09-05-2006, 10:47 AM, #1, Junior Guru (joined May 2006, 244 posts)
What gets processed first? TCP Wrappers or iptables?
I'd imagine that TCP wrappers are processed first because I get messages in my logs saying that libwrap refused connection from IP.x.x.x, but shouldn't it be the other way around? I have the same IP in my iptables list and I'd have hoped that I don't have to see libwrap rejections at all.
09-05-2006, 02:55 PM, #2, Junior Guru Wannabe (joined Jul 2006, 53 posts)
iptables is in the kernel and libwrap is a library for programs. So iptables. If what you say is true then my guess is that iptables isn't catching it for some reason.
Graeme
Secure your server with http://www.serverangel.com/
09-06-2006, 09:16 AM, #3, Junior Guru (joined May 2006, 244 posts)
That's my thought too.
The IP range in question is 222.122.x.x. So my iptables is 222.122.0.0/16 which I *think* is right (and someone else here agreed with me). Doesn't look like that works though:
# iptables -A INPUT -s 222.122.0.0/16 -j DROP
Is that not correct?
09-07-2006, 05:29 AM, #4, Junior Guru Wannabe (joined Jul 2006, 53 posts)
Your iptables rule looks fine for dropping everything from that range. The only other thing I can think of is the ordering then. Do you have a rule before that rule that accepts all connections to your port?
Like :
Accept all connections on port 80
Drop everything from 222.122.0.0/16
222.122.0.0/16 would still be able to connect to port 80 as it would be matched with the accept rule before your drop rule.
Graeme
Secure your server with http://www.serverangel.com/
09-07-2006, 05:54 AM, #5, Junior Guru Wannabe (joined Dec 2004, 76 posts)
You may try to insert the rules rather than append them:
iptables -I INPUT -s 222.122.0.0/16 -j DROP
iptables -I INPUT -s 222.122.0.0/16 -j LOG --log-prefix "something_for_search"
After that you may check the log to see if those rules catch anything.
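Posts #4 and #5 together describe the whole diagnosis: the INPUT chain is evaluated top to bottom, the first rule with a terminating target (ACCEPT, DROP, REJECT) decides, so a DROP appended with -A can sit behind an earlier ACCEPT that already matched, while -I pushes it to the front; LOG is non-terminating, so a LOG inserted ahead of the DROP records the hit and traversal continues. It also answers post #1: TCP wrappers run in userspace inside the daemon after the kernel has already accepted the connection, so a DROP that actually matches in iptables means libwrap never sees the peer at all. The following is an added example, not code from the thread: a small Python model of that first-match walk over rules written in the shape `iptables -S INPUT` prints. The rule lines, IP addresses and the `something_for_search` prefix are constructed for the example.

```python
"""Added example (not from the thread): first-match model of the filter
table's INPUT chain. Shows why a DROP appended with -A can be shadowed by an
earlier ACCEPT, why -I puts it in front, and why LOG never ends traversal.
All rules and packets below are constructed for this example."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str = ""
    src: Optional[ipaddress.IPv4Network] = None   # -s CIDR (None = any source)
    proto: Optional[str] = None                   # -p tcp/udp (None = any)
    dport: Optional[int] = None                   # --dport N (None = any)
    log_prefix: str = ""                          # --log-prefix for LOG

    def matches(self, src: str, proto: str, dport: int) -> bool:
        return ((self.src is None or ipaddress.ip_address(src) in self.src)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def parse_rule(line: str) -> Rule:
    """Parse the subset of `iptables -S` syntax used in the thread."""
    toks = shlex.split(line)
    rule = Rule()
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt == "-s":
            rule.src = ipaddress.ip_network(toks[i + 1], strict=False)
        elif opt == "-p":
            rule.proto = toks[i + 1]
        elif opt == "--dport":
            rule.dport = int(toks[i + 1])
        elif opt == "-j":
            rule.target = toks[i + 1]
        elif opt == "--log-prefix":
            rule.log_prefix = toks[i + 1]
        else:                       # -A INPUT, -I INPUT, -m tcp: no match effect
            i += 1
            continue
        i += 2
    if not rule.target:
        raise ValueError(f"no -j target in rule: {line}")
    return rule


class Chain:
    """An INPUT chain: ordered rules plus the policy used when nothing matches."""

    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules: list = []

    def append(self, line: str) -> None:                # iptables -A INPUT ...
        self.rules.append(parse_rule(line))

    def insert(self, line: str, pos: int = 1) -> None:  # iptables -I INPUT [pos] ...
        self.rules.insert(pos - 1, parse_rule(line))    # iptables numbers rules from 1

    def evaluate(self, src: str, proto: str, dport: int):
        """Walk the chain the way netfilter does: the first terminating target
        (ACCEPT/DROP/REJECT) decides; LOG fires and traversal continues.
        Returns (verdict, 1-based rule number or None for the policy, log lines)."""
        logged = []
        for num, rule in enumerate(self.rules, start=1):
            if not rule.matches(src, proto, dport):
                continue
            if rule.target == "LOG":
                logged.append(f"{rule.log_prefix}SRC={src} PROTO={proto} DPT={dport}")
                continue
            return rule.target, num, logged
        return self.policy, None, logged


def appended_behind_accept():
    """Post #4's scenario: a port-80 ACCEPT sits in front of the appended DROP."""
    chain = Chain()
    chain.append("-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT")
    chain.append("-A INPUT -s 222.122.0.0/16 -j DROP")
    return {
        "http": chain.evaluate("222.122.5.6", "tcp", 80),   # ACCEPT by rule 1: shadowed
        "smtp": chain.evaluate("222.122.5.6", "tcp", 25),   # DROP by rule 2
    }


def inserted_at_top():
    """Post #5's fix: -I puts the DROP in front, then the LOG in front of that."""
    chain = Chain()
    chain.append("-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT")
    chain.insert("-I INPUT -s 222.122.0.0/16 -j DROP")
    chain.insert('-I INPUT -s 222.122.0.0/16 -j LOG --log-prefix "something_for_search "')
    return {
        "http": chain.evaluate("222.122.5.6", "tcp", 80),   # logged by rule 1, DROP by rule 2
        "other_src": chain.evaluate("10.0.0.9", "tcp", 80), # ACCEPT by rule 3
    }


if __name__ == "__main__":
    for name, result in {**appended_behind_accept(), **inserted_at_top()}.items():
        print(name, result)
```

On a real host, `iptables -S INPUT` prints rules in the shape this parser reads, and `iptables -L INPUT -n -v --line-numbers` shows a packet counter per rule: a DROP rule whose counter never moves while connections from that range keep arriving is exactly the shadowing the model reproduces, and the rule number in front of it tells you which earlier rule took the packet.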
09-07-2006, 07:21 AM, #6, WHT Addict (joined Feb 2006, 111 posts)
You could even do the following, if you were really paranoid or something:
iptables -t nat -I PREROUTING 1 -s 222.122.0.0/16 -j DROP
09-07-2006, 11:07 AM, #7, Junior Guru (joined May 2006, 244 posts)
I actually don't accept anything per iptables. I just have rules that deny, deny, deny (drop).
That is what is probably the most baffling. I know iptables is working because I've tested it, but it isn't working for that range (at least, I still have SMTP attempts but I'm not finding any SSH login attempts any longer). I am going to take the paranoid approach. I haven't seen anything good coming from those IPs.
Last edited by tamar; 09-07-2006 at 11:14 AM.