On 03/08/2016 08:50 AM, Rob Kampen wrote:
> On 03/08/2016 08:35 PM, anax wrote:
>> Hi
>> strange behaviour of iptables on a centos 7.0 machine:
>> The following rule is in the iptables of said machine:
>>
>> [root at myserver ~]# iptables -L -v -n --line-numbers |grep 175\.
>> 9        9   456 DROP       all  --  *      *       175.44.0.0/16        0.0.0.0/0
>> [root at myserver ~]#
>>
>> The corresponding entry in /etc/sysconfig/iptables looks like:
>>
>> [root at myserver ~]# grep 175 /etc/sysconfig/iptables
>> -A INPUT -s 175.44.0.0/16 -j DROP
>> [root at myserver ~]#
>>
>> The rule must have been there for ages, because it has number 9 out of 76
>> similar rules.
>>
>> Today, on the same machine (I rechecked it to make sure not to
>> confound machines), I see the following extract of the ftplog:
>>
>> <snip>
>> 175.44.4.127 2915
>> 175.44.26.128 2021
>> 175.44.26.138 1322
>> 175.44.6.186 1290
>> 175.44.24.88 1219
>> 175.44.4.199 1212
>> </snip>
>>
>> saying that from these IP addresses there have been this many
>> connections to the ftp server on that machine during the last two
>> days, which means that the iptables haven't dropped the connections to
>> the machine. As far as I know, the ftp server is behind the iptables.
>> I also checked in man iptables whether the IP address is
>> represented correctly.
>>
>> What am I missing?
>>
> You mention iptables - but no mention of firewalld - they both use the
> same kernel mechanism, but it is important that both CANNOT be active!
> If you configure and use firewalld you can query
> # iptables -L
> and see what is installed, however I have no idea if this exposes the entire set
> of firewall statements - others that better understand this space, feel
> free to weigh in.
> CentOS 7 has firewalld enabled by default, thus the choice to use
> iptables directly means that firewalld must be disabled.
> HTH
>> thanks in advance
>>
>> suomi
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos

Hi Rob

Thank you for your answer. I really did not consider firewalld. But when I check on the server I get:

[root at myserver ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
[root at myserver ~]#

Also if I do:

[root at myserver ~]# ps xa |grep firewall
12235 pts/0    S+     0:00 grep --color=auto firewall
[root at myserver ~]#

so firewalld is really not active.

suomi
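With firewalld ruled out, the next thing a practitioner would check is rule order: the DROP at position 9 has matched only 9 packets while the ftp log counts thousands of connections, so some earlier rule in INPUT may be accepting that traffic first. The following is an added shell example, not code from the thread or from either poster; it parses `iptables-save` output (a constructed sample ruleset is embedded, and `rules_before_drop` / `count_accepts_before_drop` are hypothetical helper names) and lists every ACCEPT rule that is evaluated before the DROP for a given source.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (NOT taken from the thread):
# two ACCEPT rules sit ahead of the DROP for 175.44.0.0/16.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 175.44.0.0/16 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
COMMIT'

# rules_before_drop CHAIN SOURCE
# Reads iptables-save output on stdin and prints, with their position in
# CHAIN, every ACCEPT rule evaluated before the first "-s SOURCE -j DROP".
# Those are the rules that can let SOURCE's traffic through before the DROP
# is ever consulted. Exit status is 1 if no such DROP rule exists in CHAIN.
# Live use: iptables-save | rules_before_drop INPUT 175.44.0.0/16
rules_before_drop() {
    chain="$1"; src="$2"
    awk -v chain="$chain" -v src="$src" '
        $1 == "-A" && $2 == chain {
            n++                       # position of this rule within CHAIN
            if (found) next           # past the DROP: later rules cannot pre-empt it
            # the DROP we are looking for (plain "-s SOURCE -j DROP" form)
            if ($3 == "-s" && $4 == src && $(NF-1) == "-j" && $NF == "DROP") {
                found = n; next
            }
            if ($(NF-1) == "-j" && $NF == "ACCEPT") print n ": " $0
        }
        END { if (!found) exit 1 }
    '
}

# count_accepts_before_drop CHAIN SOURCE: number of ACCEPT rules ahead of the DROP
count_accepts_before_drop() {
    rules_before_drop "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample
printf '%s\n' "$SAMPLE_RULES" | rules_before_drop INPUT 175.44.0.0/16
```

A non-empty listing means the DROP only sees packets the earlier rules did not already accept, which is consistent with a low packet counter on the DROP rule; the fix on a real host is to move the DROP (or an equivalent `-I INPUT 1 ...`) ahead of those ACCEPTs.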