Iptables does not drop connection

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I have this iptables config:



# sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-sshd -j RETURN


I am trying to do a Geoip restrict (necessary modules are installed) with:



iptables -A INPUT -m geoip ! --src-cc SK -m tcp -p tcp --dport 22 -j DROP


If source ip is not from SK => drop



I also tried to drop all incoming connections and allow only from SK:



iptables -P INPUT DROP
iptables -A INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j ACCEPT


...but doesn't work either. What would be a "good" config for me? I think the default -P INPUT ACCEPT is not the safest setting on this machine.







share|improve this question
























    up vote
    0
    down vote

    favorite












    I have this iptables config:



    # sudo iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N DOCKER
    -N DOCKER-ISOLATION
    -N DOCKER-USER
    -N f2b-sshd
    -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
    -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    -A INPUT -p udp -m udp --dport 1701 -j DROP
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j DROP
    -A FORWARD -m conntrack --ctstate INVALID -j DROP
    -A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i ppp+ -o eth0 -j ACCEPT
    -A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
    -A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
    -A FORWARD -j DOCKER-USER
    -A FORWARD -j DOCKER-ISOLATION
    -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -o docker0 -j DOCKER
    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
    -A FORWARD -i docker0 -o docker0 -j ACCEPT
    -A FORWARD -j DROP
    -A DOCKER-ISOLATION -j RETURN
    -A DOCKER-USER -j RETURN
    -A f2b-sshd -j RETURN


    I am trying to do a Geoip restrict (necessary modules are installed) with:



    iptables -A INPUT -m geoip ! --src-cc SK -m tcp -p tcp --dport 22 -j DROP


    If source ip is not from SK => drop



    I also tried to drop all incoming connections and allow only from SK:



    iptables -P INPUT DROP
    iptables -A INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j ACCEPT


    ...but doesn't work either. What would be a "good" config for me? I think the default -P INPUT ACCEPT is not the safest setting on this machine.







    share|improve this question






















      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I have this iptables config:



      # sudo iptables -S
      -P INPUT ACCEPT
      -P FORWARD ACCEPT
      -P OUTPUT ACCEPT
      -N DOCKER
      -N DOCKER-ISOLATION
      -N DOCKER-USER
      -N f2b-sshd
      -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
      -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
      -A INPUT -m conntrack --ctstate INVALID -j DROP
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
      -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
      -A INPUT -p udp -m udp --dport 1701 -j DROP
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m udp --dport 53 -j ACCEPT
      -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
      -A INPUT -j REJECT --reject-with icmp-host-prohibited
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m udp --dport 53 -j ACCEPT
      -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
      -A INPUT -j REJECT --reject-with icmp-host-prohibited
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m udp --dport 53 -j ACCEPT
      -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
      -A INPUT -j REJECT --reject-with icmp-host-prohibited
      -A INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j DROP
      -A FORWARD -m conntrack --ctstate INVALID -j DROP
      -A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -i ppp+ -o eth0 -j ACCEPT
      -A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
      -A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
      -A FORWARD -j DOCKER-USER
      -A FORWARD -j DOCKER-ISOLATION
      -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -o docker0 -j DOCKER
      -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
      -A FORWARD -i docker0 -o docker0 -j ACCEPT
      -A FORWARD -j DROP
      -A DOCKER-ISOLATION -j RETURN
      -A DOCKER-USER -j RETURN
      -A f2b-sshd -j RETURN


      I am trying to do a Geoip restrict (necessary modules are installed) with:



      iptables -A INPUT -m geoip ! --src-cc SK -m tcp -p tcp --dport 22 -j DROP


      If source ip is not from SK => drop



      I also tried to drop all incoming connections and allow only from SK:



      iptables -P INPUT DROP
      iptables -A INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j ACCEPT


      ...but doesn't work either. What would be a "good" config for me? I think the default -P INPUT ACCEPT is not the safest setting on this machine.







