On 03/08/2016 09:13 AM, John R Pierce wrote: > On 3/7/2016 11:35 PM, anax wrote: >> saying that from this IP addresse there have been this many >> connections to the ftp server on that machine during the last two >> days, which means that the iptables haven't dropped the connection to >> the machine. As far as I know, the ftp server is behind the iptables. >> I also checked to see in man iptables, wheather the IP address is >> represented correctly. > > > which table is that rule in? INPUT, or a table invoked by input? are > there rules affecting inbound FTP connections before that rule? > > > Hi John Thanks for your answer. The complete output of iptables is: [root at myserver ~]# iptables -L -v -n --line-numbers Chain INPUT (policy ACCEPT 30M packets, 6401M bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT udp -- * * 127.0.0.1 0.0.0.0/0 udp dpt:53 2 11 1133 ACCEPT udp -- * * 192.168.97.0/24 0.0.0.0/0 udp dpt:53 3 254K 17M ACCEPT udp -- * * 212.90.206.128/27 0.0.0.0/0 udp dpt:53 4 40M 2816M udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 recent: SET name: dnslimit side: source mask: 255.255.255.255 5 7717K 549M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 recent: UPDATE seconds: 10 hit_count: 20 name: dnslimit side: source mask: 255.255.255.255 6 823K 65M udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|0000ff0001|" ALGO name bm FROM 50 TO 65535 recent: SET name: dnsanyquery side: source mask: 255.255.255.255 7 337K 27M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|0000ff0001|" ALGO name bm FROM 50 TO 65535 recent: CHECK seconds: 10 hit_count: 3 name: dnsanyquery side: source mask: 255.255.255.255 8 0 0 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|e28098|" ALGO name bm FROM 50 TO 65535 9 9 456 DROP all -- * * 175.44.0.0/16 0.0.0.0/0 10 1059 73305 DROP all -- * * 58.251.0.0/16 0.0.0.0/0 11 1099 77004 DROP all -- * * 74.63.0.0/16 0.0.0.0/0 12 1133 78600 DROP all -- * * 36.248.0.0/16 0.0.0.0/0 13 1130 77455 DROP all -- * * 14.222.0.0/16 0.0.0.0/0 14 1112 76977 DROP all -- * * 113.247.0.0/16 0.0.0.0/0 15 1397 95745 DROP all -- * * 112.90.0.0/16 0.0.0.0/0 16 11137 747K DROP all -- * * 5.39.0.0/16 0.0.0.0/0 17 57 4687 DROP all -- * * 185.29.0.0/16 0.0.0.0/0 18 8861 654K DROP all -- * * 37.59.0.0/16 0.0.0.0/0 19 133 7344 DROP all -- * * 165.228.0.0/16 0.0.0.0/0 20 1104 76908 DROP all -- * * 58.254.0.0/16 0.0.0.0/0 21 1076 75445 DROP all -- * * 99.157.0.0/16 0.0.0.0/0 22 215 14708 DROP all -- * * 201.10.0.0/16 0.0.0.0/0 23 1073 74411 DROP all -- * * 5.34.0.0/16 0.0.0.0/0 24 1124 80611 DROP all -- * * 46.29.0.0/16 0.0.0.0/0 25 1867 123K DROP all -- * * 104.232.0.0/16 0.0.0.0/0 26 113K 15M DROP all -- * * 195.186.1.162 0.0.0.0/0 27 1077 74817 DROP all -- * * 112.111.0.0/16 0.0.0.0/0 28 1091 75748 DROP all -- * * 122.13.0.0/16 0.0.0.0/0 29 51 3528 DROP all -- * * 42.157.0.0/16 0.0.0.0/0 30 1367 87949 DROP all -- * * 78.188.0.0/16 0.0.0.0/0 31 60 3447 DROP all -- * * 218.161.0.0/16 0.0.0.0/0 