Blocked IP in iptables but still seeing it in apache logs
I'm running a CentOS 6.0 server, with Apache 2/MySQL. I've got iptables running. I followed these steps tonight to block all traffic from an IP using iptables:
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
iptables -A OUTPUT -d xxx.xxx.xxx.xxx -j DROP
service iptables save
service iptables restart
But I'm still seeing hits from this IP in my Apache access logs constantly, even after I restart Apache. iptables is definitely running and it's definitely the right IP address.
These are the rest of my iptables entries:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
3 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
4 ACCEPT tcp -- anywhere anywhere tcp dpt:http
5 ACCEPT tcp -- anywhere anywhere tcp dpt:https
6 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:30000
7 ACCEPT icmp -- anywhere anywhere icmp echo-request
8 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
What am I missing?
Solution 1:
At first I would suggest you use system-config-firewall or system-config-firewall-tui. There is a section with "custom rules" which will do this for you.
If you want to do this kind of thing manually, you have to insert the rule before the "ACCEPT" for tcp dpt:http. The easiest way is:
iptables -I INPUT 1 -s xxx.xxx.xxx.xxx -j DROP
(Insert at position 1, instead of Append)
Solution 2:
Your first iptables rule allows the very traffic you are trying to block.
1 ACCEPT all -- anywhere anywhere
Order matters.
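Both answers come down to first-match evaluation: a packet is decided by the first rule in the chain that matches it, so a DROP appended after "ACCEPT all" never fires. The following is an added example, not code from the question or either answer: a small Python model of the INPUT chain shown above (rules 2, 6 and 7 left out for brevity), comparing -A with -I INPUT 1 and flagging rules that can never be reached; the address 203.0.113.7 is a constructed sample.

```python
def any_pkt(pkt):
    return True

def src_is(ip):
    return lambda pkt: pkt["src"] == ip

def tcp_dport(port):
    return lambda pkt: pkt["proto"] == "tcp" and pkt["dport"] == port

def established(pkt):
    return pkt["state"] in ("RELATED", "ESTABLISHED")

# (target, matcher, label) in the order `iptables -L INPUT` printed them.
BASE_CHAIN = [
    ("ACCEPT", any_pkt,        "1 ACCEPT all -- anywhere anywhere"),
    ("ACCEPT", established,    "3 ACCEPT all state RELATED,ESTABLISHED"),
    ("ACCEPT", tcp_dport(80),  "4 ACCEPT tcp dpt:http"),
    ("ACCEPT", tcp_dport(443), "5 ACCEPT tcp dpt:https"),
    ("REJECT", any_pkt,        "8 REJECT all"),
]

def evaluate(chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first rule that matches decides.
    Returns (verdict, label of the deciding rule)."""
    for target, matcher, label in chain:
        if matcher(pkt):
            return target, label
    return policy, "chain policy"

def append_drop(chain, ip):
    """iptables -A INPUT -s <ip> -j DROP: the rule goes to the END of the chain."""
    return chain + [("DROP", src_is(ip), f"DROP -s {ip} (appended)")]

def insert_drop(chain, ip):
    """iptables -I INPUT 1 -s <ip> -j DROP: the rule goes to the TOP of the chain."""
    return [("DROP", src_is(ip), f"DROP -s {ip} (inserted at 1)")] + chain

def dead_rules(chain, sample_pkts):
    """Rules that are never the first match for any sample packet. A DROP
    listed here is shadowed by an earlier rule, which is the bug in the question."""
    deciders = {evaluate(chain, p)[1] for p in sample_pkts}
    return [label for _, _, label in chain if label not in deciders]

BAD_IP = "203.0.113.7"  # constructed sample address (RFC 5737 TEST-NET-3)
WEB_HIT = {"src": BAD_IP, "proto": "tcp", "dport": 80, "state": "NEW"}

if __name__ == "__main__":
    for name, chain in (("appended", append_drop(BASE_CHAIN, BAD_IP)),
                        ("inserted", insert_drop(BASE_CHAIN, BAD_IP))):
        print(name, evaluate(chain, WEB_HIT), "dead:", dead_rules(chain, [WEB_HIT]))
```

Running it shows the appended DROP losing to rule 1 while the inserted DROP decides the packet; the same check is worth repeating against the real chain with `iptables -L INPUT -n --line-numbers` after any change.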