkts bytes target prot opt in out source destination
Table raw:
Chain PREROUTING (policy ACCEPT 15 packets, 970 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 11 packets, 1439 bytes)
pkts bytes target prot opt in out source destination
Interfaces:
eth0 Link encap:Ethernet HWaddr 00:E0:4C:C0:8D:C3
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34928113 errors:5305 dropped:6355 overruns:2982 frame:0
TX packets:39792052 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23562665587 (21.9 GiB) TX bytes:34757292068 (32.3 GiB)
Interrupt:20 Base address:0xe000

eth0.100 Link encap:Ethernet HWaddr 00:E0:4C:C0:8D:C3
inet addr:10.14.0.4 Bcast:10.14.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1341091 errors:0 dropped:0 overruns:0 frame:0
TX packets:1565011 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1342887479 (1.2 GiB) TX bytes:1251806227 (1.1 GiB)

eth0.110 Link encap:Ethernet HWaddr 00:E0:4C:C0:8D:C3
inet addr:10.14.2.4 Bcast:10.14.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8514 errors:0 dropped:0 overruns:0 frame:0
TX packets:3638 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:794204 (775.5 KiB) TX bytes:457998 (447.2 KiB)

eth0.400 Link encap:Ethernet HWaddr 00:E0:4C:C0:8D:C3
inet addr:10.14.4.4 Bcast:10.14.4.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:529 errors:0 dropped:0 overruns:0 frame:0
TX packets:214 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:44969 (43.9 KiB) TX bytes:27584 (26.9 KiB)

eth0.500 Link encap:Ethernet HWaddr 00:E0:4C:C0:8D:C3
inet addr:10.14.5.4 Bcast:10.14.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:192 errors:0 dropped:0 overruns:0 frame:0
TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:24558 (23.9 KiB) TX bytes:2749 (2.6 KiB)

eth0.600 Link encap:Ethernet HWaddr 00:E0:4C:C0:8D:C3
inet addr:10.14.6.4 Bcast:10.14.6.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:455 errors:0 dropped:0 overruns:0 frame:0
TX packets:279 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:24586 (24.0 KiB) TX bytes:43202 (42.1 KiB)

eth0:1 Link encap:Ethernet HWaddr 00:E0:4C:C0:8D:C3
inet addr:10.14.3.1 Bcast:10.14.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:20 Base address:0xe000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1336475 errors:0 dropped:0 overruns:0 frame:0
TX packets:1336475 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1104498836 (1.0 GiB) TX bytes:1104498836 (1.0 GiB)
Modules list:
lsmod|grep ipt
ipt_LOG 5845 0
iptable_raw 2264 0
iptable_mangle 3349 0
iptable_nat 6051 0
nf_nat 23316 1 iptable_nat
nf_conntrack_ipv4 9506 3 iptable_nat,nf_nat
iptable_filter 2793 1
ip_tables 17831 4 iptable_raw,iptable_mangle,iptable_nat,iptable_filter
nf_conntrack 80646 5 iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
ipt_REJECT 2351 0
How can I diagnose what's wrong?
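Added example (editor's code, not the poster's): a small first-match walker over the INPUT chain as printed by `iptables -L INPUT -v -n`, fed a trimmed copy of the chain from the post. It answers the diagnostic question by computing which rule a given packet hits, and it models why `nc -vzu` is misleading here: in UDP zero-I/O mode nc prints "succeeded" whenever no ICMP port-unreachable comes back, so a silent DROP is indistinguishable from an open port. The sample chain, the packet descriptions and the "succeeded"/"failed" labels are constructed for the example; the walker handles only the match fields visible in the post (protocol, interfaces, source/destination, spt/dpt, icmp type).

```python
import ipaddress

# Constructed sample: a trimmed copy of the INPUT chain from the post, in
# `iptables -L INPUT -v -n` format, keeping only the rules needed here.
INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  424 331K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    6 710 ACCEPT icmp -- eth0.100 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
 1454 187K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
 2241 147K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
  226 16060 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
   38 2672 ACCEPT tcp -- * * 10.14.0.6 0.0.0.0/0 tcp spt:3493
  763 151K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""


def _port_matches(spec, port):
    """spec is 'N' or 'LOW:HIGH', as printed after spt:/dpt:."""
    if ":" in spec:
        low, high = (int(x) for x in spec.split(":", 1))
        return low <= port <= high
    return int(spec) == port


def parse_chain(text):
    """Return (policy, rules) for one chain of `iptables -L -v -n` output."""
    policy, rules = None, []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":          # "Chain INPUT (policy ACCEPT ..."
            policy = fields[3]
            continue
        if fields[0] == "pkts":           # column header
            continue
        _pkts, _bytes, target, proto, _opt, in_if, out_if, src, dst = fields[:9]
        rule = {
            "line": line.strip(),
            "target": target,
            "proto": proto,
            "in": in_if,
            "out": out_if,
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
        }
        extra = fields[9:]                # e.g. "udp spt:67 dpt:68", "icmp type 3"
        for i, tok in enumerate(extra):
            if tok.startswith("spt:"):
                rule["spt"] = tok[4:]
            elif tok.startswith("dpt:"):
                rule["dpt"] = tok[4:]
            elif tok in ("type", "icmptype") and i + 1 < len(extra):
                rule["icmp_type"] = int(extra[i + 1])
        rules.append(rule)
    return policy, rules


def _matches(rule, pkt):
    """True if every match field printed for the rule applies to the packet."""
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    if rule["in"] != "*" and rule["in"] != pkt.get("in", ""):
        return False
    if rule["out"] != "*" and rule["out"] != pkt.get("out", ""):
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if "spt" in rule and not _port_matches(rule["spt"], pkt.get("sport", -1)):
        return False
    if "dpt" in rule and not _port_matches(rule["dpt"], pkt.get("dport", -1)):
        return False
    if "icmp_type" in rule and rule["icmp_type"] != pkt.get("icmp_type"):
        return False
    return True


def walk(chain_text, pkt):
    """First-match evaluation: (target, matching rule line) or (policy, 'policy')."""
    policy, rules = parse_chain(chain_text)
    for rule in rules:
        if _matches(rule, pkt):
            return rule["target"], rule["line"]
    return policy, "policy"


def nc_udp_zero_io_result(target, listener):
    """Label for what `nc -vzu host port` reports, given the firewall verdict and
    whether something is bound to the port. nc only reports failure when an ICMP
    port-unreachable arrives; a silent DROP therefore reads as 'succeeded'."""
    if target == "REJECT":
        return "failed"       # REJECT answers with ICMP port-unreachable by default
    if target == "ACCEPT" and not listener:
        return "failed"       # the kernel answers with ICMP port-unreachable
    return "succeeded"        # open port or DROP: nothing comes back either way


if __name__ == "__main__":
    # The probe from the post: UDP 1514 (ossec) from 10.14.0.117 to 10.14.0.4 on eth0.100.
    probe = {"proto": "udp", "in": "eth0.100", "src": "10.14.0.117",
             "dst": "10.14.0.4", "sport": 40000, "dport": 1514}
    target, rule = walk(INPUT_CHAIN, probe)
    print(f"UDP 10.14.0.117 -> 10.14.0.4:1514 hits {target} via: {rule}")
    print("nc -vzu would report:", nc_udp_zero_io_result(target, listener=True))
```

The walker puts the ossec probe on the final `DROP all` rule (the one whose counter already reads 763 packets in the post), which is exactly what a working firewall should do; the remote "succeeded" is nc's UDP false positive, not a hole. To confirm on the box itself, watch that DROP counter (`iptables -L INPUT -v -n`) while repeating the probe, or temporarily replace the DROP with a `LOG` rule (ipt_LOG is already loaded). The walker also shows the one real gap a reviewer should flag: the stateless `spt:53` and `spt:123` rules accept any inbound UDP whose sender simply chose that source port, which is why reply traffic is normally admitted with a conntrack `ESTABLISHED,RELATED` rule instead of source-port matches.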
