iptables does not block ip after adding drop command
I'm trying to block an IP (144.76.68.14). I add the command iptables -A INPUT -s 144.76.68.14 -j DROP
but the IP is not blocked! Here is the content of iptables -S:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_direct
-N INPUT_ZONES_SOURCE
-N INPUT_ZONES
-N FORWARD_direct
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_IN_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N OUTPUT_direct
-N IN_public
-N IN_public_log
-N IN_public_deny
-N IN_public_allow
-N FWDI_public
-N FWDI_public_log
-N FWDI_public_deny
-N FWDI_public_allow
-N FWDO_public
-N FWDO_public_log
-N FWDO_public_deny
-N FWDO_public_allow
-A INPUT -s 141.98.80.58/32 -j DROP
-A INPUT -s 83.155.61.155/32 -j ACCEPT
-A INPUT -s 41.202.219.71/32 -j DROP
-A INPUT -s 54.36.150.172/32 -j DROP
-A INPUT -s 151.80.39.210/32 -j DROP
-A INPUT -s 5.196.87.130/32 -j DROP
-A INPUT -s 83.155.61.155/32 -j DROP
-A INPUT -s 65.154.226.100/32 -j ACCEPT
-A INPUT -s 65.154.226.100/32 -j DROP
-A INPUT -s 159.69.117.167/32 -j DROP
-A INPUT -s 213.217.0.183/32 -j DROP
-A INPUT -s 141.98.81.196/32 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 141.98.81.196/32 -j DROP
-A INPUT -s 141.98.80.58/32 -j DROP
-A INPUT -s 23.100.232.233/32 -j DROP
-A INPUT -s 5.9.6.51/32 -j DROP
-A INPUT -s 185.191.171.0/24 -j DROP
-A INPUT -s 45.93.201.119/32 -j DROP
-A INPUT -s 125.64.94.213/32 -j DROP
-A INPUT -s 52.183.60.91/32 -j DROP
-A INPUT -s 144.76.68.14/32 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A INPUT_direct -p tcp -m multiport --dports 110,995,143,993,587,465,4190 -m set --match-set f2b-dovecot src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m multiport --dports 25,465,587 -m set --match-set f2b-postfix src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m multiport --dports 10000 -m set --match-set f2b-webmin-auth src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_ZONES -g IN_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 110 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 143 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 10000:10100 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 20000 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
# Warning: iptables-legacy tables present, use iptables-legacy to see them
You have a stateful firewall configuration, as indicated by the option:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
A stateful firewall like that is much more performant for allowed traffic.
Rather than evaluating every packet of all traffic that is allowed against a (potentially complex) rule set, only new connections need to be evaluated fully. Once the new connection is allowed, all subsequent traffic over that connection is allowed by this rule, significantly reducing the processing needed for all the subsequent traffic between your server and your client.
Changing the rule set in a stateful firewall does not clear the existing table of allowed established and related connections.
All connections that were in the established connection state table before your firewall change still remain in the allowed connections cache after you change/add/remove iptables rules. Those established connections will not be re-evaluated against the complete new rule set.
If you change your firewall rule set so that traffic that was previously allowed is no longer allowed, and that rule gets evaluated after the
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
rule, then the traffic will not get blocked immediately. Existing connections remain allowed and only new connections will get blocked. (You used iptables -A INPUT ... to append your new rule at the end of the INPUT chain, so it will be evaluated after the conntrack rule and is impacted by that.)
You can avoid that in two different ways:
- Insert the rule blocking specific traffic in a specific order so it gets evaluated before being allowed by the conntrack module. That's what you already see in your config:
  -A INPUT -s 213.217.0.183/32 -j DROP
  -A INPUT -s 141.98.81.196/32 -j DROP
  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  Creating many such rules of course negates some of the benefits of using a stateful firewall, as each of those rules will need to be evaluated for every packet, also for all traffic that is allowed (and most servers see much more traffic that is allowed over established connections than new connections and/or unwanted traffic).
- Flush the conntrack connection table after a rule change.
  Depending on the rule change you can flush the complete table, or you can flush specific entries. Install conntrack-tools and use the conntrack command, for example:
  conntrack -D -s 10.2.3.4
  Delete all flows whose source address is 10.2.3.4
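A check for the ordering problem the answer describes, added here as an example (not code from the question or the answer): it reads iptables -S output and reports whether a DROP rule for a given source sits before the conntrack ACCEPT, behind it (only new connections dropped), or, as with the rule appended in the posted ruleset, behind the catch-all REJECT where no packet reaches it at all. The embedded ruleset is a constructed excerpt of the question's output, and block_plan only prints the remediation commands rather than running them.

```shell
#!/bin/sh
# Constructed excerpt of the `iptables -S` output in the question, same order,
# most rules omitted. On a live host use: RULES=$(iptables -S INPUT)
RULES='-P INPUT ACCEPT
-A INPUT -s 141.98.80.58/32 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 144.76.68.14/32 -j DROP'

# Position of the first INPUT rule matching ERE $2 in ruleset $1 (1-based, the
# same numbering `iptables -L INPUT --line-numbers` uses); empty if none matches.
rule_pos() {
    printf '%s\n' "$1" | grep -- '^-A INPUT ' | grep -n -E -- "$2" | head -n 1 | cut -d: -f1
}

# Classify the DROP rule for source address $2 in ruleset $1; prints one word:
#   effective   before the conntrack ACCEPT, so established flows are dropped too
#   shadowed    after the conntrack ACCEPT: only NEW connections are dropped
#   unreachable after a catch-all REJECT/DROP: no packet ever reaches it
#   missing     no such DROP rule in INPUT
drop_status() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the ERE
    drop=$(rule_pos "$1" "-s $ip_re/32 -j DROP")
    ct=$(rule_pos "$1" "--ctstate RELATED,ESTABLISHED -j ACCEPT")
    catchall=$(rule_pos "$1" '^-A INPUT -j (REJECT|DROP)')
    if [ -z "$drop" ]; then echo missing
    elif [ -n "$catchall" ] && [ "$catchall" -lt "$drop" ]; then echo unreachable
    elif [ -n "$ct" ] && [ "$ct" -lt "$drop" ]; then echo shadowed
    else echo effective
    fi
}

# Commands that make a block for $1 take effect immediately: move the rule ahead
# of the conntrack ACCEPT and discard the flows conntrack has already accepted.
block_plan() {
    printf 'iptables -D INPUT -s %s -j DROP\n' "$1"    # remove the appended copy
    printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$1"  # re-insert at the top
    printf 'conntrack -D -s %s\n' "$1"                 # flush existing flows (conntrack-tools)
}

for ip in 141.98.80.58 144.76.68.14; do
    printf '%s: %s\n' "$ip" "$(drop_status "$RULES" "$ip")"
done
```

The INPUT_direct and IN_public chains in the posted ruleset are firewalld's, so a rule inserted with plain iptables -I is lost on the next firewalld reload; the persistent form of the same block goes through firewalld's rich or direct rules.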