
I'm having issues blocking certain IP addresses access to HTTP/HTTPS ports via iptables on my CentOS 7.7 webserver.

The problem is when I add the IP address to iptables, and confirm it is in the rules, it doesn't block the IP address from accessing HTTP/HTTPS. However it does block them from everything else (ping, SSH, telnet, etc).

Notes:

  • There is no NAT or forwarding on this system.

  • There is only the lo and eth0 interfaces.

  • Sites are on Cloudflare, but please read the bottom notes.

These are my current rules (with 1.2.3.4 being the IP to block):

# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      783  120K ACCEPT     all  --  lo     any     anywhere             anywhere            
2       15   780 drop       all  --  eth0   any     1.2.3.4              anywhere            
3        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply
4        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
5        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
6        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request limit: avg 10/sec burst 5
7        0     0 drop       icmp --  any    any     anywhere             anywhere            
8      224 18088 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:http
9      432 58244 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:https
10       0     0 drop       all  --  eth0   any     1.2.3.4              anywhere            
11     260  204K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
12     275 19648 drop       all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2771 packets, 634K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain drop (4 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      290 20428 DROP       all  --  any    any     anywhere             anywhere

As stated above, that blocks IP 1.2.3.4 from everything on my server except from accessing my websites.

The only thing I can think of potentially causing an issue or hiccup in all this, is the fact that my sites are behind Cloudflare. But even then, I have the mod_cloudflare module installed which basically just means it shows "real visitor IP addresses" and not Cloudflare's IP addresses in Apache logs.

How I'm testing this is I add 1.2.3.4 to the firewall as above, confirm its presence in the rules, tailf the Apache logs, and I see that IP address still scraping my websites.

Does anyone have any ideas on what I may be doing wrong?

EDIT #1: Per the updates to the post, I have moved the drop 1.2.3.4 to below the ACCEPT anywhere but this is still not blocking the IP address from accessing the HTTP/HTTPS on the server. I have pasted my new iptables rule above, placing the drop both before and after the ACCEPT.

EDIT #2: This does appear to be an exclusive issue to Cloudflare. As I just tested this on a domain that is not using Cloudflare's DNS, and it blocks the HTTP/HTTPS access from the IP address as expected.

amy
  • Why don't you just block 1.2.3.4 at Cloudflare? – Brandon Xavier Feb 26 '20 at 22:28
  • @BrandonXavier Cloudflare only allows 5 firewall rules per domain for the free tier, which I am unfortunately on. I am needing to block multiple IP addresses, not within the same subnet, and would require much more than 5 rules. – amy Feb 26 '20 at 22:30
  • Have a look at this: https://stackoverflow.com/questions/34757287/iptables-how-to-block-handle-x-forwarded-for-addresses You should be able to block 1.2.3.4 at the application (apache) level rather than at the network level based on the X-Forwarded-For (or whatever headers Cloudflare inserts). – Brandon Xavier Feb 26 '20 at 23:24

1 Answer


The mod_cloudflare_module is only for Apache or your web server to see the source IP, not iptables.

iptables is not aware of such a module.

That said, you are blocking then accepting any on eth0. It might be because of that (not sure). Also, is eth0 really the interface/IP bound to answer the request to your web service (httpd or other)?

I would save that config to start, and try to do this:

https://www.cyberciti.biz/faq/iptables-block-port/

yield
  • Your comment regarding `mod_cloudflare` only showing the IP address to Apache and not to `iptables` may be the root of all this. Do you happen to have any documentation or possible solutions I could use? – amy Feb 26 '20 at 22:21
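The answer above and Brandon Xavier's comment point at the same thing: with Cloudflare in front of the site, the TCP peer that iptables sees on ports 80/443 is a Cloudflare edge address, so a source rule for 1.2.3.4 can only match traffic that reaches the origin directly (ping, SSH). The following is an added illustration, not code from this thread or from Cloudflare, of how an application-level block has to evaluate the client address: it honours CF-Connecting-IP / X-Forwarded-For only when the peer is a trusted proxy, because a direct connection can put anything it likes in those headers. The proxy range 198.51.100.0/24 and the other addresses are constructed placeholders; in production the trusted list must be the provider's published ranges.

```python
import ipaddress

# Constructed placeholder for the reverse proxy's egress ranges. In production this
# must be the provider's published list (Cloudflare publishes its IPv4/IPv6 ranges);
# 198.51.100.0/24 is a documentation prefix standing in for those ranges here.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Client addresses to deny: the 1.2.3.4 from the question.
BLOCKED_CLIENTS = {ipaddress.ip_address("1.2.3.4")}


def layer3_source_match(peer_ip: str) -> bool:
    """What an iptables '-s 1.2.3.4' rule can see: only the TCP/IP peer address."""
    return ipaddress.ip_address(peer_ip) in BLOCKED_CLIENTS


def is_trusted_proxy(peer_ip: str) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def effective_client_ip(peer_ip: str, headers: dict):
    """Address a layer-7 block should be evaluated against.

    Forwarded-client headers are honoured only when the peer is a trusted proxy;
    otherwise anyone connecting straight to the origin could spoof them.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted_proxy(peer_ip):
        return peer
    hdrs = {k.lower(): v for k, v in headers.items()}
    raw = hdrs.get("cf-connecting-ip") or hdrs.get("x-forwarded-for", "")
    # X-Forwarded-For may be a comma-separated chain; the left-most entry is the
    # client as reported by the first proxy in the chain.
    first = raw.split(",")[0].strip()
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        return peer  # missing or malformed header: fall back to the peer address


def should_block(peer_ip: str, headers: dict) -> bool:
    """Layer-7 decision, the equivalent of an Apache 'Require not ip' after RemoteIP."""
    return effective_client_ip(peer_ip, headers) in BLOCKED_CLIENTS


if __name__ == "__main__":
    # Proxied request: placeholder edge 198.51.100.10 connects on behalf of 1.2.3.4.
    # The source rule never matches, the application-level block does.
    print(layer3_source_match("198.51.100.10"), should_block("198.51.100.10", {"CF-Connecting-IP": "1.2.3.4"}))
    # Direct SSH/ping from 1.2.3.4 bypasses Cloudflare, so the iptables rule matches.
    print(layer3_source_match("1.2.3.4"))
```

The same trust check is what Apache's mod_remoteip performs when RemoteIPTrustedProxy is set to the proxy ranges; without it, a blocklist keyed on X-Forwarded-For is trivially bypassed.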