[CentOS] Strange behaviour of iptables in centos 7

Tue Mar 8 09:10:54 UTC 2016
anax <anax at ayni.com>


On 03/08/2016 09:43 AM, James Hogarth wrote:
> On 8 Mar 2016 07:36, "anax" <anax at ayni.com> wrote:
>>
>> Hi
>> strange behaviour of iptables on a centos 7.0 machine:
>> The following rule is in the iptables of said machine:
>>
>> [root at myserver ~]# iptables -L -v -n --line-numbers |grep 175\.
>> 9        9   456 DROP       all  --  *      *       175.44.0.0/16        0.0.0.0/0
>> [root at myserver ~]#
>>
>> The corresponding entry in /etc/sysconfig/iptables looks like:
>>
>> [root at myserver ~]# grep 175 /etc/sysconfig/iptables
>> -A INPUT -s 175.44.0.0/16 -j DROP
>> [root at myserver ~]#
>>
>> The rule must have been there for ages, because it has number 9 out of 76 similar rules.
>>
>> Today, on the same machine (I rechecked it to make sure not to confound machines), I see the following extract of the ftp log:
>>
>> <snip>
>> 175.44.4.127    2915
>> 175.44.26.128   2021
>> 175.44.26.138   1322
>> 175.44.6.186    1290
>> 175.44.24.88    1219
>> 175.44.4.199    1212
>> </snip>
>>
>> saying that from these IP addresses there have been this many connections to the ftp server on that machine during the last two days, which means that the iptables haven't dropped the connections to the machine. As far as I know, the ftp server is behind the iptables. I also checked in man iptables whether the IP address is represented correctly.
>>
>> What am I missing?
>>
>
> Please provide the full iptables listing as a snippet from one section is
> not useful.
>
> Keep in mind iptables does not go by the most specific entry but rather the
> first matching rule hit.
>
> If there are any rules prior to this drop that would permit the traffic
> then of course the traffic would be permitted.
>
> Also 7.0? Please get that system updated asap as you are missing many
> important (and higher) issues being fixed.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>


Hi James

Thanks very much for your answer.

The full iptables list is in my reply to John.

But you are correct, I must update the system. This may fix the issue.

suomi
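James's point that iptables takes the first matching rule, not the most specific one, can be checked offline against a copy of /etc/sysconfig/iptables. The following is an added example, not code from the thread: it parses a small constructed ruleset (the 175.44.0.0/16 DROP from the thread preceded by an assumed ACCEPT for port 21) and reports which rule a given packet would hit first.

```python
import ipaddress
import shlex

# Constructed ruleset in /etc/sysconfig/iptables (iptables-save) syntax.
# Rule 1 is an ASSUMED earlier ACCEPT; rule 2 is the DROP quoted in the thread.
SAMPLE_RULES = """
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -s 175.44.0.0/16 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
"""


def parse_rules(text, chain="INPUT"):
    """Parse '-A <chain>' lines into dicts, in file order.

    Only -s, -p, --dport and -j are understood; other matches (-m state,
    -i, ...) are not handled by this simplified parser.
    """
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A" or toks[1] != chain:
            continue
        rule = {"src": None, "proto": None, "dport": None, "target": None}
        for opt, val in zip(toks[2::2], toks[3::2]):
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "-j":
                rule["target"] = val
        rules.append(rule)
    return rules


def first_match(rules, src, proto, dport, policy="ACCEPT"):
    """Return (rule_number, target) of the first rule matching the packet,
    or (None, policy) when nothing matches and the chain policy applies."""
    addr = ipaddress.ip_address(src)
    for n, r in enumerate(rules, start=1):
        if r["src"] is not None and addr not in r["src"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return n, r["target"]
    return None, policy


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # FTP control connection from one of the addresses in the ftp log
    print(first_match(rules, "175.44.4.127", "tcp", 21))  # (1, 'ACCEPT')
    print(first_match(rules, "175.44.4.127", "tcp", 22))  # (2, 'DROP')
```

The pkts/bytes counters from `iptables -L -v` (9 packets on the DROP rule in the listing above) are the quickest on-box check of whether a rule is actually being hit by the traffic in question.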