We use a home-brew system similar to fail2ban to block traffic from IP addresses which appear to be doing Nasty Things(tm). The main thing our system does that fail2ban doesn't is to use a central DNSRBL we maintain, allowing it to immediately ban listed IP addresses the first time they make an attempt to connect, without waiting for them to hit a sufficient number of times to bring up the block.
This system sends e-mail messages to our security alias whenever a blocking event occurs, either from tcp_wrappers or the swatch log watcher.
My problem is that occasionally an IP address doesn't appear to be blocked, as we continue to see the e-mail messages after the blocks are in place. Most frequently these occur from courier-imap failed login attempts, less frequently from sshd.
To start, iptables is initialized by setting up a named rule set, say on eth0:
# these two set up the rule set.
iptables -N csblocks
iptables -A csblocks -j RETURN

# now add it to input, check csblocks on all new connections.
iptables -A INPUT -i eth0 -m state --state NEW -j csblocks

# Insert block IP address 1.2.3.4 as first rule in the set.
iptables -I csblocks 1 -s 1.2.3.4 -j DROP

# now add a rule to prevent IP forwarding on gateway machines.
iptables -A FORWARD -s 1.2.3.4 -j DROP

# for good measure, null route the IP
route add -host 1.2.3.4 reject
With all that incoming attempts still seem to get by for a few IP addresses, but certainly not all.
Can anybody point out what I'm doing wrong, or why this may happen?
Bill
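A check for the symptom described above, added here as example code (it is not from the post or from the author's system): it parses an `iptables-save` dump and reports the common reasons a ban placed in a custom chain like csblocks does not take effect, including a jump rule that only matches NEW connections, which leaves sessions already open when the ban was added untouched. The two dumps, the chain name and the IP address are constructed for the example.

```python
# Constructed iptables-save excerpts (not from the post), modelled on the
# rule set above. BROKEN: csblocks holds the DROP but INPUT never jumps to
# it. HOOKED: the jump is present, but only for NEW connections.
BROKEN = """\
*filter
:INPUT ACCEPT [0:0]
:csblocks - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 1.2.3.4/32 -j DROP
-A csblocks -s 1.2.3.4/32 -j DROP
-A csblocks -j RETURN
COMMIT
"""
HOOKED = BROKEN.replace(
    "-A INPUT -m state",
    "-A INPUT -i eth0 -m state --state NEW -j csblocks\n-A INPUT -m state")

def parse_rules(save_text):
    """Return [(chain, tokens)] for each -A line in the dump."""
    return [(t[1], t[2:]) for t in (l.split() for l in save_text.splitlines())
            if t[:1] == ["-A"]]

def target_of(tok):
    return tok[tok.index("-j") + 1] if "-j" in tok else None

def source_of(tok):
    # iptables-save prints a host match as a.b.c.d/32; strip the mask.
    return tok[tok.index("-s") + 1].split("/")[0] if "-s" in tok else None

def check_ban(save_text, ip, chain="csblocks", hook="INPUT"):
    """Return findings explaining why a ban on `ip` may not bite."""
    rules = parse_rules(save_text)
    findings = []
    in_chain = [t for c, t in rules if c == chain]
    drops = [i for i, t in enumerate(in_chain)
             if target_of(t) == "DROP" and source_of(t) == ip]
    rets = [i for i, t in enumerate(in_chain) if target_of(t) == "RETURN"]
    if not drops:
        findings.append(f"no DROP for {ip} in {chain}")
    elif rets and rets[0] < drops[0]:
        findings.append(f"DROP for {ip} sits after RETURN in {chain}, never reached")
    # The custom chain is dead code unless the hook chain jumps to it.
    jumps = [t for c, t in rules if c == hook and target_of(t) == chain]
    if not jumps:
        findings.append(f"{hook} never jumps to {chain}: the chain is dead code")
    elif "--state" in jumps[0] and jumps[0][jumps[0].index("--state") + 1] == "NEW":
        findings.append(f"{hook} jumps to {chain} only for NEW connections: "
                        "sessions open before the ban keep working until they close")
    return findings
```

Run it against `iptables-save` output from the affected host; an empty list means the ban is wired up as intended.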