
An external IP is connecting to my mailserver VM every second and I just want to block this IP immediately without dropping existing connections.

So I apply a DROP rule. I even reloaded all the iptables rules, but the external IP is still connecting to the mail server.

I used conntrack to stop existing connections.

iptables -F
iptables -X
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward

for IP in <IP_LIST> ; do
  iptables -I INPUT -s $IP -j DROP
  conntrack -D -s $IP
done

# Other rules follow (rules on INPUT are all specified for ports other than the mail ports)

# last rule
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

The result of conntrack -L -s <ATTACKERIP> is

tcp      6 10 TIME_WAIT src=<ATTACKERIP> dst=<MYIP> sport=23305 dport=587 src=10.0.1.109 dst=10.0.0.5 sport=587 dport=23305 [ASSURED] mark=0 use=1

Relevant output from

iptables -L
iptables -L -t nat

is

iptables -t nat -D PREROUTING -i vmbr0 -p tcp -d <MYPUBLICIP> --dport 587 -j DNAT --to 10.0.1.109:587

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  <ATTACKERIP>         anywhere
DNAT       tcp  --  anywhere             <MYDOMAIN>     tcp dpt:submission to:10.0.1.109:587

What else should I do to DROP new connections immediately?

le_top
  • I'm not an iptables expert, but shouldn't you already drop the package at the input table? NAT table seems to be already too late. https://phoenixnap.com/kb/iptables-tutorial-linux-firewall – paladin Mar 15 '23 at 17:56
  • Thank you for the feedback - I am dropping it at the INPUT table. `iptables -I INPUT -s $IP -j DROP` – le_top Mar 15 '23 at 18:42
  • I'm sorry, I was blinded by my stupidity. ^^ – paladin Mar 15 '23 at 21:29
  • No problem, we all go too fast sometimes. The attacker has now gone away, but I am still puzzled. – le_top Mar 15 '23 at 21:30
  • In your other rules `# Other rules follow`, is there any rule which begins with `iptables -I INPUT`? If so, it would help if you would share that rule to us. I'm asking, because that command is always inserting itself on top of the rule chain. This means, the last used insert is the most dominant insert. That also means, that your blacklist should be added at the end of your iptables setup-script and not at the beginning. – paladin Mar 15 '23 at 21:49
  • I added the rule that I have last `iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT` - the other rules on the INPUT are for unrelated ports. I tried to delete the established connections using conntrack and I had the impression from a past experience that this worked to "forget" routes. – le_top Mar 15 '23 at 22:12
  • I'm pretty sure you are not really sure how iptables chains work. I'm asking for the `iptables -I INPUT`, the `-I` stands for `--insert`. If you are using any other `--insert` you need to be really sure that those rules don't conflict with your blacklist. This means, ANY command after, which begins with `iptables -I INPUT` might conflict. It would be best to execute your blacklist commands as the last iptables command, even if you think you are doing everything right. Your blacklist rule commands need to be executed AFTER all other iptables rule commands so they become the first rule in chain. – paladin Mar 15 '23 at 22:28
  • I agree that I do not know everything about iptables, but I understood that I need to add these DROP rules at the end and you clarify that this is because of the --insert. All `iptables -I INPUT` rules are DROP rules. When I added the DROP rule from the CLI, the attacking IP could still connect (and adding it from the CLI is "adding" the blacklist after everything else). – le_top Mar 15 '23 at 23:28

2 Answers

It looks like you're using NAT to forward traffic to your mail server.

Then adding filter rules to the INPUT chain to filter that NAT traffic is not effective, as rules in the INPUT chain only apply to traffic destined for processes running on the same system running the iptables firewall and not the traffic that gets forwarded.

IIRC your rules should be in, for example, the FORWARD chain.

See the diagram below from https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/ for context.

https://stuffphilwrites.com/wp-content/uploads/2014/09/FW-IDS-iptables-Flowchart-v2019-04-30-1.png

HBruijn
  • I have not tested yet, but yes I am natting traffic to the mail server so this explanation makes perfect sense. The Flowchart is great - never seen one before for iptables! So I'll add a rule on the FORWARD chain as well in my for loop. Thanks a lot! – le_top Mar 17 '23 at 15:02
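The following script is an added example, not code from the question or from either answer. It applies the point HBruijn makes: a packet that is DNATed to the mail VM goes nat/PREROUTING -> filter/FORWARD -> POSTROUTING and never visits filter/INPUT, so the block has to be placed in a chain the forwarded packet actually traverses. It also shows the stronger option of dropping in raw/PREROUTING, which runs before both conntrack and the nat table, so the packet can neither be DNATed nor create the conntrack entry the question's RELATED,ESTABLISHED rule would later accept. The `IPT` and `CT` variables and the address 203.0.113.7 (an RFC 5737 documentation address standing in for the attacker) are assumptions made for this example; set `IPT=echo CT=echo` to dry-run the commands without root.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Block an abusive source address on a host that DNATs port 587 to a mail VM.
# The question's rules only touched filter/INPUT; DNATed packets never pass
# through INPUT, so the DROP must sit in a chain those packets do traverse.
#
# Assumptions (hypothetical, not from the page): IPT and CT default to the real
# binaries but can be pointed at "echo" for a dry run; 203.0.113.7 is an
# RFC 5737 documentation address standing in for the attacker.

set -u

IPT="${IPT:-iptables}"
CT="${CT:-conntrack}"

block_ip() {
    ip="$1"

    # raw/PREROUTING runs before conntrack and before nat/PREROUTING, so a
    # DROP here stops every packet from the source (new or established,
    # local or forwarded) before it can be DNATed or create a conntrack entry.
    "$IPT" -t raw -I PREROUTING -s "$ip" -j DROP

    # Belt and braces in the filter table: FORWARD is where DNATed packets to
    # the VM are evaluated; INPUT only sees packets addressed to the firewall
    # host itself. -I puts the rule at the top of each chain, ahead of any
    # RELATED,ESTABLISHED ACCEPT appended later in the setup script.
    "$IPT" -I FORWARD -s "$ip" -j DROP
    "$IPT" -I INPUT -s "$ip" -j DROP

    # Purge existing flows so nothing can match --state ESTABLISHED if the raw
    # rule is ever removed. For an inbound DNATed flow the attacker is the
    # original source, and -s matches the original tuple, as in the question's
    # conntrack -L output (src=<ATTACKERIP> comes first).
    "$CT" -D -s "$ip" 2>/dev/null || true
}

unblock_ip() {
    ip="$1"
    "$IPT" -t raw -D PREROUTING -s "$ip" -j DROP
    "$IPT" -D FORWARD -s "$ip" -j DROP
    "$IPT" -D INPUT -s "$ip" -j DROP
}

# Check: the packet counter on the raw rule climbs while the attacker keeps
# retrying, and the FORWARD counter stays at zero because raw dropped it first.
show_block() {
    "$IPT" -t raw -nvL PREROUTING
    "$IPT" -nvL FORWARD
}

case "${1:-}" in
    block)   block_ip "$2"; show_block ;;
    unblock) unblock_ip "$2" ;;
esac
```

Run as root with `sh block.sh block 203.0.113.7`, or with `IPT=echo CT=echo sh block.sh block 203.0.113.7` to print the rules it would install. If you only want the filter-table fix from the answer, keep the FORWARD and INPUT lines and drop the raw one; the conntrack purge is then what stops the already-seen flow from matching the ESTABLISHED rule.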

when you do an:

iptables -nL INPUT

Are the DROPping rules the first?

Mitya
  • Yes they are the first. – le_top Mar 17 '23 at 15:16
  • It seems that you are forwarding packets to the mailserver, that was not clear I think. In that case, packets do not go into the INPUT chain. You need to DROP the packets in the FORWARD chain. – Mitya Mar 19 '23 at 13:25
  • I am not saying that it was obvious, but I did mention the NAT rule in my question. The iptables flowchart makes things clear. – le_top Mar 19 '23 at 20:07