      share|improve this question












      I have this iptables config:



      # sudo iptables -S
      -P INPUT ACCEPT
      -P FORWARD ACCEPT
      -P OUTPUT ACCEPT
      -N DOCKER
      -N DOCKER-ISOLATION
      -N DOCKER-USER
      -N f2b-sshd
      -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
      -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
      -A INPUT -m conntrack --ctstate INVALID -j DROP
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
      -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
      -A INPUT -p udp -m udp --dport 1701 -j DROP
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m udp --dport 53 -j ACCEPT
      -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
      -A INPUT -j REJECT --reject-with icmp-host-prohibited
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m udp --dport 53 -j ACCEPT
      -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
      -A INPUT -j REJECT --reject-with icmp-host-prohibited
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m udp --dport 53 -j ACCEPT
      -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
      -A INPUT -j REJECT --reject-with icmp-host-prohibited
      -A INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j DROP
      -A FORWARD -m conntrack --ctstate INVALID -j DROP
      -A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -i ppp+ -o eth0 -j ACCEPT
      -A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
      -A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
      -A FORWARD -j DOCKER-USER
      -A FORWARD -j DOCKER-ISOLATION
      -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -o docker0 -j DOCKER
      -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
      -A FORWARD -i docker0 -o docker0 -j ACCEPT
      -A FORWARD -j DROP
      -A DOCKER-ISOLATION -j RETURN
      -A DOCKER-USER -j RETURN
      -A f2b-sshd -j RETURN


      I am trying to do a Geoip restrict (necessary modules are installed) with:



      iptables -A INPUT -m geoip ! --src-cc SK -m tcp -p tcp --dport 22 -j DROP


      If source ip is not from SK => drop



      I also tried to drop all incoming connections and allow only from SK:



      iptables -P INPUT DROP
      iptables -A INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j ACCEPT


      ...but doesn't work either. What would be a "good" config for me? I think the default -P INPUT ACCEPT is not the safest setting on this machine.









      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 3 at 20:56









      user66638

      1011




      1011




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          It looks like you have an accept rule above your drop rule for port 22:



          -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT


          Since you've already accepted the traffic, iptables will ignore the later defined drop rule.



          Try using -I to insert the rule at the top, rather than appending it to the bottom (-A):



          iptables -I INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j ACCEPT






          share|improve this answer




















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );








             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f414631%2fiptables-does-not-drop-connection%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            It looks like you have an accept rule above your drop rule for port 22:



            -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT


            Since you've already accepted the traffic, iptables will ignore the later defined drop rule.



            Try using -I to insert the rule at the top, rather than appending it to the bottom (-A):



            iptables -I INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j ACCEPT






            share|improve this answer
























              up vote
              0
              down vote













              It looks like you have an accept rule above your drop rule for port 22:



              -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT


              Since you've already accepted the traffic, iptables will ignore the later defined drop rule.



              Try using -I to insert the rule at the top, rather than appending it to the bottom (-A):



              iptables -I INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j ACCEPT






              share|improve this answer






















                up vote
                0
                down vote










                up vote
                0
                down vote









                It looks like you have an accept rule above your drop rule for port 22:



                -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT


                Since you've already accepted the traffic, iptables will ignore the later defined drop rule.



                Try using -I to insert the rule at the top, rather than appending it to the bottom (-A):



                iptables -I INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j ACCEPT






                share|improve this answer












                It looks like you have an accept rule above your drop rule for port 22:



                -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT


                Since you've already accepted the traffic, iptables will ignore the later defined drop rule.



                Try using -I to insert the rule at the top, rather than appending it to the bottom (-A):



                iptables -I INPUT -p tcp -m geoip --source-country SK -m tcp --dport 22 -j ACCEPT







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Jan 3 at 22:04









                L.Ray

                1967




                1967






















                     

                    draft saved


                    draft discarded


























                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f414631%2fiptables-does-not-drop-connection%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?