
#1 2017-05-22 10:35:16

esud
Member
Registered: 2016-08-07
Posts: 10

[SOLVED] Can not block IP-address with iptables, please help

Hello,

I want to protect my server from one spammer and block the IP address (including the whole subnet) which accesses my server.
On the internet I read many tutorials which recommend blocking an IP subnet with this command:

iptables -I INPUT -s 45.32.73.0/24 -j DROP

However, when I execute this command, it does not work. This IP can still access my server.

I think the problem is that I use a virtual container (LXC) on my host system. To make this
container accessible via a public IP I already configured some iptables NAT rules.
So, maybe the above command is not compatible with these rules.

Here is the output of iptables-save, including the block command which does not work:

# iptables-save
# Generated by iptables-save v1.6.0 on Mon May 22 12:19:43 2017
*mangle
:PREROUTING ACCEPT [7506285390:1841966088140]
:INPUT ACCEPT [19992343:2821990768]
:FORWARD ACCEPT [7486292843:1839144088322]
:OUTPUT ACCEPT [19143071:1433210422]
:POSTROUTING ACCEPT [7505315764:1840566145531]
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon May 22 12:19:43 2017
# Generated by iptables-save v1.6.0 on Mon May 22 12:19:43 2017
*filter
:INPUT ACCEPT [17348:1315026]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [22302:1742209]
-A INPUT -s 45.32.73.0/24 -j DROP
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
COMMIT
# Completed on Mon May 22 12:19:43 2017
# Generated by iptables-save v1.6.0 on Mon May 22 12:19:43 2017
*nat
:PREROUTING ACCEPT [37407872:2372934193]
:INPUT ACCEPT [2784903:222819660]
:OUTPUT ACCEPT [3186380:201316017]
:POSTROUTING ACCEPT [152853273:9136149906]
-A PREROUTING -d 84.201.123.123/32 -j DNAT --to-destination 10.0.3.15
-A PREROUTING -d 84.202.123.123/32 -j DNAT --to-destination 10.0.3.202
-A PREROUTING -d 84.201.123.123/32 -j DNAT --to-destination 10.0.3.15
-A PREROUTING -d 84.203.11.123/32 -j DNAT --to-destination 10.0.3.190
-A PREROUTING -d 84.205.11.123/32 -j DNAT --to-destination 10.0.3.175
-A PREROUTING -d 84.206.11.123/32 -j DNAT --to-destination 10.0.3.78
-A OUTPUT -d 84.201.123.123/32 -j DNAT --to-destination 10.0.3.15
-A OUTPUT -d 84.202.123.123/32 -j DNAT --to-destination 10.0.3.202
-A OUTPUT -d 84.201.123.123/32 -j DNAT --to-destination 10.0.3.15
-A OUTPUT -d 84.203.11.123/32 -j DNAT --to-destination 10.0.3.190
-A OUTPUT -d 84.205.11.123/32 -j DNAT --to-destination 10.0.3.175
-A OUTPUT -d 84.206.11.123/32 -j DNAT --to-destination 10.0.3.78
-A POSTROUTING -s 10.0.3.202/32 -j SNAT --to-source 84.202.123.123
-A POSTROUTING -s 10.0.3.15/32 -j SNAT --to-source 84.201.123.123
-A POSTROUTING -s 10.0.3.202/32 -j SNAT --to-source 84.202.123.123
-A POSTROUTING -s 10.0.3.15/32 -j SNAT --to-source 84.201.123.123
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A POSTROUTING -s 10.0.3.190/32 -j SNAT --to-source 84.203.11.123
-A POSTROUTING -s 10.0.3.175/32 -j SNAT --to-source 84.205.11.123
-A POSTROUTING -s 10.0.3.78/32 -j SNAT --to-source 84.206.11.123
COMMIT
# Completed on Mon May 22 12:19:43 2017

Maybe someone can help me with this problem and tell me what is wrong.

Last edited by esud (2017-05-23 01:32:54)


#2 2017-05-22 10:45:50

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: [SOLVED] Can not block IP-address with iptables, please help

Rules in the input chain only apply to packets with your (host) machine as destination. They will not match packets that are redirected to other machines (e.g. your LXC containers), as those pass through the forward chain.

If you want to drop all packets from that subnet, try dropping them in the forwarding chain, too.
Or simply in the prerouting chain¹.

___
¹ But I'm not sure whether this is elegant or recommended.

Last edited by ayekat (2017-05-22 10:47:26)



#3 2017-05-22 17:01:33

esud
Member
Registered: 2016-08-07
Posts: 10

Re: [SOLVED] Can not block IP-address with iptables, please help

ayekat wrote:

Rules in the input chain only apply to packets with your (host) machine as destination. They will not match packets that are redirected to other machines (e.g. your LXC containers), as those pass through the forward chain.

If you want to drop all packets from that subnet, try dropping them in the forwarding chain, too.
Or simply in the prerouting chain¹.

Ah, thank you for this info. Before, I thought that everything goes over the INPUT chain.
So, the correct solution is:

Block subnet (all IPs which begin with 45.32.11.*)

iptables -t filter -I FORWARD -s 45.32.11.0/24 -j DROP

Unblock subnet

iptables -t filter -D FORWARD -s 45.32.11.0/24 -j DROP

> Or simply in the prerouting chain

This does not work, I get the following error message when I try to add this iptables rule: The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
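To illustrate why the INPUT rule from post #1 never saw the container traffic while the FORWARD rule in post #3 catches it, here is an added Python model of the netfilter chain traversal (editor's example, not code from the thread). The DNAT entries are a subset of the posted dump; the host addresses 84.200.0.1 and 10.0.3.1 and the source 45.32.73.5 are constructed.

```python
import ipaddress

# Constructed subset of the iptables-save dump from post #1 (not the full rule set):
# nat PREROUTING DNAT rules, keyed by public address -> container address.
DNAT_RULES = {"84.201.123.123": "10.0.3.15", "84.202.123.123": "10.0.3.202"}
# Assumed addresses owned by the host itself (hypothetical primary IP and lxcbr0).
HOST_ADDRS = {"84.200.0.1", "10.0.3.1"}
# filter table rules in chain order: (chain, source network, target).
# This is the rule that did not work for the original poster.
FILTER_RULES = [("INPUT", "45.32.73.0/24", "DROP")]


def dnat(dst):
    """nat PREROUTING runs before the routing decision, so the destination is rewritten first."""
    return DNAT_RULES.get(dst, dst)


def choose_chain(dst):
    """Routing decision: locally delivered packets hit INPUT, everything else FORWARD."""
    return "INPUT" if dst in HOST_ADDRS else "FORWARD"


def filter_verdict(chain, src, rules):
    """Walk one filter chain top-down; the first matching -s rule wins, else policy ACCEPT."""
    for rule_chain, net, target in rules:
        if rule_chain == chain and ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return target
    return "ACCEPT"


def trace(src, dst, rules=FILTER_RULES):
    """Return (chain traversed, verdict) for a packet from src to dst."""
    chain = choose_chain(dnat(dst))
    return chain, filter_verdict(chain, src, rules)


def block_subnet(rules, net):
    """The fix from the thread: a DROP in FORWARD as well as INPUT (prepended, like -I)."""
    return [("INPUT", net, "DROP"), ("FORWARD", net, "DROP")] + list(rules)


if __name__ == "__main__":
    spammer = "45.32.73.5"  # constructed address inside the blocked /24
    print(trace(spammer, "84.200.0.1"))      # ('INPUT', 'DROP'): the host itself is protected
    print(trace(spammer, "84.201.123.123"))  # ('FORWARD', 'ACCEPT'): DNAT to the container bypasses INPUT
    fixed = block_subnet(FILTER_RULES, "45.32.73.0/24")
    print(trace(spammer, "84.201.123.123", fixed))  # ('FORWARD', 'DROP')
```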


#4 2017-05-22 20:48:53

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: [SOLVED] Can not block IP-address with iptables, please help

esud wrote:

This does not work, I get following error message when I try to add this iptables rule: The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.

Ah, that's good to know :)
Please don't forget to mark your thread as solved by editing your first post and prepending [SOLVED] to its title.


