iptables problem

Hi!

It seems that blocking a host does not work on my CentOS 6.4 virtual machine...

arno-iptables firewall is installed, and it is no use putting the IP (31.222.133.87) into blocked-host.
The packets keep pouring in from there.

iptables -A INPUT -i eth0 -s 31.222.133.87 -j DROP
and iptables -A INPUT -i eth0:0 -s 31.222.133.87 -j DROP

did not change that either...

Any ideas?

csucsu

Comments

"Any ideas?"
For example, that one of the rules earlier in the order lets it through. Put it at the beginning of the ruleset, or use the -I option instead of -A.

But you can see what the problem is if you list the rules: iptables -nvL INPUT

"INPUT -i eth0:0"
Note: in practice there is no such thing, since eth0 is the device. (Using IP aliases has not been recommended for quite a long time.)

[root@host83 log]# iptables -nvL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
96 5702 fail2ban-Named tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,953
149K 27M BASE_INPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
5198 544K INPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
5198 544K HOST_BLOCK_SRC all -- * * 0.0.0.0/0 0.0.0.0/0
5198 544K SPOOF_CHK all -- * * 0.0.0.0/0 0.0.0.0/0
5195 543K VALID_CHK all -- eth0 * 0.0.0.0/0 0.0.0.0/0
5156 542K EXT_INPUT_CHAIN !icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
1 28 EXT_INPUT_CHAIN icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 60/sec burst 100
0 0 EXT_ICMP_FLOOD_CHAIN icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 POST_INPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 7 prefix `AIF:Dropped INPUT packet: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 31.222.133.87 0.0.0.0/0
0 0 DROP all -- eth0 * 31.222.133.87 0.0.0.0/0
0 0 DROP all -- eth0:0 * 31.222.133.87 0.0.0.0/0
0 0 DROP all -- eth0 * 31.222.133.87 0.0.0.0/0

Shouldn't HOST_BLOCK_SRC be at the very front?

[root@host83 arno-iptables-firewall]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9155 604K DROP all -- eth0 * 31.222.133.87 0.0.0.0/0
126 7532 fail2ban-Named tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,953
189K 33M BASE_INPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
6893 712K INPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
6893 712K HOST_BLOCK_SRC all -- * * 0.0.0.0/0 0.0.0.0/0
6893 712K SPOOF_CHK all -- * * 0.0.0.0/0 0.0.0.0/0
6890 712K VALID_CHK all -- eth0 * 0.0.0.0/0 0.0.0.0/0
6848 710K EXT_INPUT_CHAIN !icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
1 28 EXT_INPUT_CHAIN icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 60/sec burst 100
0 0 EXT_ICMP_FLOOD_CHAIN icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 POST_INPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 7 prefix `AIF:Dropped INPUT packet: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 31.222.133.87 0.0.0.0/0
0 0 DROP all -- eth0 * 31.222.133.87 0.0.0.0/0
0 0 DROP all -- eth0:0 * 31.222.133.87 0.0.0.0/0
0 0 DROP all -- eth0 * 31.222.133.87 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 BASE_FORWARD_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 TCPMSS tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 FORWARD_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 HOST_BLOCK_SRC all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 HOST_BLOCK_DST all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 EXT_FORWARD_IN_CHAIN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 EXT_FORWARD_OUT_CHAIN all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 SPOOF_CHK all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 POST_FORWARD_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 3 LOG flags 0 level 7 prefix `AIF:Dropped FORWARD packet: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
192K 24M BASE_OUTPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
330 19800 TCPMSS tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
14395 1020K OUTPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
14389 1019K HOST_BLOCK_DST all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `AIF:Fragment packet: '
0 0 DROP all -f * * 0.0.0.0/0 0.0.0.0/0
14389 1019K EXT_OUTPUT_CHAIN all -- * eth0 0.0.0.0/0 0.0.0.0/0
14389 1019K POST_OUTPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
14389 1019K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain BASE_FORWARD_CHAIN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED tcp dpts:1024:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED udp dpts:1024:65535
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain BASE_INPUT_CHAIN (1 references)
pkts bytes target prot opt in out source destination
182K 33M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED tcp dpts:1024:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED udp dpts:1024:65535
25 3946 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
105 6300 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain BASE_OUTPUT_CHAIN (1 references)
pkts bytes target prot opt in out source destination
178K 23M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
105 6300 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0

Chain DMZ_FORWARD_IN_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain DMZ_FORWARD_OUT_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain DMZ_INET_FORWARD_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain DMZ_INPUT_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain DMZ_LAN_FORWARD_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain DMZ_OUTPUT_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain EXT_BROADCAST_CHAIN (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:PRIV TCP broadcast: '
292 95776 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:PRIV UDP broadcast: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:UNPRIV TCP broadcast: '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1024 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:UNPRIV UDP broadcast: '
2216 428K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain EXT_FORWARD_IN_CHAIN (1 references)
pkts bytes target prot opt in out source destination
0 0 VALID_CHK all -- * * 0.0.0.0/0 0.0.0.0/0

Chain EXT_FORWARD_OUT_CHAIN (1 references)
pkts bytes target prot opt in out source destination

Chain EXT_ICMP_FLOOD_CHAIN (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 limit: avg 12/hour burst 1 LOG flags 0 level 7 prefix `AIF:ICMP-unreachable flood: '
0 0 POST_INPUT_DROP_CHAIN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 limit: avg 12/hour burst 1 LOG flags 0 level 7 prefix `AIF:ICMP-time-exceeded fld: '
0 0 POST_INPUT_DROP_CHAIN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 limit: avg 12/hour burst 1 LOG flags 0 level 7 prefix `AIF:ICMP-param-problem fld: '
0 0 POST_INPUT_DROP_CHAIN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 12/hour burst 1 LOG flags 0 level 7 prefix `AIF:ICMP-request(ping) fld: '
0 0 POST_INPUT_DROP_CHAIN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 12/hour burst 1 LOG flags 0 level 7 prefix `AIF:ICMP-reply(pong) flood: '
0 0 POST_INPUT_DROP_CHAIN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 limit: avg 12/hour burst 1 LOG flags 0 level 7 prefix `AIF:ICMP-source-quench fld: '
0 0 POST_INPUT_DROP_CHAIN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 12/hour burst 1 LOG flags 0 level 7 prefix `AIF:ICMP(other) flood: '
0 0 POST_INPUT_DROP_CHAIN icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain EXT_INPUT_CHAIN (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix `AIF:Port 0 OS fingerprint: '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix `AIF:Port 0 OS fingerprint: '
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:0
0 0 POST_INPUT_DROP_CHAIN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 7 prefix `AIF:TCP source port 0: '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 7 prefix `AIF:UDP source port 0: '
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0
0 0 POST_INPUT_DROP_CHAIN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:0
0 0 LOG tcp -- + * 178.219.244.145 0.0.0.0/0 tcp dpt:53 limit: avg 1/hour burst 1 LOG flags 0 level 7 prefix `AIF:Hostwise TCP rejected: '
0 0 REJECT tcp -- + * 178.219.244.145 0.0.0.0/0 tcp dpt:53 reject-with tcp-reset
0 0 LOG tcp -- + * 186.2.165.3 0.0.0.0/0 tcp dpt:53 limit: avg 1/hour burst 1 LOG flags 0 level 7 prefix `AIF:Hostwise TCP rejected: '
0 0 REJECT tcp -- + * 186.2.165.3 0.0.0.0/0 tcp dpt:53 reject-with tcp-reset
0 0 LOG udp -- + * 178.219.244.145 0.0.0.0/0 udp dpt:53 limit: avg 1/hour burst 1 LOG flags 0 level 7 prefix `AIF:Hostwise UDP rejected: '
0 0 REJECT udp -- + * 178.219.244.145 0.0.0.0/0 udp dpt:53 reject-with icmp-host-unreachable
0 0 LOG udp -- + * 186.2.165.3 0.0.0.0/0 udp dpt:53 limit: avg 1/hour burst 1 LOG flags 0 level 7 prefix `AIF:Hostwise UDP rejected: '
0 0 REJECT udp -- + * 186.2.165.3 0.0.0.0/0 udp dpt:53 reject-with icmp-host-unreachable
4054 243K ACCEPT tcp -- + * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
92 4604 ACCEPT tcp -- + * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- + * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
24 1536 ACCEPT tcp -- + * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
36 2160 ACCEPT tcp -- + * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
63 3780 ACCEPT tcp -- + * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
2 120 ACCEPT tcp -- + * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
42 2520 ACCEPT tcp -- + * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
46 2756 ACCEPT tcp -- + * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
208 14842 ACCEPT udp -- + * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
1 28 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 20/sec burst 100
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 flags:!0x17/0x02 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `AIF:Stealth scan? (UNPRIV): '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:!0x17/0x02 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `AIF:Stealth scan? (PRIV): '
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
2216 428K EXT_BROADCAST_CHAIN all -- * * 0.0.0.0/0 255.255.255.255
23 736 EXT_MULTICAST_CHAIN all -- * * 0.0.0.0/0 224.0.0.0/4
9 532 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:PRIV TCP packet: '
24 4660 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:PRIV UDP packet: '
7 360 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:UNPRIV TCP packet: '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:UNPRIV UDP packet: '
0 0 LOG 2 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 5 LOG flags 0 level 7 prefix `AIF:IGMP packet: '
42 5678 POST_INPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 3/min burst 1 LOG flags 0 level 7 prefix `AIF:ICMP-request: '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp !type 8 limit: avg 12/hour burst 1 LOG flags 0 level 7 prefix `AIF:ICMP-other: '
17 940 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0
25 4738 POST_INPUT_DROP_CHAIN udp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 POST_INPUT_DROP_CHAIN 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 POST_INPUT_DROP_CHAIN icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 5 LOG flags 0 level 7 prefix `AIF:Other connect: '
0 0 POST_INPUT_DROP_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain EXT_MULTICAST_CHAIN (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:PRIV TCP multicast: '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:PRIV UDP multicast: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:UNPRIV TCP multicast: '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1024 limit: avg 6/min burst 2 LOG flags 0 level 7 prefix `AIF:UNPRIV UDP multicast: '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 3/min burst 1 LOG flags 0 level 7 prefix `AIF:ICMP-multicast-request: '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp !type 8 limit: avg 12/hour burst 1 LOG flags 0 level 7 prefix `AIF:ICMP-multicast-other: '
23 736 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain EXT_OUTPUT_CHAIN (1 references)
pkts bytes target prot opt in out source destination

Chain FORWARD_CHAIN (1 references)
pkts bytes target prot opt in out source destination

Chain HOST_BLOCK_DROP (6 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `AIF:Blocked host(s): '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain HOST_BLOCK_DST (2 references)
pkts bytes target prot opt in out source destination
0 0 HOST_BLOCK_DROP all -- * * 0.0.0.0/0 186.2.165.3
0 0 HOST_BLOCK_DROP all -- * * 0.0.0.0/0 186.2.165.3
0 0 HOST_BLOCK_DROP all -- * * 0.0.0.0/0 178.219.244.145

Chain HOST_BLOCK_SRC (2 references)
pkts bytes target prot opt in out source destination
0 0 HOST_BLOCK_DROP all -- * * 186.2.165.3 0.0.0.0/0
0 0 HOST_BLOCK_DROP all -- * * 186.2.165.3 0.0.0.0/0
0 0 HOST_BLOCK_DROP all -- * * 178.219.244.145 0.0.0.0/0

Chain INET_DMZ_FORWARD_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain INPUT_CHAIN (1 references)
pkts bytes target prot opt in out source destination

Chain INT_FORWARD_IN_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain INT_FORWARD_OUT_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain INT_INPUT_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain INT_OUTPUT_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain LAN_INET_FORWARD_CHAIN (0 references)
pkts bytes target prot opt in out source destination

Chain OUTPUT_CHAIN (1 references)
pkts bytes target prot opt in out source destination

Chain POST_FORWARD_CHAIN (1 references)
pkts bytes target prot opt in out source destination

Chain POST_INPUT_CHAIN (2 references)
pkts bytes target prot opt in out source destination

Chain POST_INPUT_DROP_CHAIN (27 references)
pkts bytes target prot opt in out source destination
83 7338 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POST_OUTPUT_CHAIN (1 references)
pkts bytes target prot opt in out source destination

Chain RESERVED_NET_CHK (0 references)
pkts bytes target prot opt in out source destination

Chain SPOOF_CHK (2 references)
pkts bytes target prot opt in out source destination
6893 712K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain VALID_CHK (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `AIF:Stealth XMAS scan: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `AIF:Stealth XMAS-PSH scan: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `AIF:Stealth XMAS-ALL scan: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `AIF:Stealth FIN scan: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `AIF:Stealth SYN/RST scan: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `AIF:Stealth SYN/FIN scan?: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `AIF:Stealth Null scan: '
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp option=64 limit: avg 3/min burst 1 LOG flags 0 level 7 prefix `AIF:Bad TCP flag(64): '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp option=128 limit: avg 3/min burst 1 LOG flags 0 level 7 prefix `AIF:Bad TCP flag(128): '
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp option=64
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp option=128
41 1660 POST_INPUT_DROP_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LOG all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 1 LOG flags 0 level 4 prefix `AIF:Fragment packet: '
0 0 DROP all -f * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-Named (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 5.135.100.90 0.0.0.0/0
0 0 DROP all -- * * 31.222.133.87 0.0.0.0/0
0 0 DROP all -- * * 31.222.133.87 0.0.0.0/0
126 7532 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 207.182.146.27 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Now that's fine. Your first rule drops the packets with the given source IP. It now works the way you want, right?

"Shouldn't HOST_BLOCK_SRC be at the very front?"
In its current state the order looks fine: BASE_INPUT_CHAIN handles the ESTABLISHED and RELATED packets as well as those coming from loopback; INPUT_CHAIN is empty, and HOST_BLOCK_SRC comes after that. However, 31.222.133.87 is not in it, while another address is there twice. If you put it there, it will apply to new connections.
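
Added example (not part of the original thread or of arno-iptables-firewall): a Python check that parses an `iptables -nvL INPUT` listing and reports rules that can never match because an earlier unconditional rule ends traversal first, as with the DROP rules appended with -A behind the catch-all DROP. The sample listing is constructed by abbreviating the thread's output; jumps into user-defined chains are not followed, so the ESTABLISHED accept inside BASE_INPUT_CHAIN is outside what it models.

```python
import ipaddress

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal for a matching packet
KEYS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")

def parse_chain(listing):
    """Parse the rules of one chain from `iptables -nvL` output."""
    rules = []
    for line in listing.splitlines():
        parts = line.split(None, 9)
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue  # chain title, column header or blank line
        extra = parts[9] if len(parts) > 9 else ""
        rules.append(dict(zip(KEYS, parts), extra=extra, num=len(rules) + 1))
    return rules

def _net(field):
    return ipaddress.ip_network(field, strict=False)

def covers(early, late):
    """True if every packet `late` could match is already matched by `early`."""
    fields = early["src"] + early["dst"] + late["src"] + late["dst"]
    if early["extra"] or early["opt"] != "--" or early["prot"] != "all" or "!" in fields:
        return False  # extra matches, fragments and negation are not modelled
    ifaces_ok = all(early[c] in ("*", "+", late[c]) for c in ("in", "out"))
    return (ifaces_ok and _net(late["src"]).subnet_of(_net(early["src"]))
            and _net(late["dst"]).subnet_of(_net(early["dst"])))

def shadowed_rules(rules):
    """(rule, shadowing rule) pairs for rules that can never be reached."""
    pairs = []
    for i, late in enumerate(rules):
        early = next((e for e in rules[:i]
                      if e["target"] in TERMINAL and covers(e, late)), None)
        if early:
            pairs.append((late["num"], early["num"]))
    return pairs

def first_block_for(rules, ip):
    """Number of the first reachable DROP/REJECT naming `ip` as source, or None."""
    dead = {num for num, _ in shadowed_rules(rules)}
    for r in rules:
        if (r["target"] in ("DROP", "REJECT") and r["num"] not in dead
                and "!" not in r["src"] and _net(r["src"]) == _net(ip)):
            return r["num"]
    return None

# Constructed sample: INPUT chain abbreviated from the listings in the thread.
HEADER = ("Chain INPUT (policy DROP 0 packets, 0 bytes)\n"
          "pkts bytes target prot opt in out source destination\n")
BODY = """\
149K 27M BASE_INPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
5198 544K HOST_BLOCK_SRC all -- * * 0.0.0.0/0 0.0.0.0/0
5156 542K EXT_INPUT_CHAIN !icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 31.222.133.87 0.0.0.0/0
0 0 DROP all -- eth0 * 31.222.133.87 0.0.0.0/0
"""
APPENDED = parse_chain(HEADER + BODY)  # state after `iptables -A`
INSERTED = parse_chain(HEADER + "9155 604K DROP all -- eth0 * 31.222.133.87 0.0.0.0/0\n" + BODY)  # after `-I`
```

On the appended listing `first_block_for` finds no reachable block for 31.222.133.87, while on the inserted one it returns rule 1 and marks the leftover appended rules as dead.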