Hello! I block one IP:

Code:
root@srv:~# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-courierauth  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 25,465,143,220,993,110,995
fail2ban-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 25,465
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/4          0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  189.61.231.168       0.0.0.0/0
DROP       tcp  --  189.61.231.168       0.0.0.0/0           tcp dpt:25
DROP       tcp  --  189.61.231.168       0.0.0.0/0           tcp dpt:110
DROP       tcp  --  189.61.231.168       0.0.0.0/0           tcp dpt:143

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0
PUB_OUT    all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain PAROLE (10 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:81
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
PAROLE     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-apache (0 references)
target     prot opt source               destination

Chain fail2ban-courierauth (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-postfix (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-proftpd (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

But in auth.log and mail.log I see failed connections. mail.warn:

Code:
Apr 26 21:01:17 srv postfix/smtpd[30134]: warning: unknown[189.61.231.168]: SASL LOGIN authentication failed: authentication failure
Apr 26 21:02:23 srv postfix/smtpd[30134]: last message repeated 13 times
Apr 26 21:03:14 srv postfix/smtpd[30134]: last message repeated 6 times
Apr 26 21:03:14 srv postfix/smtpd[30134]: warning: 189.61.231.168: hostname bd3de7a8.virtua.com.br verification failed: Name or service not known
Apr 26 21:03:17 srv postfix/smtpd[30134]: warning: unknown[189.61.231.168]: SASL LOGIN authentication failed: authentication failure
Apr 26 21:04:23 srv postfix/smtpd[30134]: last message repeated 13 times
Apr 26 21:05:16 srv postfix/smtpd[30134]: last message repeated 6 times
Apr 26 21:05:16 srv postfix/smtpd[30134]: warning: 189.61.231.168: hostname bd3de7a8.virtua.com.br verification failed: Name or service not known
Apr 26 21:05:20 srv postfix/smtpd[30134]: warning: unknown[189.61.231.168]: SASL LOGIN authentication failed: authentication failure
Apr 26 21:06:22 srv postfix/smtpd[30134]: last message repeated 12 times
Apr 26 21:07:19 srv postfix/smtpd[30134]: last message repeated 7 times
Apr 26 21:07:19 srv postfix/smtpd[30134]: warning: 189.61.231.168: hostname bd3de7a8.virtua.com.br verification failed: Name or service not known
Apr 26 21:07:22 srv postfix/smtpd[30134]: warning: unknown[189.61.231.168]: SASL LOGIN authentication failed: authentication failure
Apr 26 21:08:28 srv postfix/smtpd[30134]: last message repeated 13 times
Apr 26 21:09:19 srv postfix/smtpd[30134]: last message repeated 6 times
Apr 26 21:09:19 srv postfix/smtpd[30134]: warning: 189.61.231.168: hostname bd3de7a8.virtua.com.br verification failed: Name or service not known
Apr 26 21:09:22 srv postfix/smtpd[30134]: warning: unknown[189.61.231.168]: SASL LOGIN authentication failed: authentication failure
Apr 26 21:10:29 srv postfix/smtpd[30134]: last message repeated 13 times
Apr 26 21:11:22 srv postfix/smtpd[30134]: last message repeated 6 times
Apr 26 21:11:22 srv postfix/smtpd[30134]: warning: 189.61.231.168: hostname bd3de7a8.virtua.com.br verification failed: Name or service not known
Apr 26 21:11:25 srv postfix/smtpd[30134]: warning: unknown[189.61.231.168]: SASL LOGIN authentication failed: authentication failure
Apr 26 21:12:26 srv postfix/smtpd[30134]: last message repeated 12 times
Apr 26 21:13:28 srv postfix/smtpd[30134]: last message repeated 7 times
Apr 26 21:13:28 srv postfix/smtpd[30134]: warning: 189.61.231.168: hostname bd3de7a8.virtua.com.br verification failed: Name or service not known
Apr 26 21:13:31 srv postfix/smtpd[30134]: warning: unknown[189.61.231.168]: SASL LOGIN authentication failed: authentication failure
Apr 26 21:14:37 srv postfix/smtpd[30134]: last message repeated 13 times
Apr 26 21:15:29 srv postfix/smtpd[30134]: last message repeated 6 times
Apr 26 21:15:29 srv postfix/smtpd[30134]: warning: 189.61.231.168: hostname bd3de7a8.virtua.com.br verification failed: Name or service not known

How can I block this connection? Thank you!
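The mail.warn excerpt above is compressed by syslog: each "last message repeated N times" line stands for N more SASL failures from the same smtpd process, so the explicit lines understate the volume (each block of three lines is about 20 attempts). The following script is an added example, not code from this thread or from fail2ban, that counts failures per client IP while expanding those repeat lines. It embeds the first two blocks of the poster's log plus two constructed lines for a second address (192.0.2.10, pid 30140) to show per-IP grouping; the maxretry threshold is a parameter chosen for illustration.

```python
"""Count Postfix SASL authentication failures per client IP, expanding syslog's
"last message repeated N times" compression. Added example for this thread,
not code from the thread or from fail2ban."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# First two blocks of the log posted in the thread, plus two constructed lines
# for a second client (192.0.2.10 / pid 30140) that are NOT from the thread.
SAMPLE_LOG = """\
Apr 26 21:01:17 srv postfix/smtpd[30134]: warning: unknown[189.61.231.168]: SASL LOGIN authentication failed: authentication failure
Apr 26 21:02:23 srv postfix/smtpd[30134]: last message repeated 13 times
Apr 26 21:03:14 srv postfix/smtpd[30134]: last message repeated 6 times
Apr 26 21:03:14 srv postfix/smtpd[30134]: warning: 189.61.231.168: hostname bd3de7a8.virtua.com.br verification failed: Name or service not known
Apr 26 21:03:17 srv postfix/smtpd[30134]: warning: unknown[189.61.231.168]: SASL LOGIN authentication failed: authentication failure
Apr 26 21:04:23 srv postfix/smtpd[30134]: last message repeated 13 times
Apr 26 21:05:16 srv postfix/smtpd[30134]: last message repeated 6 times
Apr 26 21:06:00 srv postfix/smtpd[30140]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Apr 26 21:06:30 srv postfix/smtpd[30140]: last message repeated 2 times
""".splitlines()

TS = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ "          # "Apr 26 21:01:17 srv "
SASL_FAIL = re.compile(TS + r"(?P<tag>postfix/smtpd\[\d+\]): warning: "
                       r"\S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")
REPEATED = re.compile(TS + r"(?P<tag>postfix/smtpd\[\d+\]): "
                      r"last message repeated (?P<n>\d+) times$")
ANY_LINE = re.compile(TS + r"(?P<tag>\S+\[\d+\]): ")


def count_sasl_failures(lines: Iterable[str]) -> Dict[str, Tuple[int, int]]:
    """Return {ip: (explicit_lines, effective_attempts)}.

    explicit_lines is what a line-by-line matcher that needs the IP on the
    line (fail2ban's failregex style) would count; effective_attempts also
    adds N for every "last message repeated N times" that follows a failure
    from the same smtpd process. Any other message from that process resets
    the memory, because the repeat refers to the immediately preceding line."""
    explicit: Counter = Counter()
    effective: Counter = Counter()
    last_fail_ip: Dict[str, str] = {}        # smtpd tag -> ip of its last failure line
    for line in lines:
        m = SASL_FAIL.match(line)
        if m:
            explicit[m["ip"]] += 1
            effective[m["ip"]] += 1
            last_fail_ip[m["tag"]] = m["ip"]
            continue
        m = REPEATED.match(line)
        if m:
            ip = last_fail_ip.get(m["tag"])
            if ip is not None:
                effective[ip] += int(m["n"])
            continue
        m = ANY_LINE.match(line)
        if m:                                 # unrelated message: the repeat chain is broken
            last_fail_ip.pop(m["tag"], None)
    return {ip: (explicit[ip], effective[ip]) for ip in effective}


def ban_candidates(lines: Iterable[str], maxretry: int = 3) -> List[str]:
    """IPs whose effective failure count reaches maxretry (threshold is illustrative)."""
    counts = count_sasl_failures(lines)
    return sorted(ip for ip, (_, eff) in counts.items() if eff >= maxretry)


if __name__ == "__main__":
    for ip, (seen, total) in count_sasl_failures(SAMPLE_LOG).items():
        print(f"{ip}: {seen} explicit failure lines, {total} attempts after expanding repeats")
    print("over threshold:", ban_candidates(SAMPLE_LOG))
```

On the posted excerpt this reports 40 attempts for 189.61.231.168 from only 2 explicit lines. The practical point for the thread: if fail2ban's sasl filter is enabled but the log is repeat-compressed, it sees one failure per block and may take much longer to reach maxretry within findtime than the real attempt rate suggests; disabling syslog's repeated-message reduction for mail logs makes the count honest.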
How did you set up this manual rule? What I am missing is e.g. the state for New and Established connections in the drop rule. It looks like you are running fail2ban, but it seems that it does not block these attempts automatically?!
To block this IP address I use:

Code:
iptables -A INPUT -s 189.61.231.168 -j DROP
iptables -A INPUT -s 189.61.231.168 -p tcp --destination-port 25 -j DROP

Yes, I have fail2ban. I see in the config file that the SASL check is disabled. Now I enable it. But why don't the iptables rules work for this IP? I restarted fail2ban and in fail2ban.log:

Code:
2011-04-27 23:04:00,279 fail2ban.actions.action: ERROR  iptables -N fail2ban-couriersmtp iptables -A fail2ban-couriersmtp -j RETURN iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp -j fail2ban-couriersmtp returned 200
2011-04-27 23:04:00,280 fail2ban.jail   : INFO   Jail 'apache' started
2011-04-27 23:04:00,281 fail2ban.jail   : INFO   Jail 'courierauth' started
2011-04-27 23:04:00,283 fail2ban.jail   : INFO   Jail 'proftpd' started
2011-04-27 23:04:00,284 fail2ban.actions.action: ERROR  iptables -N fail2ban-postfix iptables -A fail2ban-postfix -j RETURN iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp -j fail2ban-postfix returned 200
2011-04-27 23:04:00,287 fail2ban.actions.action: ERROR  iptables -N fail2ban-sasl iptables -A fail2ban-sasl -j RETURN iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s -j fail2ban-sasl returned 400
2011-04-27 23:04:00,289 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh iptables -A fail2ban-ssh -j RETURN iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 400
2011-04-27 23:04:00,290 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache iptables -A fail2ban-apache -j RETURN iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache returned 200
2011-04-27 23:04:00,290 fail2ban.actions.action: ERROR  iptables -N fail2ban-proftpd iptables -A fail2ban-proftpd -j RETURN iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd returned 200

How can I solve this problem? Thanks for help.
Not blocking. I have a problem, I need to block certain IPs. I put this:

Code:
iptables -A INPUT -s 189.61.231.168 -j DROP
iptables -A INPUT -s 189.61.231.168 -p tcp --destination-port 25 -j DROP

but it does not block, especially port 80. Is fail2ban ok? Please help.
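Both posts above append their ban with `-A INPUT`, and that is why the rules do nothing: iptables evaluates a chain top to bottom and stops at the first terminal target. In the listing at the top of the thread the INPUT chain already ends with `DROP all -- 0.0.0.0/0 0.0.0.0/0` before the four appended rules for 189.61.231.168, and traffic to port 25 (or 80) is accepted earlier via `PUB_IN` -> `PAROLE`, so no packet ever reaches the appended lines. Inserting at the head of the chain (`iptables -I INPUT 1 -s 189.61.231.168 -j DROP`) puts the ban ahead of the accept path and ahead of the RELATED,ESTABLISHED rule, which also cuts off sessions that are already open. The script below is an added example, not code from the thread or from fail2ban: it parses `iptables -L -n -v` text, reports rules that an earlier terminal rule already covers (same or broader protocol, interface, source and destination, no extra match), and prints the `-I` form to use instead. It needs the `-v` listing because plain `-L -n`, as posted, hides the in/out interface columns; the embedded listing is a shortened copy of the poster's INPUT chain in which the `lo` and `eth0` interfaces are assumptions, not something visible in the original output.

```python
"""Report iptables rules that can never match because an earlier terminal rule
in the same chain already covers every packet they could see.
Added example for this thread (not the poster's or fail2ban's code). Parses
the text of `iptables -L -n -v`."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}           # built-in targets that end traversal
PROTO_NAMES = {"0": "all", "1": "icmp", "6": "tcp", "17": "udp"}  # newer iptables print numbers with -n

# Constructed listing modelled on the thread's INPUT chain (shortened). The
# interface columns are ASSUMED: `lo` on the unconditional ACCEPT and `eth0`
# on the PUB_IN hook are not visible in the poster's `-L -n` output.
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 fail2ban-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 25,465
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            127.0.0.0/8
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    0     0 PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       189.61.231.168       0.0.0.0/0
    0     0 DROP       tcp  --  *      *       189.61.231.168       0.0.0.0/0           tcp dpt:25

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    index: int                       # 1-based position, as `--line-numbers` shows it
    target: str
    prot: str
    in_if: str
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    match: str                       # trailing match text ("tcp dpt:25"); "" if none

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches self. A rule
        with any extra match text is narrower in ways we do not model, so it
        is never treated as covering another (conservative)."""
        if self.match:
            return False
        return (self.prot in ("all", other.prot)
                and self.in_if in ("*", other.in_if)
                and self.out_if in ("*", other.out_if)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))


def parse_listing(text: str) -> Dict[str, List[Rule]]:
    """Parse `iptables -L -n -v` text into {chain: [Rule, ...]}."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) ", line)
        if head:
            current = head.group(1)
            chains[current] = []
            continue
        cols = line.split()
        if not cols or cols[0] == "pkts" or current is None:
            continue                  # blank line or column header
        _pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst = cols[:9]
        chains[current].append(Rule(
            index=len(chains[current]) + 1, target=target,
            prot=PROTO_NAMES.get(prot, prot), in_if=in_if, out_if=out_if,
            src=ipaddress.ip_network(src, strict=False),
            dst=ipaddress.ip_network(dst, strict=False),
            match=" ".join(cols[9:])))
    return chains


def shadowed_rules(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """(dead_rule, first earlier terminal rule that covers it) pairs for one chain."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.target in TERMINAL and earlier.covers(rule):
                dead.append((rule, earlier))
                break
    return dead


def insert_first_command(chain: str, source: str) -> str:
    """The -I form that puts a source ban ahead of everything else in the chain."""
    return f"iptables -I {chain} 1 -s {source} -j DROP"


if __name__ == "__main__":
    for chain, rules in parse_listing(LISTING).items():
        for dead, by in shadowed_rules(rules):
            print(f"{chain} rule {dead.index} ({dead.target} from {dead.src}) is unreachable: "
                  f"rule {by.index} ({by.target} all) already ends the chain for that traffic")
            print("  put it first instead:", insert_first_command(chain, str(dead.src.network_address)))
```

Run against the embedded listing it flags rules 8 and 9 (the two 189.61.231.168 drops) as shadowed by rule 7. The same check applies to the fail2ban chains: fail2ban inserts its own jump rules with `-I INPUT`, which is why they sit at the top of the poster's chain and do work once a jail actually bans something.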