32 727 83807 DROP all -- * * 218.203.0.0/16 0.0.0.0/0 33 1043 72394 DROP all -- * * 96.250.0.0/16 0.0.0.0/0 34 7332 507K DROP all -- * * 89.163.0.0/16 0.0.0.0/0 35 59 4240 DROP all -- * * 203.101.0.0/16 0.0.0.0/0 36 1063 73252 DROP all -- * * 117.204.0.0/16 0.0.0.0/0 37 1081 74869 DROP all -- * * 114.80.0.0/16 0.0.0.0/0 38 1387 104K DROP all -- * * 14.215.0.0/16 0.0.0.0/0 39 1273 87578 DROP all -- * * 14.152.0.0/16 0.0.0.0/0 40 2823 204K DROP all -- * * 46.105.0.0/16 0.0.0.0/0 41 1088 352K DROP all -- * * 66.85.0.0/16 0.0.0.0/0 42 6108 391K DROP all -- * * 220.181.0.0/16 0.0.0.0/0 43 1253 86598 DROP all -- * * 37.99.0.0/16 0.0.0.0/0 44 1092 75717 DROP all -- * * 88.206.0.0/16 0.0.0.0/0 45 950 66684 DROP all -- * * 62.76.0.0/16 0.0.0.0/0 46 2965 188K DROP all -- * * 109.86.0.0/16 0.0.0.0/0 47 1154 79964 DROP all -- * * 89.236.0.0/16 0.0.0.0/0 48 1107 77559 DROP all -- * * 77.47.0.0/16 0.0.0.0/0 49 2768 161K DROP all -- * * 93.170.0.0/16 0.0.0.0/0 50 1100 76600 DROP all -- * * 94.180.0.0/16 0.0.0.0/0 51 1721 111K DROP all -- * * 61.160.0.0/16 0.0.0.0/0 52 1234 85650 DROP all -- * * 59.38.0.0/16 0.0.0.0/0 53 1060 73687 DROP all -- * * 118.67.0.0/16 0.0.0.0/0 54 1166 82448 DROP all -- * * 119.146.0.0/16 0.0.0.0/0 55 1134 79042 DROP all -- * * 116.25.0.0/16 0.0.0.0/0 56 1045 72968 DROP all -- * * 116.24.0.0/16 0.0.0.0/0 57 1050 73085 DROP all -- * * 116.23.0.0/16 0.0.0.0/0 58 1053 73047 DROP all -- * * 116.22.0.0/16 0.0.0.0/0 59 1106 77294 DROP all -- * * 116.21.0.0/16 0.0.0.0/0 60 1058 73551 DROP all -- * * 116.20.0.0/16 0.0.0.0/0 61 1048 72969 DROP all -- * * 116.19.0.0/16 0.0.0.0/0 62 1066 74472 DROP all -- * * 116.18.0.0/16 0.0.0.0/0 63 1111 76650 DROP all -- * * 116.17.0.0/16 0.0.0.0/0 64 1016 70316 DROP all -- * * 116.16.0.0/16 0.0.0.0/0 65 1171 80275 DROP all -- * * 113.106.0.0/16 0.0.0.0/0 66 945 65996 DROP all -- * * 61.11.0.0/16 0.0.0.0/0 67 1132 78418 DROP all -- * * 112.74.0.0/16 0.0.0.0/0 68 1039 72295 DROP all -- * * 121.26.0.0/16 0.0.0.0/0 69 3714 258K DROP all -- * * 202.78.0.0/16 0.0.0.0/0 70 2 112 DROP all -- * * 219.138.0.0/16 0.0.0.0/0 71 1229 86598 DROP all -- * * 114.246.0.0/16 0.0.0.0/0 72 32 4234 DROP all -- * * 222.98.0.0/16 0.0.0.0/0 73 52 3101 DROP all -- * * 190.103.0.0/16 0.0.0.0/0 74 1926 116K DROP all -- * * 222.186.0.0/16 0.0.0.0/0 75 214 14906 DROP all -- * * 114.66.0.0/16 0.0.0.0/0 76 259 15456 DROP all -- * * 191.252.0.0/16 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 37M packets, 15G bytes) num pkts bytes target prot opt in out source destination 1 3676 300K DROP udp -- * * 0.0.0.0/0 112.90.0.0/16 udp dpt:53 2 1845K 149M DROP udp -- * * 0.0.0.0/0 140.205.0.0/16 udp dpt:53 3 907K 73M DROP udp -- * * 0.0.0.0/0 42.120.0.0/16 udp dpt:53 [root at myserver ~]# so, the 9th resource record is in the INPUT Chain, as it should be. The first 8 resource records should prevent a DDoS attack to the DNS port. As you can see there are no special resource records to enable FTP connections. suomi