  1. #1

    What gets processed first? TCP Wrappers or iptables?

    I'd imagine that TCP wrappers are processed first because I get messages in my logs saying that libwrap refused connection from IP.x.x.x, but shouldn't it be the other way around? I have the same IP in my iptables list and I'd have hoped that I don't have to see libwrap rejections at all.

  2. #2
    iptables is in the kernel and libwrap is a library for programs. So iptables. If what you say is true then my guess is that iptables isn't catching it for some reason.

  3. #3
    That's my thought too.

    The IP range in question is 222.122.x.x. So my iptables is which I *think* is right (and someone else here agreed with me). Doesn't look like that works though:

    # iptables -A INPUT -s -j DROP

    Is that not correct?

  4. #4
    Your iptables rule looks fine for dropping everything from that range. The only other thing I can think of is the ordering then. Do you have a rule before that rule that accepts all connections to your port?

    Like :

    Accept all connections on port 80
    Drop everything from would still be able to connect to port 80, as it would be matched by the accept rule before your drop rule.


  5. #5
    You may try inserting the rules instead of appending them.

    iptables -I INPUT -s -j DROP
    iptables -I INPUT -s -j LOG --log-prefix "something_for_search"

    After that you may check the log to see if those rules catch something.
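The append-versus-insert point made in the two posts above comes down to netfilter's first-match traversal: a chain is walked top to bottom, the first terminating target (ACCEPT, DROP, REJECT) decides, and LOG is non-terminating, so the packet keeps going after being logged. The following is an added example, not code from the thread, that simulates that traversal in Python so the ordering effects can be checked without a root shell. The 203.0.113.0/24 source range and the port numbers are constructed test values (RFC 5737 documentation space), not the range from the thread; it also shows one pitfall the posts do not spell out: since each `-I` lands at position 1, the order in which you run the two `-I` commands decides whether the LOG rule ends up above or below the DROP.

```python
"""Simulate netfilter first-match evaluation of a single iptables chain.

Added example, not from the original thread. Models only what the discussion
needs: -A appends to the tail, -I inserts at a position (default 1 = head),
ACCEPT/DROP/REJECT terminate traversal, LOG does not, and the chain policy
applies when nothing matches.
"""
from ipaddress import ip_address, ip_network

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


class Chain:
    def __init__(self, name, policy="ACCEPT"):
        self.name = name
        self.policy = policy
        self.rules = []  # (source network or None, dport or None, target)

    def append(self, target, src=None, dport=None):
        """iptables -A: the rule goes to the end of the chain."""
        self.rules.append((ip_network(src) if src else None, dport, target))

    def insert(self, target, src=None, dport=None, pos=1):
        """iptables -I [pos]: the rule goes at position pos (1 = head)."""
        self.rules.insert(pos - 1, (ip_network(src) if src else None, dport, target))

    def evaluate(self, src_ip, dport):
        """Walk the chain top to bottom; return (verdict, list of LOG hits)."""
        addr = ip_address(src_ip)
        logged = []
        for net, port, target in self.rules:
            if net is not None and addr not in net:
                continue
            if port is not None and port != dport:
                continue
            if target == "LOG":
                logged.append((src_ip, dport))
                continue  # LOG is non-terminating: keep walking the chain
            if target in TERMINATING:
                return target, logged
        return self.policy, logged


def appended_after_accept():
    """Post #4's scenario: a broad ACCEPT on port 80 sits above an appended DROP.
    Returns the verdicts for a port-80 and a port-25 packet from the bad range."""
    c = Chain("INPUT")
    c.append("ACCEPT", dport=80)
    c.append("DROP", src="203.0.113.0/24")  # constructed test range
    return c.evaluate("203.0.113.7", 80)[0], c.evaluate("203.0.113.7", 25)[0]


def inserted_drop_then_log():
    """Post #5's order: -I DROP first, then -I LOG. The second insert pushes the
    DROP to position 2, so the chain reads LOG, DROP, ACCEPT."""
    c = Chain("INPUT")
    c.append("ACCEPT", dport=80)
    c.insert("DROP", src="203.0.113.0/24")
    c.insert("LOG", src="203.0.113.0/24")
    verdict, logged = c.evaluate("203.0.113.7", 80)
    return verdict, len(logged)


def inserted_log_then_drop():
    """Same two commands in the opposite order: the DROP now sits above the LOG,
    so the packet is dropped but never logged, which is why the log looks empty."""
    c = Chain("INPUT")
    c.append("ACCEPT", dport=80)
    c.insert("LOG", src="203.0.113.0/24")
    c.insert("DROP", src="203.0.113.0/24")
    verdict, logged = c.evaluate("203.0.113.7", 80)
    return verdict, len(logged)


if __name__ == "__main__":
    print("appended DROP below ACCEPT (port 80, port 25):", appended_after_accept())
    print("-I DROP then -I LOG  (verdict, log hits):", inserted_drop_then_log())
    print("-I LOG then -I DROP  (verdict, log hits):", inserted_log_then_drop())
```

On a real host the equivalent check is `iptables -L INPUT -n -v --line-numbers`: the line numbers give the traversal order and the packet counters on the LOG and DROP rules tell you whether the range is actually hitting them.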

  6. #6
    You could even do the following, if you were really paranoid or something:

    iptables -t nat -I PREROUTING 1 -s -j DROP

  7. #7
    I actually don't accept anything per iptables. I just have rules that deny, deny, deny (drop).

    That is what is probably the most baffling. I know iptables is working because I've tested it, but it isn't working for that range (at least, I still have SMTP attempts but I'm not finding any SSH login attempts any longer). I am going to take the paranoid approach. I haven't seen anything good coming from those IPs.
    Last edited by tamar; 09-07-2006 at 11:14 AM.
