1

I am having a problem with comment spammers. Well at least I think I am. I am running CentOS and my Apache webserver keeps maxing out on RAM and then becomes unresponsive and crashes. If I run the following command:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Then I get this list of connections that are open:

18 112.65.135.54
18 118.98.172.53
19 174.142.104.57
20 91.121.79.99
40 218.69.96.4

Searching those IPs on the website projecthoneypot.com told me that they are comment spammers. So I thought I would just ban them using iptables with this command:

iptables -A INPUT -s 174.142.104.57 -j REJECT

I have also tried using the command:

iptables -A INPUT -s 174.142.104.57 -j DROP

I then saved the state with: service iptables save

If I run the netstat command again, those IPs are still connected and some of their connections have increased in number.

Does anyone know what I am doing wrong? service iptables status does show iptables is running and has those rules in it. So I am completely stumped. Any help would be greatly appreciated.

Michael Gaylord
  • 123
  • 1
  • 6

2 Answers

4

Without actually being able to see your full firewall configuration, my guess is that you have a mistake somewhere. Inbound traffic might be allowed by some other rule, such as one allowing RELATED and ESTABLISHED traffic, or allowed by port or destination. Moving the DROP or REJECT rule up in the chain will make it match earlier and not be overridden by a different rule.

Also, if inbound traffic is being blocked, then existing connections will technically still be considered "open" until your computer decides that the other server isn't responding. And if your computer isn't trying to communicate with the remote machine, then it will never know that there's no response on the other side.

tylerl
  • 14,885
  • 7
  • 49
  • 71
2

I had the same problem.

Here is how I solved it, by editing /etc/sysconfig/iptables:

Move the blocking line, such as

-A INPUT -s xxx.xxx.xxx.xxx -j DROP

to the top of the -A list. Since then I haven't seen any brute-force attack messages from that IP.

Joe Huang
  • 215
  • 2
  • 8
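Both answers come down to the same point: iptables walks a chain top to bottom and stops at the first match, so a block rule appended with -A lands behind the RELATED,ESTABLISHED and port ACCEPT rules and is never reached. The script below is an added example, not code from either answer: it takes a saved rules file in the /etc/sysconfig/iptables format (a constructed CentOS-style sample is embedded), re-emits it with the per-source DROP/REJECT rules hoisted to the top of the INPUT chain, and reports the block rule's position before and after. The function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: move per-source DROP/REJECT rules to the top of the INPUT chain
# in a saved iptables rules file. iptables stops at the first matching rule, so a
# rule appended with -A sits behind the ACCEPT rules and is never reached.

# Constructed sample in iptables-save format: a CentOS-style default ruleset with
# the questioner's block rule appended at the very end, where it never matches.
write_sample() {
  cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 174.142.104.57 -j DROP
COMMIT
EOF
}

# Re-emit the file with every "-A INPUT -s <addr> -j DROP|REJECT" line placed
# ahead of the first -A rule. Pass 1 collects those lines, pass 2 rewrites.
hoist_block_rules() {
  awk '
    NR == FNR { if ($0 ~ /^-A INPUT -s [^ ]+ -j (DROP|REJECT)/) drops[++n] = $0; next }
    /^-A INPUT -s [^ ]+ -j (DROP|REJECT)/ { next }
    /^-A / && !hoisted { for (i = 1; i <= n; i++) print drops[i]; hoisted = 1 }
    { print }
  ' "$1" "$1"
}

# 1-based position of the first per-source block rule among the INPUT rules read
# from stdin; 1 means it is evaluated before any ACCEPT rule.
first_block_rule_position() {
  grep '^-A INPUT ' | awk '/-s [^ ]+ -j (DROP|REJECT)/ { print NR; exit }'
}

demo() {
  f=$(mktemp)
  write_sample "$f"
  echo "before: block rule is INPUT rule #$(first_block_rule_position < "$f")"
  echo "after:  block rule is INPUT rule #$(hoist_block_rules "$f" | first_block_rule_position)"
  rm -f "$f"
}

demo
```

Load the rewritten file with iptables-restore (or service iptables restart); connections that are already in the table will still show up in netstat until they time out, as tylerl's answer notes.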