
Why are blocked IPs getting through my iptables?

Hello and thanks for your consideration...

I have configured iptables and included (below) output from the command "iptables --line-numbers -n -L", yet IP addresses (like 31.41.219.180) from IP blocks I have already blocked are getting through. Please take a look and share any input you may have. Thank you.

P.S. The initial ACCEPT IP addresses are for CloudFlare.


Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    32267   14M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW reject-with tcp-reset
3      149  8570 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
4      434 25606 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     udp  --  *      *       103.21.244.0/22      0.0.0.0/0
6        0     0 ACCEPT     udp  --  *      *       103.22.200.0/22      0.0.0.0/0
7        0     0 ACCEPT     udp  --  *      *       103.31.4.0/22        0.0.0.0/0
8        0     0 ACCEPT     udp  --  *      *       104.16.0.0/12        0.0.0.0/0
9        0     0 ACCEPT     udp  --  *      *       108.162.192.0/18     0.0.0.0/0
10       0     0 ACCEPT     udp  --  *      *       141.101.64.0/18      0.0.0.0/0
11       0     0 ACCEPT     udp  --  *      *       162.158.0.0/15       0.0.0.0/0
12       0     0 ACCEPT     udp  --  *      *       173.245.48.0/20      0.0.0.0/0
13       0     0 ACCEPT     udp  --  *      *       188.114.96.0/20      0.0.0.0/0
14       0     0 ACCEPT     udp  --  *      *       190.93.240.0/20      0.0.0.0/0
15       0     0 ACCEPT     udp  --  *      *       197.234.240.0/22     0.0.0.0/0
16       0     0 ACCEPT     udp  --  *      *       198.41.128.0/17      0.0.0.0/0
17       0     0 ACCEPT     udp  --  *      *       199.27.128.0/21      0.0.0.0/0
18       0     0 ACCEPT     tcp  --  *      *       103.21.244.0/22      0.0.0.0/0
19       9   468 ACCEPT     tcp  --  *      *       103.22.200.0/22      0.0.0.0/0
20       0     0 ACCEPT     tcp  --  *      *       103.31.4.0/22        0.0.0.0/0
21       0     0 ACCEPT     tcp  --  *      *       104.16.0.0/12        0.0.0.0/0
22     858 44616 ACCEPT     tcp  --  *      *       108.162.192.0/18     0.0.0.0/0
23     376 19552 ACCEPT     tcp  --  *      *       141.101.64.0/18      0.0.0.0/0
24       0     0 ACCEPT     tcp  --  *      *       162.158.0.0/15       0.0.0.0/0
25     257 13364 ACCEPT     tcp  --  *      *       173.245.48.0/20      0.0.0.0/0
26       0     0 ACCEPT     tcp  --  *      *       188.114.96.0/20      0.0.0.0/0
27       0     0 ACCEPT     tcp  --  *      *       190.93.240.0/20      0.0.0.0/0
28       0     0 ACCEPT     tcp  --  *      *       197.234.240.0/22     0.0.0.0/0
29       0     0 ACCEPT     tcp  --  *      *       198.41.128.0/17      0.0.0.0/0
30      92  4784 ACCEPT     tcp  --  *      *       199.27.128.0/21      0.0.0.0/0
31       0     0 DROP       tcp  --  *      *       1.0.0.0/8            0.0.0.0/0           tcp dpts:1:50000
32       0     0 DROP       tcp  --  *      *       101.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
33       0     0 DROP       tcp  --  *      *       102.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
34       0     0 DROP       tcp  --  *      *       103.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
35      18  1080 DROP       tcp  --  *      *       109.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
36       0     0 DROP       tcp  --  *      *       112.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
37      12   656 DROP       tcp  --  *      *       113.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
38       0     0 DROP       tcp  --  *      *       114.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
39       0     0 DROP       tcp  --  *      *       115.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
40       8   352 DROP       tcp  --  *      *       116.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
41       0     0 DROP       tcp  --  *      *       117.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
42       0     0 DROP       tcp  --  *      *       118.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
43       2   120 DROP       tcp  --  *      *       119.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
44       0     0 DROP       tcp  --  *      *       120.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
45       0     0 DROP       tcp  --  *      *       121.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
46       4   160 DROP       tcp  --  *      *       122.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
47       4   240 DROP       tcp  --  *      *       123.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
48       0     0 DROP       tcp  --  *      *       125.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
49       0     0 DROP       tcp  --  *      *       134.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
50       0     0 DROP       tcp  --  *      *       146.185.0.0/16       0.0.0.0/0           tcp dpts:1:50000
51       6   360 DROP       tcp  --  *      *       148.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
52       0     0 DROP       tcp  --  *      *       151.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
53       0     0 DROP       tcp  --  *      *       175.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
54       0     0 DROP       tcp  --  *      *       176.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
55       0     0 DROP       tcp  --  *      *       177.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
56      46  2696 DROP       tcp  --  *      *       178.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
57       0     0 DROP       tcp  --  *      *       179.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
58       4   224 DROP       tcp  --  *      *       180.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
59       0     0 DROP       tcp  --  *      *       181.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
60       0     0 DROP       tcp  --  *      *       182.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
61      34  2040 DROP       tcp  --  *      *       183.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
62       0     0 DROP       tcp  --  *      *       185.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
63       0     0 DROP       tcp  --  *      *       186.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
64       0     0 DROP       tcp  --  *      *       187.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
65      18   912 DROP       tcp  --  *      *       188.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
66       0     0 DROP       tcp  --  *      *       189.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
67       0     0 DROP       tcp  --  *      *       190.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
68       2   120 DROP       tcp  --  *      *       192.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
69       0     0 DROP       tcp  --  *      *       196.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
70       0     0 DROP       tcp  --  *      *       197.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
71       5   300 DROP       tcp  --  *      *       198.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
72       0     0 DROP       tcp  --  *      *       2.0.0.0/8            0.0.0.0/0           tcp dpts:1:50000
73       0     0 DROP       tcp  --  *      *       200.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
74       0     0 DROP       tcp  --  *      *       201.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
75       6   360 DROP       tcp  --  *      *       202.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
76       0     0 DROP       tcp  --  *      *       203.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
77       4   160 DROP       tcp  --  *      *       210.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
78       0     0 DROP       tcp  --  *      *       211.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
79       2    96 DROP       tcp  --  *      *       212.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
80       4   240 DROP       tcp  --  *      *       213.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
81       0     0 DROP       tcp  --  *      *       214.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
82       0     0 DROP       tcp  --  *      *       215.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
83       0     0 DROP       tcp  --  *      *       216.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
84       0     0 DROP       tcp  --  *      *       217.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
85       4   172 DROP       tcp  --  *      *       218.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
86      12   576 DROP       tcp  --  *      *       219.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
87       7   372 DROP       tcp  --  *      *       220.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
88       0     0 DROP       tcp  --  *      *       222.0.0.0/8          0.0.0.0/0           tcp dpts:1:50000
89       0     0 DROP       tcp  --  *      *       27.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
90      12   608 DROP       tcp  --  *      *       31.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
91      11   528 DROP       tcp  --  *      *       37.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
92       0     0 DROP       tcp  --  *      *       41.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
93       0     0 DROP       tcp  --  *      *       42.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
94       0     0 DROP       tcp  --  *      *       43.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
95       8   480 DROP       tcp  --  *      *       46.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
96       0     0 DROP       tcp  --  *      *       49.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
97       6   360 DROP       tcp  --  *      *       5.0.0.0/8            0.0.0.0/0           tcp dpts:1:50000
98       0     0 DROP       tcp  --  *      *       58.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
99       0     0 DROP       tcp  --  *      *       60.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
100      4   160 DROP       tcp  --  *      *       61.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
101     32  1848 DROP       tcp  --  *      *       62.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
102      0     0 DROP       tcp  --  *      *       63.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
103     20  1200 DROP       tcp  --  *      *       64.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
104      0     0 DROP       tcp  --  *      *       65.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
105    266 15960 DROP       tcp  --  *      *       66.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
106      3   180 DROP       tcp  --  *      *       69.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
107      5   272 DROP       tcp  --  *      *       72.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
108      0     0 DROP       tcp  --  *      *       78.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
109      0     0 DROP       tcp  --  *      *       81.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
110      3   180 DROP       tcp  --  *      *       82.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
111      0     0 DROP       tcp  --  *      *       83.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
112      8   384 DROP       tcp  --  *      *       84.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
113      0     0 DROP       tcp  --  *      *       85.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
114      0     0 DROP       tcp  --  *      *       86.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
115      6   360 DROP       tcp  --  *      *       87.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
116      7   408 DROP       tcp  --  *      *       88.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
117      0     0 DROP       tcp  --  *      *       89.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
118      0     0 DROP       tcp  --  *      *       90.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
119      0     0 DROP       tcp  --  *      *       91.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
120      3   152 DROP       tcp  --  *      *       92.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
121     20   992 DROP       tcp  --  *      *       93.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
122      9   512 DROP       tcp  --  *      *       94.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
123      5   272 DROP       tcp  --  *      *       95.0.0.0/8           0.0.0.0/0           tcp dpts:1:50000
124      0     0 DROP       udp  --  *      *       1.0.0.0/8            0.0.0.0/0           udp dpts:1:50000
125      0     0 DROP       udp  --  *      *       101.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
126      0     0 DROP       udp  --  *      *       102.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
127      0     0 DROP       udp  --  *      *       103.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
128      0     0 DROP       udp  --  *      *       109.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
129      0     0 DROP       udp  --  *      *       112.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
130      0     0 DROP       udp  --  *      *       113.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
131      0     0 DROP       udp  --  *      *       114.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
132      1   112 DROP       udp  --  *      *       115.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
133      0     0 DROP       udp  --  *      *       116.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
134      0     0 DROP       udp  --  *      *       117.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
135      0     0 DROP       udp  --  *      *       118.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
136      0     0 DROP       udp  --  *      *       119.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
137      0     0 DROP       udp  --  *      *       120.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
138      0     0 DROP       udp  --  *      *       121.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
139      0     0 DROP       udp  --  *      *       122.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
140      0     0 DROP       udp  --  *      *       123.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
141      0     0 DROP       udp  --  *      *       125.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
142      0     0 DROP       udp  --  *      *       134.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
143      0     0 DROP       udp  --  *      *       146.185.0.0/16       0.0.0.0/0           udp dpts:1:50000
144      0     0 DROP       udp  --  *      *       148.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
145      0     0 DROP       udp  --  *      *       151.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
146      0     0 DROP       udp  --  *      *       175.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
147      0     0 DROP       udp  --  *      *       176.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
148      1    70 DROP       udp  --  *      *       177.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
149      0     0 DROP       udp  --  *      *       178.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
150      0     0 DROP       udp  --  *      *       179.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
151      0     0 DROP       udp  --  *      *       180.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
152      0     0 DROP       udp  --  *      *       181.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
153      0     0 DROP       udp  --  *      *       182.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
154      0     0 DROP       udp  --  *      *       183.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
155      0     0 DROP       udp  --  *      *       185.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
156      1    74 DROP       udp  --  *      *       186.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
157      0     0 DROP       udp  --  *      *       187.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
158      0     0 DROP       udp  --  *      *       188.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
159      0     0 DROP       udp  --  *      *       189.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
160      0     0 DROP       udp  --  *      *       190.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
161      0     0 DROP       udp  --  *      *       192.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
162      0     0 DROP       udp  --  *      *       196.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
163      0     0 DROP       udp  --  *      *       197.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
164      0     0 DROP       udp  --  *      *       198.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
165      0     0 DROP       udp  --  *      *       2.0.0.0/8            0.0.0.0/0           udp dpts:1:50000
166      0     0 DROP       udp  --  *      *       200.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
167      0     0 DROP       udp  --  *      *       201.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
168      0     0 DROP       udp  --  *      *       202.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
169      0     0 DROP       udp  --  *      *       203.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
170      0     0 DROP       udp  --  *      *       210.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
171      0     0 DROP       udp  --  *      *       211.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
172      0     0 DROP       udp  --  *      *       212.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
173      0     0 DROP       udp  --  *      *       213.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
174      0     0 DROP       udp  --  *      *       214.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
175      0     0 DROP       udp  --  *      *       215.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
176      0     0 DROP       udp  --  *      *       216.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
177      0     0 DROP       udp  --  *      *       217.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
178      1    80 DROP       udp  --  *      *       218.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
179      0     0 DROP       udp  --  *      *       219.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
180      0     0 DROP       udp  --  *      *       220.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
181      0     0 DROP       udp  --  *      *       222.0.0.0/8          0.0.0.0/0           udp dpts:1:50000
182      0     0 DROP       udp  --  *      *       27.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
183      0     0 DROP       udp  --  *      *       31.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
184      0     0 DROP       udp  --  *      *       37.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
185      0     0 DROP       udp  --  *      *       41.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
186      0     0 DROP       udp  --  *      *       42.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
187      0     0 DROP       udp  --  *      *       43.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
188      0     0 DROP       udp  --  *      *       46.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
189      0     0 DROP       udp  --  *      *       49.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
190      0     0 DROP       udp  --  *      *       5.0.0.0/8            0.0.0.0/0           udp dpts:1:50000
191      0     0 DROP       udp  --  *      *       58.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
192      0     0 DROP       udp  --  *      *       60.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
193      0     0 DROP       udp  --  *      *       61.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
194      0     0 DROP       udp  --  *      *       62.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
195      0     0 DROP       udp  --  *      *       63.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
196      0     0 DROP       udp  --  *      *       64.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
197      0     0 DROP       udp  --  *      *       65.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
198      0     0 DROP       udp  --  *      *       66.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
199      0     0 DROP       udp  --  *      *       69.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
200      0     0 DROP       udp  --  *      *       72.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
201      0     0 DROP       udp  --  *      *       78.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
202      0     0 DROP       udp  --  *      *       81.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
203      0     0 DROP       udp  --  *      *       82.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
204      0     0 DROP       udp  --  *      *       83.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
205      0     0 DROP       udp  --  *      *       84.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
206      0     0 DROP       udp  --  *      *       85.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
207      0     0 DROP       udp  --  *      *       86.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
208      0     0 DROP       udp  --  *      *       87.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
209      0     0 DROP       udp  --  *      *       88.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
210      0     0 DROP       udp  --  *      *       89.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
211      0     0 DROP       udp  --  *      *       90.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
212      0     0 DROP       udp  --  *      *       91.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
213      0     0 DROP       udp  --  *      *       92.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
214      2    72 DROP       udp  --  *      *       93.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
215      0     0 DROP       udp  --  *      *       94.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
216      0     0 DROP       udp  --  *      *       95.0.0.0/8           0.0.0.0/0           udp dpts:1:50000
217      0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12443
218      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:11443
219      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:11444
220     23  1104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8447
221     24  1152 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8443
222      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8880
223    207 11096 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
224     19   996 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
225      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
226      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
227      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:587
228      4   216 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
229      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465
230     14   840 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
231      2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:995
232      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
233      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993
234      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:106
235      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
236      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5432
237      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9008
238      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9080
239      0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
240      0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
241      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
242      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
243      0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194
244      0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
245      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
246     73  4488 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 code 0
247     77 23598 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW reject-with tcp-reset
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
4        0     0 ACCEPT     all  --  lo     lo      0.0.0.0/0            0.0.0.0/0
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    31004   25M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        1   333 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW reject-with tcp-reset
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
4      434 25606 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
5      328 21324 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0




  • When troubleshooting a problem with rule ordering, it's a good idea to use the `-v` option to show the packet counters. In this case you would have seen an extremely high counter on chain number 4. – Andrew B May 31 '14 at 04:28
  • Why do you have a gazillion `DROP` input rules when the INPUT chain *policy* is `DROP`? – user May 31 '14 at 11:18
  • If I'm not mistaken, the rules are applied in the order they appear and the INPUT chain policy is the last rule to be applied - which is *after* Plesk already accepts everything from line 218 to 245. My understanding is that after the "state" rules (RELATED, ESTABLISHED, INVALID, etc.) you want to configure specific IP address accepts, specific IP address drops, specific port accepts for everyone, and then drop whatever is left. Please explain my error. – NeedSomeHelp May 31 '14 at 11:39

3 Answers


Chain number 4 is allowing all packets from all sources.

Andrew
  • When I read your answer I said "of course!" out loud... but in the end it seems to not have made the difference. I ran the command "iptables -D INPUT 4" to get rid of it, and a quick "/sbin/service iptables save" before running "service httpd restart", and I had visitors from several of the "blocked" class A networks. – NeedSomeHelp May 31 '14 at 04:43
  • @NeedSomeHelp In that case, please update your original post to include the output with the `-v` option. – Andrew B May 31 '14 at 06:13
  • Okay, I generated and ran a new script using the interface in Plesk - which basically gives you a way to create rules and then automatically generates a script that you can review before you tell it to apply the configuration (at which time it runs the script). The script simply runs commands to enter the IPs into iptables. The above output was modified as per your (Andrew) request and reflects the new output from running the command "iptables --line-numbers -n -L -v". It seems to be in the same order that they were arranged in Plesk (see http://easycaptures.com/fs/uploaded/751/3170049599.jpg). – NeedSomeHelp May 31 '14 at 07:23
  • PS. I also noticed that with the -v switch you can see rule 4 was addressing the lo interface and that's why it made no difference on outside traffic when I deleted it --- but it does make you wonder why there was no noticeable change in the way it ran without it. Also, this output was from a very short (minutes) time period. – NeedSomeHelp May 31 '14 at 07:32
  • No, rule (not chain) number 4 is not allowing everything through; that one is interface-limited to the loopback interface, so unless 31.41.219.180 is on the local host this is not the problem. – user May 31 '14 at 11:16
  • Are you sure that the 31.41.219.180 IP address wasn't already in the conntrack table? Since you're allowing ESTABLISHED connections, the iptables rules won't disallow current connections, only NEW ones. You should be able to check by grepping /proc/net/ip_conntrack or using something like conntrack-tools. – Andrew May 31 '14 at 20:12
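The three points raised in these comments (first match wins, rule 4 only matches the loopback interface, an ESTABLISHED flow is accepted by rule 1 before any DROP is reached) can be checked by walking a packet through the chain. The following simulator is an added example, not code from the question or any answer; `Rule`, `Packet` and `walk` are names chosen here, and the chain is a constructed excerpt of the INPUT listing above with the original rule numbers kept.

```python
"""Walk a packet through an iptables INPUT chain the way netfilter does:
the first matching rule decides, and the chain policy applies only when no
rule matched.  Constructed excerpt of the chain from the question."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    num: int                        # rule number as shown by --line-numbers
    target: str                     # ACCEPT / DROP / REJECT
    proto: str = "all"              # all, tcp, udp, icmp
    in_if: str = "*"                # input interface, '*' means any
    src: str = "0.0.0.0/0"          # source network
    dports: Optional[range] = None  # destination port range, None = any port
    states: Optional[set] = None    # conntrack states, None = any state


@dataclass
class Packet:
    src: str
    proto: str
    dport: Optional[int] = None
    in_if: str = "eth0"
    state: str = "NEW"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every match criterion of the rule fits the packet."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.in_if != "*" and rule.in_if != pkt.in_if:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dports is not None and (pkt.dport is None or pkt.dport not in rule.dports):
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def walk(chain, policy: str, pkt: Packet):
    """Return (verdict, rule number); rule number is None when the policy decided."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target, rule.num
    return policy, None


# Constructed excerpt of the question's INPUT chain, listing order preserved.
INPUT = [
    Rule(1, "ACCEPT", states={"RELATED", "ESTABLISHED"}),
    Rule(3, "DROP", states={"INVALID"}),
    Rule(4, "ACCEPT", in_if="lo"),                                   # loopback only
    Rule(18, "ACCEPT", proto="tcp", src="103.21.244.0/22"),          # CloudFlare range
    Rule(34, "DROP", proto="tcp", src="103.0.0.0/8", dports=range(1, 50001)),
    Rule(90, "DROP", proto="tcp", src="31.0.0.0/8", dports=range(1, 50001)),
    Rule(226, "ACCEPT", proto="tcp", dports=range(22, 23)),          # ssh for everyone
    Rule(244, "ACCEPT", proto="udp", dports=range(53, 54)),          # dns for everyone
]
POLICY = "DROP"

if __name__ == "__main__":
    for pkt in (Packet("31.41.219.180", "tcp", 22),
                Packet("31.41.219.180", "tcp", 22, state="ESTABLISHED"),
                Packet("31.41.219.180", "tcp", 22, in_if="lo"),
                Packet("31.41.219.180", "tcp", 60000),
                Packet("103.21.244.5", "tcp", 22)):
        verdict, num = walk(INPUT, POLICY, pkt)
        where = f"rule {num}" if num is not None else "chain policy"
        print(f"{pkt.src:>15} {pkt.proto}/{pkt.dport:<5} {pkt.state:<11} "
              f"in={pkt.in_if:<4} -> {verdict} ({where})")
```

A NEW SSH attempt from 31.41.219.180 does reach rule 90 and is dropped; the same address already in the conntrack table is accepted by rule 1, and a port above 50000 is outside every rule and falls to the chain policy.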

You can use IPTABLES to DROP everything except what you want allowed for both INPUT and OUTPUT. It makes for a lot cleaner read.

Here's an example of port 22 being open only.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
ggstevens
  • Would that Output rule also block the first packet being sent back? – canadmos May 31 '14 at 02:50
  • Well, how would that help me in blocking entire class A address blocks - which is what I am attempting to do. This output is the result of a Plesk script that I moved to after managing them from the command line became tedious - which didn't take long. The only difference is that Plesk asks for "tcp or udp" and wanted ports supplied - which is why you see the "dpts:1:50000" included. – NeedSomeHelp May 31 '14 at 02:53
0

P.S. The initial ACCEPT IP addresses are for CloudFlare.

If requests are coming via cloudflare - they are from one of cloudflare's IP addresses.

Not possible with IP tables

With IP tables it's only possible to allow or deny all traffic from a given IP (and port-range). I.e. all traffic from cloudflare (or direct access but that's not the question), or none of it - it's an all or nothing switch. IP tables isn't going to do inspection to see if there's an X-Forwarded-For header or equivalent.

As shown in the question, Cloudflare's IP ranges already all have accept rules.

Handle a level lower

Handling whether to respond to requests needs to be done a level lower.

Using http requests and nginx as a vehicle to explain, by:

  • installing the realip module (so that the webserver config and logs use the end-client's IP address)

  • then using standard allow/deny rules:

     deny 31.41.219.180;
     ...

AD7six
  • 2,920
  • 2
  • 21
  • 23
  • So... basically, you're suggesting that these addresses are coming through the CloudFlare IPs that are being accepted? I thought this was addressed when I installed mod_cloudflare Not so? And besides, CloudFlare should not prevent iptables from blocking these addresses from ssh - where I also see "blocked" IPs trying to log in. – NeedSomeHelp May 31 '14 at 09:25
  • mod_cloudflare modifies your apache config in the same way as the realip module I used as an example - it doesn't change the ip address the server talks to (cloudflare's). Alternatively look at it this way: cloudflare -> yourserver -> (IP tables -> apache -> web app): you've modified the apache config which is INSIDE yourserver. IP tables is a first-line defence - it runs before it passes anything to apache. – AD7six May 31 '14 at 09:27
  • I think you have a fundamental misunderstanding about what cloudflare is doing. Any request to example.com will use the dns records you've put on your cloudflare account - if it's got the orange cloud that means all requests to example.com come from _their IP addresses_. For ssh access I recommend you restrict access to e.g. your own IP and connect to the server _by IP address_ blocking all other IP addresses, (including cloudflare's). Depends what you're doing though (which isn't in the question). – AD7six May 31 '14 at 09:29
  • It is well within the realm of possibility that I have a fundamental misunderstanding about many things (including CloudFlare), and your single-IP-address-for-ssh idea may be a good one for many, but I log on from several locations and deal with this by allowing only public/private key pair authentication. You are suggesting alternative ways to do things that don't apply. What I am trying to do is block entire blocks of IP addresses from doing ANYTHING on my server. So the question is, "Should iptables be blocking those addresses from all services (ports 1-50000), and if so why isn't it?" – NeedSomeHelp May 31 '14 at 10:02
  • "No, because the ip your rules see is the ip of cloudflare" – AD7six May 31 '14 at 10:16
  • Okay, for convenience let's agree on that. But let's also consider this: The entire 109.0.0.0 class A block is dropped in iptables (shown in output above), yet I have pages in the secure log where 109.73.51.85 is trying to access ssh (repeatedly getting booted for not having a private key). So how is CloudFlare letting those connections through? Using CloudFlare's "Threat Control", I have now blocked the 109.73.0.0/16 IP block. (They don't allow blocking an entire class A.) Yet I still have attempts to get into ssh from that same IP - which shouldn't be. I'll have to mull this over some more. – NeedSomeHelp May 31 '14 at 11:19
  • Good input though and valid consideration regarding CloudFlare (Thanks!); I just don't think it is the (entire?) problem. – NeedSomeHelp May 31 '14 at 11:21
  • You need to add logs/details for specific access to get more specific answers. I gambled you were referring to http access - but you're using ssh and http as examples. It makes all the difference if access is direct or proxied via cloudflare's servers. For proxied (http) traffic this answer is applicable; for direct access @andrew's is relevant (checking rules for end-client ip addresses). It's not clear what logs you are looking at, but you'll need to account for both. – AD7six May 31 '14 at 11:35
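The realip approach in this answer comes down to one decision: believe X-Forwarded-For only when the TCP peer is a proxy you trust, then apply the allow/deny list to the address recovered from it. The following Python is an added example for this thread, not nginx code and not part of the answer; it models what `set_real_ip_from`, `real_ip_header X-Forwarded-For` and `real_ip_recursive on` do together (walk the header right to left, skipping addresses that are themselves trusted proxies). The trusted ranges are the Cloudflare ranges from the question, the deny list uses 31.41.219.180 and 109.73.0.0/16 from the thread, and the request samples are constructed.

```python
"""Trusted-proxy client-address resolution in the spirit of nginx's realip module.

Added example for this thread, not nginx code. Only a peer inside a trusted proxy
range may supply X-Forwarded-For; for a direct connection the header is ignored,
because anyone can send that header. The access decision then runs on the
recovered client address, which is the check iptables cannot perform.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Trusted proxies: the Cloudflare ranges from the question's ACCEPT rules
TRUSTED_PROXIES = [ip_network(c) for c in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "141.101.64.0/18", "162.158.0.0/15", "173.245.48.0/20",
    "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17")]

# Deny list taken from the thread (the nginx `deny` line and the /16 mentioned in comments)
DENY = [ip_network("31.41.219.180/32"), ip_network("109.73.0.0/16")]


def is_trusted(addr: str, trusted: List = TRUSTED_PROXIES) -> bool:
    """True if addr lies inside one of the trusted proxy ranges (raises ValueError if malformed)."""
    ip = ip_address(addr)
    return any(ip in net for net in trusted)


def real_client_ip(peer: str, headers: Dict[str, str], trusted: List = TRUSTED_PROXIES) -> str:
    """Address the access rules should see: the peer, or the client recovered from X-Forwarded-For."""
    if not is_trusted(peer, trusted):
        return peer   # direct connection: a forged X-Forwarded-For must not be believed
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    # Recursive search: right to left, skipping hops that are themselves trusted proxies
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            break   # malformed address in the header: stop trusting it, fall back to the peer
    return peer     # header absent, malformed, or containing nothing but proxies


def access_decision(peer: str, headers: Dict[str, str]) -> str:
    """'deny' if the recovered client address is on the deny list, else 'allow'."""
    client = ip_address(real_client_ip(peer, headers))
    return "deny" if any(client in net for net in DENY) else "allow"


# Constructed request samples: (TCP peer address, request headers)
SAMPLES = {
    # Blocked visitor proxied through Cloudflare: the peer is Cloudflare, the header names the client
    "proxied_blocked": ("162.158.10.10", {"X-Forwarded-For": "31.41.219.180"}),
    "proxied_allowed": ("162.158.10.10", {"X-Forwarded-For": "198.51.100.20"}),
    # Two proxy hops: the right-most entry is a Cloudflare address, so the recursive search skips it
    "proxied_two_hops": ("162.158.10.10", {"X-Forwarded-For": "109.73.51.85, 141.101.70.5"}),
    # Direct connection carrying a forged header: the header is ignored and the peer is judged
    "direct_forged_header": ("109.73.51.85", {"X-Forwarded-For": "198.51.100.20"}),
    "direct_clean": ("198.51.100.20", {}),
}


def run_samples() -> Dict[str, str]:
    """Access decision for every constructed sample."""
    return {name: access_decision(peer, hdrs) for name, (peer, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:22s} -> {decision}")
```

The "direct_forged_header" sample is why the trusted-range check has to come first: with it, a host that connects directly and claims a harmless X-Forwarded-For is still judged by its own address, which is also the address iptables saw. The "proxied_two_hops" sample shows why the walk is right to left and skips proxies rather than simply taking the first entry.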