I am running a Docker server under Ubuntu 22.04.2 with several IP addresses and containers.
In my log files I see that an external IP is trying to connect to a Minecraft server that runs in a Docker container.
I have added the following rules:
iptables -F INPUT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -A INPUT -s [IP-TO-BLOCK] -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] -m state --state NEW --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8081 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8880 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 25565 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 1] --dport 25565 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 10011 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 30033 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 2] --dport 9987 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 25565 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 2] --dport 25565 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 3] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 3] --dport 25565 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 3] --dport 25565 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -d [SERVER-IP 1] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -d [SERVER-IP 1] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -d [SERVER-IP 2] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -d [SERVER-IP 2] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -d [SERVER-IP 3] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -d [SERVER-IP 3] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -P INPUT DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s [SERVER-IP 1] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s [SERVER-IP 1] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER-ISOLATION-STAGE-1 -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER-ISOLATION-STAGE-2 -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER-USER -s [IP-TO-BLOCK] -j DROP
iptables-save > /etc/iptables.up.rules
My iptables config (iptables -L) looks like this:
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- [IP-TO-BLOCK] anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere localhost/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:http
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:https
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:8443
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:http-alt
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:tproxy
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:8880
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:25565
ACCEPT udp -- anywhere [SERVER-HOSTNAME 1] udp dpt:25565
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 2] tcp dpt:http
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 2] tcp dpt:10011
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 2] tcp dpt:30033
ACCEPT udp -- anywhere [SERVER-HOSTNAME 2] udp dpt:9987
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 2] tcp dpt:25565
ACCEPT udp -- anywhere [SERVER-HOSTNAME 2] udp dpt:25565
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 3] tcp dpt:http
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 3] tcp dpt:25565
ACCEPT udp -- anywhere [SERVER-HOSTNAME 3] udp dpt:25565
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 1] icmp echo-reply state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 1] icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 2] icmp echo-reply state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 2] icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 3] icmp echo-reply state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 3] icmp echo-request state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- [IP-TO-BLOCK] anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT icmp -- [SERVER-HOSTNAME 1] anywhere icmp echo-reply state RELATED,ESTABLISHED
ACCEPT icmp -- [SERVER-HOSTNAME 1] anywhere icmp echo-request state NEW,RELATED,ESTABLISHED
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:30033
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:https
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:10011
ACCEPT udp -- anywhere 172.17.0.2 udp dpt:9987
ACCEPT tcp -- anywhere 172.17.0.4 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.17.0.5 tcp dpt:9443
ACCEPT tcp -- anywhere 172.17.0.6 tcp dpt:25565
ACCEPT udp -- anywhere 172.17.0.6 udp dpt:25565
ACCEPT tcp -- anywhere 172.17.0.6 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.0.7 tcp dpt:25565
ACCEPT udp -- anywhere 172.17.0.7 udp dpt:25565
ACCEPT tcp -- anywhere 172.17.0.7 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.0.8 tcp dpt:25565
ACCEPT udp -- anywhere 172.17.0.8 udp dpt:25565
ACCEPT tcp -- anywhere 172.17.0.8 tcp dpt:http
DROP all -- [IP-TO-BLOCK] anywhere
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
DROP all -- [IP-TO-BLOCK] anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
DROP all -- [IP-TO-BLOCK] anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DROP all -- [IP-TO-BLOCK] anywhere
The Docker chains were created automatically and I just added the [IP-TO-BAN] rule to them.
But I can see in the log files that [IP-TO-BAN] still tries to connect to the Minecraft servers in the Docker containers.
In my Minecraft logs I still see these lines:
[22:35:16] [Server thread/INFO]: com.mojang.authlib.GameProfile@7cb52cb8[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:59866) lost connection: Disconnected
[22:35:40] [Server thread/INFO]: com.mojang.authlib.GameProfile@2d49849a[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:54582) lost connection: Disconnected
[22:36:03] [Server thread/INFO]: com.mojang.authlib.GameProfile@38f37b9a[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:51052) lost connection: Disconnected
[22:36:18] [Server thread/INFO]: com.mojang.authlib.GameProfile@5f67d6d9[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:14578) lost connection: Disconnected
[22:36:42] [Server thread/INFO]: com.mojang.authlib.GameProfile@25321094[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:39670) lost connection: Disconnected
[22:37:04] [Server thread/INFO]: com.mojang.authlib.GameProfile@48c34dfd[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:31538) lost connection: Disconnected
[22:37:26] [Server thread/INFO]: com.mojang.authlib.GameProfile@12e6b98f[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:29874) lost connection: Disconnected
[22:37:47] [Server thread/INFO]: com.mojang.authlib.GameProfile@73d66414[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:63730) lost connection: Disconnected
[22:38:11] [Server thread/INFO]: com.mojang.authlib.GameProfile@46d56c4a[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:27370) lost connection: Disconnected
What am I doing wrong?
Thanks for your help!
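The cause is visible in the `iptables -L` output above. Traffic to a published container port is DNATed by Docker and traverses the FORWARD chain, never INPUT, so the INPUT rule only protects services running on the host itself. In every chain where the DROP was added with `-A`, it was appended behind something that ends evaluation for every packet: an unconditional `RETURN` in DOCKER-USER and DOCKER-ISOLATION-STAGE-1/2, the per-container `ACCEPT` rules in DOCKER, and the bridge `ACCEPT` rules in FORWARD. The appended rule is never reached (its packet counter in `iptables -nvL DOCKER-USER` stays at 0). DOCKER-USER is also the only one of those chains that Docker does not rewrite when it restarts, so the block belongs at the top of DOCKER-USER, inserted with `-I` rather than appended with `-A`. The following script is an added example by the editor, not part of the original question: `shadowed_rules` lints an `iptables -S` dump for rules that sit behind an unconditional terminating rule in the same chain, and `block_ip_cmds` prints (without running) the commands that move the block to where it actually matches. The sample dumps, the address 203.0.113.5 and the interface name eth0 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Lints an `iptables -S` dump for
# rules that can never match, and prints the commands that fix the block.

# shadowed_rules DUMP
#   DUMP is the text of `iptables -S` (one or more chains). Prints every rule
#   that follows an unconditional terminating rule (a bare -j RETURN / ACCEPT /
#   DROP / REJECT with no match criteria) in the same chain. Rules that follow a
#   *conditional* ACCEPT (like the appended DROP in the DOCKER chain) are not
#   reported: the linter cannot know which packets those matched, so they still
#   need a manual look at the packet counters (iptables -nvL CHAIN).
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            chain = $2
            rule = $0
            sub(/^-A [^ ]+ /, "", rule)            # keep only "matches -j TARGET"
            if (chain in dead) { print "unreachable: " $0; next }
            if (rule ~ /^-j (RETURN|ACCEPT|DROP|REJECT)( --reject-with [^ ]+)?$/)
                dead[chain] = 1                      # everything after this is dead
        }'
}

# block_ip_cmds IP [IFACE]
#   Prints (does not run) the iptables commands that block IP for traffic to
#   published container ports. The misplaced appended rules are deleted first
#   (Docker rewrites DOCKER and DOCKER-ISOLATION-* on restart anyway), then the
#   DROP is *inserted* at position 1 of DOCKER-USER so it precedes Docker's own
#   RETURN and the ESTABLISHED accept in FORWARD. With IFACE (e.g. eth0, an
#   assumed name) the block is limited to the external interface so
#   container-to-container traffic is unaffected. The INPUT rule is left alone;
#   it still protects services running on the host itself.
block_ip_cmds() {
    ip=$1
    ifmatch="${2:+-i $2 }"
    case $ip in
        *[!0-9./]*|'') echo "block_ip_cmds: not an IPv4 address: '$ip'" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -D DOCKER-USER -s $ip -j DROP
iptables -D DOCKER -s $ip -j DROP
iptables -D DOCKER-ISOLATION-STAGE-1 -s $ip -j DROP
iptables -D DOCKER-ISOLATION-STAGE-2 -s $ip -j DROP
iptables -D FORWARD -s $ip -j DROP
iptables -I DOCKER-USER 1 ${ifmatch}-s $ip -j DROP
EOF
}

# Usage: shadowed_rules "$(iptables -S DOCKER-USER)"  and  block_ip_cmds 203.0.113.5 eth0
```

After inserting the rule, `iptables -nvL DOCKER-USER` should show its packet counter climbing and the "lost connection" lines for that address should stop. Note that rules in DOCKER-USER survive a Docker restart but not a reboot, and the `iptables-save` dump written above is not reloaded by anything on its own; re-apply the DOCKER-USER rule at boot after Docker has started rather than restoring a full dump that contains Docker's own chains.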