Score:0

Tried to block an IP address to my server and Docker containers


I am running a Docker server under Ubuntu 22.04.2 with several IP addresses and containers.

In my log files I see that an external IP is trying to connect to a Minecraft server that runs in a Docker container.

I have added the following rules:

iptables -F INPUT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -A INPUT -s [IP-TO-BLOCK] -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] -m state --state NEW --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8081 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8880 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 25565 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 1] --dport 25565 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 10011 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 30033 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 2] --dport 9987 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 25565 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 2] --dport 25565 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 3] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 3] --dport 25565 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 3] --dport 25565 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -d [SERVER-IP 1] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -d [SERVER-IP 1] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -d [SERVER-IP 2] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -d [SERVER-IP 2] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -d [SERVER-IP 3] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -d [SERVER-IP 3] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -P INPUT DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s [SERVER-IP 1] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s [SERVER-IP 1] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER-ISOLATION-STAGE-1 -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER-ISOLATION-STAGE-2 -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER-USER -s [IP-TO-BLOCK] -j DROP
iptables-save > /etc/iptables.up.rules

My iptables config (iptables -L) looks like this:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  [IP-TO-BLOCK]        anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             localhost/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 1]  state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 1]  tcp dpt:http
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 1]  tcp dpt:https
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 1]  tcp dpt:8443
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 1]  tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 1]  tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 1]  tcp dpt:8880
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 1]  tcp dpt:25565
ACCEPT     udp  --  anywhere             [SERVER-HOSTNAME 1]  udp dpt:25565
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 2]  tcp dpt:http
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 2]  tcp dpt:10011
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 2]  tcp dpt:30033
ACCEPT     udp  --  anywhere             [SERVER-HOSTNAME 2]  udp dpt:9987
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 2]  tcp dpt:25565
ACCEPT     udp  --  anywhere             [SERVER-HOSTNAME 2]  udp dpt:25565
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 3]  tcp dpt:http
ACCEPT     tcp  --  anywhere             [SERVER-HOSTNAME 3]  tcp dpt:25565
ACCEPT     udp  --  anywhere             [SERVER-HOSTNAME 3]  udp dpt:25565
ACCEPT     icmp --  anywhere             [SERVER-HOSTNAME 1]  icmp echo-reply state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             [SERVER-HOSTNAME 1]  icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             [SERVER-HOSTNAME 2]  icmp echo-reply state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             [SERVER-HOSTNAME 2]  icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             [SERVER-HOSTNAME 3]  icmp echo-reply state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             [SERVER-HOSTNAME 3]  icmp echo-request state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  [IP-TO-BLOCK]        anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     icmp --  [SERVER-HOSTNAME 1]  anywhere             icmp echo-reply state RELATED,ESTABLISHED
ACCEPT     icmp --  [SERVER-HOSTNAME 1]  anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:30033
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:10011
ACCEPT     udp  --  anywhere             172.17.0.2           udp dpt:9987
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:mysql
ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:9443
ACCEPT     tcp  --  anywhere             172.17.0.6           tcp dpt:25565
ACCEPT     udp  --  anywhere             172.17.0.6           udp dpt:25565
ACCEPT     tcp  --  anywhere             172.17.0.6           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:25565
ACCEPT     udp  --  anywhere             172.17.0.7           udp dpt:25565
ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.17.0.8           tcp dpt:25565
ACCEPT     udp  --  anywhere             172.17.0.8           udp dpt:25565
ACCEPT     tcp  --  anywhere             172.17.0.8           tcp dpt:http
DROP       all  --  [IP-TO-BLOCK]        anywhere

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DROP       all  --  [IP-TO-BLOCK]        anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DROP       all  --  [IP-TO-BLOCK]        anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DROP       all  --  [IP-TO-BLOCK]        anywhere

The Docker chains were created automatically and I just added the [IP-TO-BLOCK] rules.

But I can see in the log files that [IP-TO-BLOCK] still tries to connect to the Minecraft servers in the Docker containers.

In my Minecraft logs I still see these lines:

[22:35:16] [Server thread/INFO]: com.mojang.authlib.GameProfile@7cb52cb8[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BLOCK]:59866) lost connection: Disconnected
[22:35:40] [Server thread/INFO]: com.mojang.authlib.GameProfile@2d49849a[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BLOCK]:54582) lost connection: Disconnected
[22:36:03] [Server thread/INFO]: com.mojang.authlib.GameProfile@38f37b9a[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BLOCK]:51052) lost connection: Disconnected
[22:36:18] [Server thread/INFO]: com.mojang.authlib.GameProfile@5f67d6d9[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BLOCK]:14578) lost connection: Disconnected
[22:36:42] [Server thread/INFO]: com.mojang.authlib.GameProfile@25321094[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BLOCK]:39670) lost connection: Disconnected
[22:37:04] [Server thread/INFO]: com.mojang.authlib.GameProfile@48c34dfd[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BLOCK]:31538) lost connection: Disconnected
[22:37:26] [Server thread/INFO]: com.mojang.authlib.GameProfile@12e6b98f[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BLOCK]:29874) lost connection: Disconnected
[22:37:47] [Server thread/INFO]: com.mojang.authlib.GameProfile@73d66414[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BLOCK]:63730) lost connection: Disconnected
[22:38:11] [Server thread/INFO]: com.mojang.authlib.GameProfile@46d56c4a[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BLOCK]:27370) lost connection: Disconnected

What am I doing wrong?

Thanks for your help!
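The behaviour in the question comes down to where packets for a published container port are evaluated and where the appended rule landed. Docker publishes a port with a DNAT rule in the nat table's PREROUTING chain, so a packet for [SERVER-IP]:25565 that is destined for a container traverses FORWARD, not INPUT; the DROP at the top of INPUT never sees it. In FORWARD, Docker jumps to DOCKER-USER first and then accepts the forwarded traffic itself (the port-specific ACCEPT rules in the DOCKER chain), so the only place a user rule is guaranteed to run before Docker's own ACCEPTs is the top of DOCKER-USER. `iptables -A` appends, and DOCKER-USER already ends with Docker's catch-all `RETURN` (visible in the DOCKER-USER listing above), so the appended DROP sits behind a rule that matches every packet and is never reached. The DROPs appended after the `RETURN` in the two DOCKER-ISOLATION chains are dead for the same reason, and the DOCKER and DOCKER-ISOLATION chains are rebuilt by Docker whenever it starts, so rules placed there do not survive anyway. The "lost connection" lines in the Minecraft log are the symptom: a TCP handshake completed, so the packets got through.

The script below is an added example, not code from the original post. It parses `iptables-save` style output and reports every `-s <ip> -j DROP` rule that sits behind an earlier catch-all terminating rule in the same chain, then emits the commands that move the block to position 1 of DOCKER-USER. The ruleset it checks is a constructed, trimmed copy of the chains shown above, and 203.0.113.7 (a documentation-range address) stands in for [IP-TO-BLOCK].

```python
"""Audit an iptables ruleset for unreachable source-block rules.

Added example, not code from the original post. Parses iptables-save
style output ("-A CHAIN <matches> -j TARGET" lines) and flags every
"-s <ip> -j DROP" rule that sits behind an earlier rule in the same
chain that matches every packet and terminates traversal. That is
exactly what "iptables -A DOCKER-USER -s IP -j DROP" produces, because
Docker's own "-j RETURN" is already the last rule of that chain.
"""

BLOCKED_IP = "203.0.113.7"  # assumption: documentation-range stand-in for [IP-TO-BLOCK]

# Constructed sample: a trimmed filter table mirroring the chains in the question.
SAMPLE_RULES = f"""
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -s {BLOCKED_IP}/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -s {BLOCKED_IP}/32 -j DROP
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25565 -j ACCEPT
-A DOCKER -s {BLOCKED_IP}/32 -j DROP
-A DOCKER-USER -j RETURN
-A DOCKER-USER -s {BLOCKED_IP}/32 -j DROP
COMMIT
"""

# Targets that end traversal of the current chain for a matching packet.
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def parse_rules(text):
    """Return {chain: [(match_criteria, target), ...]} in rule order."""
    chains = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "-A" or "-j" not in parts:
            continue  # headers (*filter, :CHAIN ...), COMMIT, blank lines
        chain = parts[1]
        j = parts.index("-j")
        matches = " ".join(parts[2:j])  # empty string == matches every packet
        chains.setdefault(chain, []).append((matches, parts[j + 1]))
    return chains


def shadowed_block_rules(text, ip):
    """Map chain -> (drop_position, catch_all_position), 1-based like iptables,
    for every '-s ip -j DROP' rule placed after a catch-all terminating rule."""
    wanted = {f"-s {ip}", f"-s {ip}/32"}  # iptables-save writes the /32 form
    found = {}
    for chain, rules in parse_rules(text).items():
        catch_all = None
        for pos, (matches, target) in enumerate(rules, start=1):
            if catch_all is None and matches == "" and target in TERMINAL_TARGETS:
                catch_all = pos
            elif target == "DROP" and matches in wanted and catch_all is not None:
                found[chain] = (pos, catch_all)
    return found


def fix_commands(text, ip):
    """Commands that delete the dead rules and put the block where Docker
    guarantees it runs first: position 1 of DOCKER-USER, which FORWARD jumps
    to before the RELATED,ESTABLISHED accept and before the DOCKER chain."""
    cmds = [f"iptables -D {chain} -s {ip} -j DROP" for chain in shadowed_block_rules(text, ip)]
    cmds.append(f"iptables -I DOCKER-USER 1 -s {ip} -j DROP")
    # Sessions already in the conntrack table are still accepted by the
    # RELATED,ESTABLISHED rule; flush them (conntrack-tools) so the block bites now.
    cmds.append(f"conntrack -D -s {ip}")
    return cmds


if __name__ == "__main__":
    for chain, (drop_pos, catch_all_pos) in shadowed_block_rules(SAMPLE_RULES, BLOCKED_IP).items():
        print(f"{chain}: DROP at rule {drop_pos} is unreachable, rule {catch_all_pos} matches everything first")
    print("\n".join(fix_commands(SAMPLE_RULES, BLOCKED_IP)))
```

On a live host, feed the output of `iptables-save -t filter` to `shadowed_block_rules` instead of the embedded sample. The audit only detects catch-all shadowing, so it flags DOCKER-USER; the DROPs appended to FORWARD and DOCKER are also never hit for the Minecraft traffic, because the port-specific ACCEPT in the DOCKER chain fires first, and they disappear when Docker rebuilds its chains. The INPUT rule is not wrong, it simply only covers traffic addressed to the host itself. DOCKER-USER is the one chain Docker leaves alone, so that is also the rule to persist; it has to end up at position 1 again after any restore of the saved ruleset.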

Terrance
I would use `REJECT` instead of `DROP`, as packets could still hang on and not close the connection right away. With `REJECT` they get an instant message that tells them they were rejected, and the connection closes instantly. Regardless, you are going to see the IP in the log files, as it keeps track of any attempt.