Good day. In general, I try to block several IP spammers so that they do not go to the site and server. To check that everything works, I also added my own IP. As a result, after saving with the service iptables save command and rebooting the server, I can still access the site as well as login to the server via ssh.
Here's what the /etc/sysconfig/iptables file looks like:
# Generated by iptables-save v1.4.21 on Thu Dec 8 18:42:17 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [41131:31130358]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 31915 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51915 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 46.161.9.8/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 185.121.190.12/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 41.57.116.0/24 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 41.57.117.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Dec 8 18:42:17 2016

The systemctl status iptables command reports that iptables is up and running:
# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2016-12-08 18:38:34 CET; 4min 6s ago
  Process: 764 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 764 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/iptables.service

But here is the output of the command iptables -vnL:
# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
95808   10M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    32 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  116 11037 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
50006 3899K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
   46  2740 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
11343  649K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:31915
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:51915
  495 26375 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 REJECT     all  --  *      *       46.161.9.8           0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       185.121.190.12       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       41.57.116.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       41.57.117.0/24       0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 156K packets, 116M bytes)
 pkts bytes target     prot opt in     out     source               destination

However, my IP is not blocked. Please tell me what the reason could be.

CentOS Linux release 7.1.1503 (Core) server, working as root.
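Added example, not part of the post: a small Python first-match simulator of the INPUT chain shown above. It shows that a new connection from one of the listed sources to port 80 or 31915 hits an ACCEPT rule (and anything else hits the catch-all REJECT) before the per-source REJECT rules are ever evaluated, and how the verdict changes when those rules sit at the head of the chain, which is what iptables -I INPUT 1 would produce. The sample packets, the interface name eth0 and the assumption that 31915 is the ssh port are constructed; the chain is abridged to keep the order readable.

```python
import ipaddress

# INPUT chain in the order /etc/sysconfig/iptables lists it (abridged: the
# duplicate port-53 rules and the port-51915 rule are omitted, order is kept).
INPUT_CHAIN = [
    ({"state": "RELATED,ESTABLISHED"}, "ACCEPT"),
    ({"proto": "icmp"}, "ACCEPT"),
    ({"in": "lo"}, "ACCEPT"),
    ({"proto": "udp", "dport": 53}, "ACCEPT"),
    ({"proto": "tcp", "dport": 80}, "ACCEPT"),
    ({"proto": "tcp", "dport": 31915, "state": "NEW"}, "ACCEPT"),
    ({}, "REJECT"),                           # catch-all: matches everything left
    ({"src": "46.161.9.8/32"}, "REJECT"),     # these four can never be reached
    ({"src": "185.121.190.12/32"}, "REJECT"),
    ({"src": "41.57.116.0/24"}, "REJECT"),
    ({"src": "41.57.117.0/24"}, "REJECT"),
]

def matches(rule, pkt):
    """True if every match in the rule applies to the packet (netfilter AND semantics)."""
    for key, want in rule.items():
        if key == "src":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(want):
                return False
        elif key == "state":
            if pkt["state"] not in want.split(","):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides: returns (target, rule index) or (policy, None)."""
    for i, (rule, target) in enumerate(chain):
        if matches(rule, pkt):
            return target, i
    return policy, None

def blocks_first(chain):
    """Reorder as 'iptables -I INPUT 1 -s X -j REJECT' would: source blocks on top."""
    blocks = [r for r in chain if "src" in r[0]]
    return blocks + [r for r in chain if "src" not in r[0]]

# Constructed sample packets (interface name eth0 and ssh on 31915 are assumed).
HTTP_FROM_LISTED = {"src": "46.161.9.8", "proto": "tcp", "dport": 80, "state": "NEW", "in": "eth0"}
SSH_FROM_LISTED = {"src": "41.57.116.5", "proto": "tcp", "dport": 31915, "state": "NEW", "in": "eth0"}

if __name__ == "__main__":
    for name, pkt in (("http", HTTP_FROM_LISTED), ("ssh", SSH_FROM_LISTED)):
        print(name, "as saved:", verdict(INPUT_CHAIN, pkt), "blocks first:", verdict(blocks_first(INPUT_CHAIN), pkt))
```

The packet counters in the iptables -vnL output tell the same story: the four source rules show 0 packets because nothing reaches them, while the catch-all REJECT above them has already counted 495.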