Score:0

How to apply DROP rule immediately (iptables/conntrack)

cn flag

An external IP is connecting to my mailserver VM every second and I just want to block this IP immediately without dropping existing connections.

So I apply a DROP rule. I even reloaded all the iptables rules, but the external IP is still connecting to the mail server.

I used conntrack to stop existing connections.

#!/bin/sh
# Flush all rules and user-defined chains, then enable forwarding to the VM
iptables -F
iptables -X
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward

# Blacklist: insert a DROP at the top of INPUT and forget the IP's existing flows
for IP in <IP_LIST> ; do
  iptables -I INPUT -s "$IP" -j DROP
  conntrack -D -s "$IP"
done

# Other rules follow (the rules on INPUT all apply to ports other than the mail ports)

# last rule
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

The result of conntrack -L -s <ATTACKERIP> is

tcp      6 10 TIME_WAIT src=<ATTACKERIP> dst=<MYIP> sport=23305 dport=587 src=10.0.1.109 dst=10.0.0.5 sport=587 dport=23305 [ASSURED] mark=0 use=1

Relevant output from

iptables -L
iptables -L -t nat

is

iptables -t nat -D PREROUTING -i vmbr0 -p tcp -d <MYPUBLICIP> --dport 587 -j DNAT --to 10.0.1.109:587

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  <ATTACKERIP>         anywhere
DNAT       tcp  --  anywhere             <MYDOMAIN>     tcp dpt:submission to:10.0.1.109:587

What else should I do to DROP new connections immediately?

paladin avatar
id flag
I'm not an iptables expert, but shouldn't you already be dropping the packet in the INPUT table? The NAT table seems to be too late already. https://phoenixnap.com/kb/iptables-tutorial-linux-firewall
cn flag
Thank you for the feedback - I am dropping it at the INPUT table. `iptables -I INPUT -s $IP -j DROP`
paladin avatar
id flag
I'm sorry, I was blinded by my stupidity. ^^
cn flag
No problem, we all go too fast sometimes. The attacker has now gone away, but I am still puzzled.
paladin avatar
id flag
In your other rules (`# Other rules follow`), is there any rule which begins with `iptables -I INPUT`? If so, it would help if you would share that rule with us. I'm asking because that command always inserts itself on top of the rule chain. This means the last insert used is the most dominant one. That also means that your blacklist should be added at the end of your iptables setup script and not at the beginning.
cn flag
I added the rule that I have last: `iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT` - the other rules on INPUT are for unrelated ports. I tried to delete the established connections using conntrack, and I had the impression from a past experience that this worked to "forget" routes.
paladin avatar
id flag
I'm pretty sure you are not really sure how iptables chains work. I'm asking about `iptables -I INPUT`; the `-I` stands for `--insert`. If you are using any other `--insert`, you need to be really sure that those rules don't conflict with your blacklist. This means ANY later command which begins with `iptables -I INPUT` might conflict. It would be best to execute your blacklist commands as the last iptables commands, even if you think you are doing everything right. Your blacklist rule commands need to be executed AFTER all other iptables rule commands so they become the first rules in the chain.
cn flag
I agree that I do not know everything about iptables, but I understood that I need to add these DROP rules at the end, and you clarified that this is because of the --insert. All `iptables -I INPUT` rules are DROP rules. When I added the DROP rule from the CLI, the attacking IP could still connect (and adding it from the CLI is "adding" the blacklist after everything else).
Score:2
in flag

It looks like you're using NAT to forward traffic to your mail server.

Then adding filter rules to the INPUT chain to filter that NAT traffic is not effective, as rules in the INPUT chain only apply to traffic destined for processes running on the same system running the iptables firewall and not the traffic that gets forwarded.

IIRC your rules should be in, for example, the FORWARD chain.

See the diagram below from https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/ for context.

https://stuffphilwrites.com/wp-content/uploads/2014/09/FW-IDS-iptables-Flowchart-v2019-04-30-1.png

cn flag
I have not tested yet, but yes, I am NATting traffic to the mail server, so this explanation makes perfect sense. The flowchart is great - never seen one before for iptables! So I'll add a rule on the FORWARD chain as well in my for loop. Thanks a lot!
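An added check, not code from the thread, that turns the two findings above into something you can run against the output of `iptables -S`: it parses the listing and reports, for INPUT and for the FORWARD chain that DNAT'ed traffic actually traverses, whether a DROP for the IP exists and sits ahead of any ACCEPT (such as the RELATED,ESTABLISHED rule discussed in the comments) that could match first. The sample listing and the IP are constructed; `parse_rules` and `audit_blacklist` are names chosen here.

```python
import ipaddress
import shlex

# Constructed `iptables -S` listing (not from the thread), mirroring the question:
# DROP inserted into INPUT only, while DNAT'ed mail traffic traverses FORWARD.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -s 203.0.113.45/32 -j DROP
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 587 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

def parse_rules(text):
    """Return {chain: [(source network or None, target), ...]} in rule order."""
    chains = {}
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] not in ("-A", "-P"):
            continue
        rules = chains.setdefault(argv[1], [])
        if argv[0] == "-P":          # policy line: chain exists, carries no rule
            continue
        src = target = None
        for i, tok in enumerate(argv[:-1]):
            if tok == "-s":
                src = ipaddress.ip_network(argv[i + 1], strict=False)
            elif tok == "-j":
                target = argv[i + 1]
        rules.append((src, target))
    return chains

def audit_blacklist(text, ip, chains=("INPUT", "FORWARD")):
    """Per chain: 'ok', 'shadowed' (an ACCEPT that may match ip precedes the DROP) or 'missing'."""
    addr = ipaddress.ip_address(ip)
    parsed = parse_rules(text)
    report = {}
    for chain in chains:
        rules = parsed.get(chain, [])
        drop_at = next((i for i, (src, tgt) in enumerate(rules)
                        if tgt == "DROP" and src is not None and addr in src), None)
        if drop_at is None:
            report[chain] = "missing"
            continue
        # Conservative: an earlier ACCEPT with no -s, or an -s covering ip, can fire first
        shadow = any(tgt == "ACCEPT" and (src is None or addr in src)
                     for src, tgt in rules[:drop_at])
        report[chain] = "shadowed" if shadow else "ok"
    return report
```

On the sample, INPUT reports `ok` and FORWARD reports `missing`, which is exactly the situation in the question; feed it `iptables -S` output from the host to check a live ruleset.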
Score:0
sr flag

When you do:

iptables -nL INPUT

are the DROP rules the first ones?

cn flag
Yes they are the first.
Mitya avatar
sr flag
It seems that you are forwarding packets to the mailserver; that was not clear, I think. In that case, packets do not go into the INPUT chain. You need to DROP the packets in the FORWARD chain.
cn flag
I am not saying that it was obvious, but I did mention the NAT rule in my question. The iptables flowchart makes things clear.