
On my Linux server, I want to ban IPs that access certain ports for 24 hours using IPtables. For this, I use the following IPtables rules:

# Check if IP is on banlist, if yes then drop
-A INPUT -m state --state NEW -j bancheck
-A bancheck -m recent --name blacklist   --rcheck --reap   --seconds 86400     -j LOG --log-prefix "IPT blacklist_ban: "
-A bancheck -m recent --name blacklist   --rcheck --reap   --seconds 86400     -j DROP

# PUT IPs on banlist
-A banlist -m recent --set --name blacklist -j LOG --log-prefix "IPT add_IP_to_blacklist: "
-A banlist -j DROP

# Ban access to these ports
-A INPUT -p tcp -m multiport --dports 23,25,445,1433,2323,3389,4899,5900   -j LOG --log-prefix "IPT syn_naughty_ports: "
-A INPUT -p tcp -m multiport --dports 23,25,445,1433,2323,3389,4899,5900   -j banlist

In the logs, I can verify that this works:

Mar 13 02:12:23 kernel: [39534099.648488] IPT syn_naughty_ports: IN=eth0 OUT= MAC=... SRC=218.189.140.2 DST=... LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=29768 DF PROTO=TCP SPT=65315 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar 13 02:12:23 kernel: [39534099.648519] IPT add_IP_to_blacklist: IN=eth0 OUT= MAC=... SRC=218.189.140.2 DST=...4 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=29768 DF PROTO=TCP SPT=65315 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar 13 02:12:26 kernel: [39534102.664136] IPT blacklist_ban: IN=eth0 OUT= MAC=... SRC=218.189.140.2 DST=... LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=4724 DF PROTO=TCP SPT=65315 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar 13 02:12:32 kernel: [39534108.666602] IPT blacklist_ban: IN=eth0 OUT= MAC=... SRC=218.189.140.2 DST=... LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=20826 DF PROTO=TCP SPT=65315 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0 

But then the logs also show that just over 2 hours later, the same IP again accesses my system. Rather than being blocked right at the beginning through the chain "bancheck", the IP can access the port, which results in it being put on the "banlist" again (destination port in both cases was the same port 25).

Mar 13 04:35:59 kernel: [39542718.875859] IPT syn_naughty_ports: IN=eth0 OUT= MAC=... SRC=218.189.140.2 DST=... LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=4533 DF PROTO=TCP SPT=57719 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar 13 04:35:59 kernel: [39542718.875890] IPT add_IP_to_blacklist: IN=eth0 OUT= MAC=... SRC=218.189.140.2 DST=... LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=4533 DF PROTO=TCP SPT=57719 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar 13 04:36:02 kernel: [39542721.880524] IPT blacklist_ban: IN=eth0 OUT= MAC=... DST=... LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=12505 DF PROTO=TCP SPT=57719 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar 13 04:36:08 kernel: [39542727.882973] IPT blacklist_ban: IN=eth0 OUT= MAC=... SRC=218.189.140.2 DST=... LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=29092 DF PROTO=TCP SPT=57719 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0 

But if I understand the IPtables rules right, it should be blocked within the first few lines, as long as it is within the 24 hours, and not be able to get down that far in the IPtables rule set where it is again being found to violate the ports rule, and again put on the "banlist".

Am I doing something wrong, or do I misunderstand the way the rules work?

azren
  • Is it possible that the IP had other connections going to ports that are not on the ban list prior? In that case it will have RELATED/ESTABLISHED state(s), so the NEW state rule won't match. – Serguei Oct 16 '22 at 17:56

1 Answer


I have never tried using the recent module; however, I had a look at the man page for it (iptables-extensions(8)), and there are some additional parameters with defaults to consider:

The module itself accepts parameters, defaults shown:

   ip_list_tot=100
          Number of addresses remembered per table.
   ip_pkt_list_tot=20
          Number of packets per address remembered.
   ip_list_hash_size=0
          Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.

So the list of banned addresses is not unlimited (which is a good thing).

So...

  • Did you have many IPs being added to the banlist (i.e. over 100), or was it just the one bad actor?
  • Did anything else cause your iptables to be flushed and rebuilt?
  • Is it possible that they are running port scans, causing one of the other buffers in the options to lose the earlier records? (I think it's supposed to be storing just the source IP, but not entirely sure.)
Vagnerr
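As an added diagnostic (not part of the question or the answer), the following Python script correlates the kernel log lines by SRC: it flags any address that was put on the blacklist again less than 86400 seconds after its previous add (the symptom described in the question) and counts how many distinct sources were ever added, for comparison against the ip_list_tot=100 default the answer points to. The sample log lines are constructed from the question's output, shortened, with one extra made-up source (198.51.100.7) added.

```python
import re

BAN_SECONDS = 86400     # --seconds 86400 from the question's bancheck rules
IP_LIST_TOT = 100       # xt_recent default ip_list_tot quoted in the answer

# Constructed sample, shortened from the kernel log lines in the question.
SAMPLE_LOG = """\
Mar 13 02:12:23 kernel: [39534099.648488] IPT syn_naughty_ports: IN=eth0 OUT= SRC=218.189.140.2 DST=... PROTO=TCP DPT=25 SYN
Mar 13 02:12:23 kernel: [39534099.648519] IPT add_IP_to_blacklist: IN=eth0 OUT= SRC=218.189.140.2 DST=... PROTO=TCP DPT=25 SYN
Mar 13 02:12:26 kernel: [39534102.664136] IPT blacklist_ban: IN=eth0 OUT= SRC=218.189.140.2 DST=... PROTO=TCP DPT=25 SYN
Mar 13 03:01:10 kernel: [39537000.000000] IPT add_IP_to_blacklist: IN=eth0 OUT= SRC=198.51.100.7 DST=... PROTO=TCP DPT=23 SYN
Mar 13 04:35:59 kernel: [39542718.875859] IPT syn_naughty_ports: IN=eth0 OUT= SRC=218.189.140.2 DST=... PROTO=TCP DPT=25 SYN
Mar 13 04:35:59 kernel: [39542718.875890] IPT add_IP_to_blacklist: IN=eth0 OUT= SRC=218.189.140.2 DST=... PROTO=TCP DPT=25 SYN
""".splitlines()

# Kernel uptime in brackets is monotonic, so it is used instead of the syslog timestamp.
LINE_RE = re.compile(r"\[\s*(?P<uptime>\d+\.\d+)\] IPT (?P<prefix>\w+): .*?\bSRC=(?P<src>[\d.]+)")

def parse_events(lines):
    """Yield (uptime seconds, log prefix, source IP) for every IPT log line with a SRC field."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield float(m.group("uptime")), m.group("prefix"), m.group("src")

def find_premature_readds(lines, ban_seconds=BAN_SECONDS):
    """IPs added to the blacklist again before their previous ban could have expired.
    Returns [(src, previous_add, this_add, gap_seconds), ...]; an empty list means
    bancheck caught every repeat within the window."""
    last_add, anomalies = {}, []
    for t, prefix, src in parse_events(lines):
        if prefix != "add_IP_to_blacklist":
            continue
        prev = last_add.get(src)
        if prev is not None and t - prev < ban_seconds:
            anomalies.append((src, prev, t, t - prev))
        last_add[src] = t
    return anomalies

def banned_sources(lines):
    """Distinct source IPs ever added to the blacklist; compare len() with ip_list_tot."""
    return {src for _, prefix, src in parse_events(lines) if prefix == "add_IP_to_blacklist"}

if __name__ == "__main__":
    for src, prev, now, gap in find_premature_readds(SAMPLE_LOG):
        print(f"{src} re-added after {gap:.0f}s (< {BAN_SECONDS}s): bancheck did not match it")
    n = len(banned_sources(SAMPLE_LOG))
    print(f"{n} distinct sources banned; xt_recent table limit ip_list_tot={IP_LIST_TOT}")
```

Run it over the real log (e.g. `grep 'IPT ' /var/log/kern.log`) instead of SAMPLE_LOG; if the distinct-source count approaches 100 the answer's table-size explanation becomes likely, otherwise look for a rule flush between the two add events.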