  #1 (Join Date: May 2006, Posts: 244)

    What gets processed first? TCP Wrappers or iptables?

    I'd imagine that TCP wrappers are processed first because I get messages in my logs saying that libwrap refused connection from IP.x.x.x, but shouldn't it be the other way around? I have the same IP in my iptables list and I'd have hoped that I don't have to see libwrap rejections at all.

  #2 (Join Date: Jul 2006, Posts: 53)
    iptables is in the kernel and libwrap is a library for programs. So iptables. If what you say is true then my guess is that iptables isn't catching it for some reason.

    Graeme
    Secure your server with http://www.serverangel.com/

  #3 (Join Date: May 2006, Posts: 244)
    That's my thought too.

    The IP range in question is 222.122.x.x. So my iptables is 222.122.0.0/16 which I *think* is right (and someone else here agreed with me). Doesn't look like that works though:

    # iptables -A INPUT -s 222.122.0.0/16 -j DROP

    Is that not correct?

  #4 (Join Date: Jul 2006, Posts: 53)
    Your iptables rule looks fine for dropping everything from that range. The only other thing I can think of is the ordering then. Do you have a rule before that rule that accepts all connections to your port?

    Like :

    Accept from all connections on port 80
    Drop everything from 222.122.0.0/16

    222.122.0.0/16 would still be able to connect to port 80 as it would be matched with the accept rule before your drop rule.

    Graeme
    Secure your server with http://www.serverangel.com/

  #5 (Join Date: Dec 2004, Posts: 76)
    You may try to insert rules instead of appending them.

    iptables -I INPUT -s 222.122.0.0/16 -j DROP
    iptables -I INPUT -s 222.122.0.0/16 -j LOG --log-prefix "something_for_search"

    After that you may check the log to see if those rules catch something.
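The ordering point from #4 and the insert-versus-append point from #5 can be checked without touching a live firewall. The example below is added here and is not code from the thread: a hypothetical Python model (Rule, append_rule, insert_rule, evaluate, demo are all assumed names) of netfilter's first-match walk through one chain, modelling only -s and --dport matches and the ACCEPT, DROP and LOG targets; the sample source address 222.122.45.6 is constructed. It shows why a DROP appended behind an ACCEPT for port 80 never sees port-80 traffic, and why LOG placed at the top records the hit while traversal continues to the DROP.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass
class Rule:                         # hypothetical model of one iptables rule
    target: str                     # "ACCEPT", "DROP" or "LOG"
    src: Optional[str] = None       # -s source CIDR, e.g. "222.122.0.0/16"
    dport: Optional[int] = None     # --dport TCP port, None matches any port
    def matches(self, src_ip: str, dport: int) -> bool:
        if self.src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        return self.dport is None or self.dport == dport

def append_rule(chain: List[Rule], rule: Rule) -> None:
    chain.append(rule)              # like iptables -A: the rule goes to the end
def insert_rule(chain: List[Rule], rule: Rule, pos: int = 1) -> None:
    chain.insert(pos - 1, rule)     # like iptables -I [pos]: default is the top

def evaluate(chain: List[Rule], src_ip: str, dport: int,
             policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Walk the chain top to bottom; the first ACCEPT/DROP match decides. LOG is
    non-terminating (records the hit, traversal continues); no match -> chain policy."""
    logged: List[str] = []
    for rule in chain:
        if not rule.matches(src_ip, dport):
            continue
        if rule.target == "LOG":
            logged.append(f"{src_ip}:{dport}")
            continue
        return rule.target, logged
    return policy, logged

def demo() -> dict:
    # Post #4's ordering problem: ACCEPT port 80 appended first, DROP appended after it.
    appended: List[Rule] = []
    append_rule(appended, Rule("ACCEPT", dport=80))
    append_rule(appended, Rule("DROP", src="222.122.0.0/16"))
    # Post #5's approach: DROP then LOG inserted at the top with -I, so LOG sits first.
    inserted: List[Rule] = []
    append_rule(inserted, Rule("ACCEPT", dport=80))
    insert_rule(inserted, Rule("DROP", src="222.122.0.0/16"))
    insert_rule(inserted, Rule("LOG", src="222.122.0.0/16"))
    src = "222.122.45.6"            # constructed sample address inside the /16
    return {
        "appended_port80": evaluate(appended, src, 80),             # ('ACCEPT', [])
        "appended_port25": evaluate(appended, src, 25),             # ('DROP', [])
        "inserted_port80": evaluate(inserted, src, 80),             # ('DROP', ['222.122.45.6:80'])
        "other_host_port80": evaluate(inserted, "203.0.113.9", 80), # ('ACCEPT', [])
    }
```

The same first-match walk is what the kernel does before any connection reaches a libwrap-linked daemon, so a source that is dropped here never produces a libwrap refusal in the logs.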

  #6
    You could even do the following, if you were really paranoid or something:

    iptables -t nat -I PREROUTING 1 -s 222.122.0.0/16 -j DROP

  #7 (Join Date: May 2006, Posts: 244)
    I actually don't accept anything per iptables. I just have rules that deny, deny, deny (drop).

    That is what is probably the most baffling. I know iptables is working because I've tested it, but it isn't working for that range (at least, I still have SMTP attempts but I'm not finding any SSH login attempts any longer). I am going to take the paranoid approach. I haven't seen anything good coming from those IPs.
    Last edited by tamar; 09-07-2006 at 11:14 AM.
