[CentOS] Strange behaviour of iptables in centos 7
anax
anax at ayni.com
Tue Mar 8 09:04:51 UTC 2016
On 03/08/2016 09:13 AM, John R Pierce wrote:
> On 3/7/2016 11:35 PM, anax wrote:
>> saying that from this IP address there have been this many
>> connections to the ftp server on that machine during the last two
>> days, which means that the iptables haven't dropped the connection to
>> the machine. As far as I know, the ftp server is behind the iptables.
>> I also checked to see in man iptables, whether the IP address is
>> represented correctly.
>
>
> which table is that rule in? INPUT, or a table invoked by input? are
> there rules affecting inbound FTP connections before that rule?
>
>
>
Hi John
Thanks for your answer.
The complete output of iptables is:
[root at myserver ~]# iptables -L -v -n --line-numbers
Chain INPUT (policy ACCEPT 30M packets, 6401M bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 127.0.0.1 0.0.0.0/0 udp dpt:53
2 11 1133 ACCEPT udp -- * * 192.168.97.0/24 0.0.0.0/0 udp dpt:53
3 254K 17M ACCEPT udp -- * * 212.90.206.128/27 0.0.0.0/0 udp dpt:53
4 40M 2816M udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 recent: SET name: dnslimit side: source mask: 255.255.255.255
5 7717K 549M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 recent: UPDATE seconds: 10 hit_count: 20 name: dnslimit side: source mask: 255.255.255.255
6 823K 65M udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|0000ff0001|" ALGO name bm FROM 50 TO 65535 recent: SET name: dnsanyquery side: source mask: 255.255.255.255
7 337K 27M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|0000ff0001|" ALGO name bm FROM 50 TO 65535 recent: CHECK seconds: 10 hit_count: 3 name: dnsanyquery side: source mask: 255.255.255.255
8 0 0 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|e28098|" ALGO name bm FROM 50 TO 65535
9 9 456 DROP all -- * * 175.44.0.0/16 0.0.0.0/0
10 1059 73305 DROP all -- * * 58.251.0.0/16 0.0.0.0/0
11 1099 77004 DROP all -- * * 74.63.0.0/16 0.0.0.0/0
12 1133 78600 DROP all -- * * 36.248.0.0/16 0.0.0.0/0
13 1130 77455 DROP all -- * * 14.222.0.0/16 0.0.0.0/0
14 1112 76977 DROP all -- * * 113.247.0.0/16 0.0.0.0/0
15 1397 95745 DROP all -- * * 112.90.0.0/16 0.0.0.0/0
16 11137 747K DROP all -- * * 5.39.0.0/16 0.0.0.0/0
17 57 4687 DROP all -- * * 185.29.0.0/16 0.0.0.0/0
18 8861 654K DROP all -- * * 37.59.0.0/16 0.0.0.0/0
19 133 7344 DROP all -- * * 165.228.0.0/16 0.0.0.0/0
20 1104 76908 DROP all -- * * 58.254.0.0/16 0.0.0.0/0
21 1076 75445 DROP all -- * * 99.157.0.0/16 0.0.0.0/0
22 215 14708 DROP all -- * * 201.10.0.0/16 0.0.0.0/0
23 1073 74411 DROP all -- * * 5.34.0.0/16 0.0.0.0/0
24 1124 80611 DROP all -- * * 46.29.0.0/16 0.0.0.0/0
25 1867 123K DROP all -- * * 104.232.0.0/16 0.0.0.0/0
26 113K 15M DROP all -- * * 195.186.1.162 0.0.0.0/0
27 1077 74817 DROP all -- * * 112.111.0.0/16 0.0.0.0/0
28 1091 75748 DROP all -- * * 122.13.0.0/16 0.0.0.0/0
29 51 3528 DROP all -- * * 42.157.0.0/16 0.0.0.0/0
30 1367 87949 DROP all -- * * 78.188.0.0/16 0.0.0.0/0
31 60 3447 DROP all -- * * 218.161.0.0/16 0.0.0.0/0
32 727 83807 DROP all -- * * 218.203.0.0/16 0.0.0.0/0
33 1043 72394 DROP all -- * * 96.250.0.0/16 0.0.0.0/0
34 7332 507K DROP all -- * * 89.163.0.0/16 0.0.0.0/0
35 59 4240 DROP all -- * * 203.101.0.0/16 0.0.0.0/0
36 1063 73252 DROP all -- * * 117.204.0.0/16 0.0.0.0/0
37 1081 74869 DROP all -- * * 114.80.0.0/16 0.0.0.0/0
38 1387 104K DROP all -- * * 14.215.0.0/16 0.0.0.0/0
39 1273 87578 DROP all -- * * 14.152.0.0/16 0.0.0.0/0
40 2823 204K DROP all -- * * 46.105.0.0/16 0.0.0.0/0
41 1088 352K DROP all -- * * 66.85.0.0/16 0.0.0.0/0
42 6108 391K DROP all -- * * 220.181.0.0/16 0.0.0.0/0
43 1253 86598 DROP all -- * * 37.99.0.0/16 0.0.0.0/0
44 1092 75717 DROP all -- * * 88.206.0.0/16 0.0.0.0/0
45 950 66684 DROP all -- * * 62.76.0.0/16 0.0.0.0/0
46 2965 188K DROP all -- * * 109.86.0.0/16 0.0.0.0/0
47 1154 79964 DROP all -- * * 89.236.0.0/16 0.0.0.0/0
48 1107 77559 DROP all -- * * 77.47.0.0/16 0.0.0.0/0
49 2768 161K DROP all -- * * 93.170.0.0/16 0.0.0.0/0
50 1100 76600 DROP all -- * * 94.180.0.0/16 0.0.0.0/0
51 1721 111K DROP all -- * * 61.160.0.0/16 0.0.0.0/0
52 1234 85650 DROP all -- * * 59.38.0.0/16 0.0.0.0/0
53 1060 73687 DROP all -- * * 118.67.0.0/16 0.0.0.0/0
54 1166 82448 DROP all -- * * 119.146.0.0/16 0.0.0.0/0
55 1134 79042 DROP all -- * * 116.25.0.0/16 0.0.0.0/0
56 1045 72968 DROP all -- * * 116.24.0.0/16 0.0.0.0/0
57 1050 73085 DROP all -- * * 116.23.0.0/16 0.0.0.0/0
58 1053 73047 DROP all -- * * 116.22.0.0/16 0.0.0.0/0
59 1106 77294 DROP all -- * * 116.21.0.0/16 0.0.0.0/0
60 1058 73551 DROP all -- * * 116.20.0.0/16 0.0.0.0/0
61 1048 72969 DROP all -- * * 116.19.0.0/16 0.0.0.0/0
62 1066 74472 DROP all -- * * 116.18.0.0/16 0.0.0.0/0
63 1111 76650 DROP all -- * * 116.17.0.0/16 0.0.0.0/0
64 1016 70316 DROP all -- * * 116.16.0.0/16 0.0.0.0/0
65 1171 80275 DROP all -- * * 113.106.0.0/16 0.0.0.0/0
66 945 65996 DROP all -- * * 61.11.0.0/16 0.0.0.0/0
67 1132 78418 DROP all -- * * 112.74.0.0/16 0.0.0.0/0
68 1039 72295 DROP all -- * * 121.26.0.0/16 0.0.0.0/0
69 3714 258K DROP all -- * * 202.78.0.0/16 0.0.0.0/0
70 2 112 DROP all -- * * 219.138.0.0/16 0.0.0.0/0
71 1229 86598 DROP all -- * * 114.246.0.0/16 0.0.0.0/0
72 32 4234 DROP all -- * * 222.98.0.0/16 0.0.0.0/0
73 52 3101 DROP all -- * * 190.103.0.0/16 0.0.0.0/0
74 1926 116K DROP all -- * * 222.186.0.0/16 0.0.0.0/0
75 214 14906 DROP all -- * * 114.66.0.0/16 0.0.0.0/0
76 259 15456 DROP all -- * * 191.252.0.0/16 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 37M packets, 15G bytes)
num pkts bytes target prot opt in out source destination
1 3676 300K DROP udp -- * * 0.0.0.0/0 112.90.0.0/16 udp dpt:53
2 1845K 149M DROP udp -- * * 0.0.0.0/0 140.205.0.0/16 udp dpt:53
3 907K 73M DROP udp -- * * 0.0.0.0/0 42.120.0.0/16 udp dpt:53
[root at myserver ~]#
So, the 9th resource record is in the INPUT Chain, as it should be. The
first 8 resource records should prevent a DDoS attack to the DNS port.
As you can see there are no special resource records to enable FTP
connections.
suomi
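An added illustration, not part of the thread and not code from anax or John: the top-down, first-match walk that netfilter performs on a chain, run over a constructed excerpt of the INPUT/OUTPUT listing above (rules rejoined onto one line each; only some rules are kept). It shows why a TCP connection to port 21 from 175.44.0.0/16 should reach rule 9 and be dropped even though rules 1 to 8 precede it: those match only UDP to port 53, so a TCP packet skips them. Rules whose outcome depends on xt_recent state or a payload string match cannot be decided from the listing alone and are reported as conditional instead of being treated as hits. The function names and the sample packets are my own.

```python
import ipaddress
import re
from dataclasses import dataclass

PROTOCOLS = {"all", "tcp", "udp", "icmp"}

# Constructed excerpt of the `iptables -L -v -n --line-numbers` output quoted
# in the thread, with each rule rejoined onto one line. Not the full table.
LISTING = """\
Chain INPUT (policy ACCEPT 30M packets, 6401M bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 127.0.0.1 0.0.0.0/0 udp dpt:53
2 11 1133 ACCEPT udp -- * * 192.168.97.0/24 0.0.0.0/0 udp dpt:53
3 254K 17M ACCEPT udp -- * * 212.90.206.128/27 0.0.0.0/0 udp dpt:53
4 40M 2816M udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 recent: SET name: dnslimit side: source mask: 255.255.255.255
5 7717K 549M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 recent: UPDATE seconds: 10 hit_count: 20 name: dnslimit side: source mask: 255.255.255.255
9 9 456 DROP all -- * * 175.44.0.0/16 0.0.0.0/0
10 1059 73305 DROP all -- * * 58.251.0.0/16 0.0.0.0/0
26 113K 15M DROP all -- * * 195.186.1.162 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 37M packets, 15G bytes)
num pkts bytes target prot opt in out source destination
1 3676 300K DROP udp -- * * 0.0.0.0/0 112.90.0.0/16 udp dpt:53
"""


@dataclass
class Rule:
    num: int
    pkts: str
    target: str  # "" when the rule has no target (it only counts or sets xt_recent state)
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    extras: str  # everything after the destination column, e.g. "udp dpt:53 recent: ..."

    def dport(self):
        m = re.search(r"dpt:(\d+)", self.extras)
        return int(m.group(1)) if m else None

    def is_conditional(self):
        # xt_recent counters and payload string matches depend on runtime
        # state, so the listing alone cannot tell whether they match.
        return "recent:" in self.extras or "STRING match" in self.extras


def parse_listing(text):
    """Parse `iptables -L -v -n --line-numbers` output into {chain: {policy, rules}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("num "):
            continue
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        tok = line.split()
        if tok[3] in PROTOCOLS:  # empty target column: the protocol sits where the target would
            tok.insert(3, "")
        num, pkts, _bytes, target, proto, _opt, _in, _out, src, dst = tok[:10]
        chains[current]["rules"].append(Rule(
            int(num), pkts, target, proto,
            ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False),
            " ".join(tok[10:])))
    return chains


def trace(chain, src_ip, proto, dport, dst_ip=None):
    """Walk one chain top-down, as netfilter does, for a packet with the given
    source, protocol and destination port. Returns (verdict, rule_number,
    conditional_rules): the first terminating rule that statically matches, or
    the chain policy with rule_number None; conditional_rules lists the earlier
    rules that might have matched depending on xt_recent or string-match state."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip) if dst_ip else None
    conditional = []
    for r in chain["rules"]:
        if r.proto not in ("all", proto) or src not in r.src:
            continue
        if dst is not None and dst not in r.dst:
            continue
        if r.dport() is not None and r.dport() != dport:
            continue
        if r.target == "":
            continue  # counting / state-setting rule: evaluation continues
        if r.is_conditional():
            conditional.append(r.num)
            continue
        return r.target, r.num, conditional
    return chain["policy"], None, conditional


if __name__ == "__main__":
    chains = parse_listing(LISTING)
    for pkt in [("175.44.10.20", "tcp", 21), ("175.44.10.20", "udp", 53),
                ("203.0.113.5", "tcp", 21)]:
        print(pkt, "->", trace(chains["INPUT"], *pkt))
```

Running it against the real box (`iptables -L -v -n --line-numbers | python3 trace.py`, after swapping LISTING for stdin) gives the rule a given source would hit; if the walk says DROP at rule 9 but the FTP log still shows connections from that /16, compare the log timestamps with when the rule was inserted and watch the rule's pkts counter while a fresh connection is attempted, since a counter that does not move means the traffic is not reaching that rule as the listing suggests.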