
I am using iptables for a basic firewall. I have placed some blocks on those IPs attempting FTP, SSH connections, etc.

I have accept rules at the top for good measure to ensure that my monitoring services, my static IP addresses and DNS are not blocked by a bad rule. Below that I have my deny and log rules.

I have some IP addresses which I see are establishing some random PERL connections via port 80, and I have them in the logs. I have placed blocks on these IPs, but they continue to connect to my server. Any ideas? I have checked the ruleset and do not see any other allow aside from the allow-all rule which is at the bottom.

Log entries

Mar 16 04:00:01 srv01 kernel: IN=eth0 OUT= MAC=00:14:22:73:02:3d:68:ef:bd:2c:67:bf:08:00 SRC=91.121.123.94 DST=174.133.52.170 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=80 DPT=52560 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Mar 16 04:00:46 srv01 last message repeated 7 times
Mar 16 04:01:34 srv01 last message repeated 2 times
Mar 16 04:03:10 srv01 kernel: IN=eth0 OUT= MAC=00:14:22:73:02:3d:68:ef:bd:2c:67:bf:08:00 SRC=213.59.1.26 DST=174.133.52.170 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=47146 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Mar 16 04:03:55 srv01 last message repeated 6 times
Mar 16 04:04:53 srv01 last message repeated 5 times
Mar 16 04:06:19 srv01 kernel: IN=eth0 OUT= MAC=00:14:22:73:02:3d:68:ef:bd:2c:67:bf:08:00 SRC=83.222.3.90 DST=174.133.52.170 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=80 DPT=35781 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Mar 16 04:07:04 srv01 last message repeated 7 times
Mar 16 04:07:53 srv01 last message repeated 3 times

Iptables rules

(These were cleared)

0     0 ACCEPT     all  --  *      *       96.228.70.3          0.0.0.0/0
0     0 ACCEPT     all  --  *      *       75.125.126.8         0.0.0.0/0
0     0 ACCEPT     all  --  *      *       216.12.193.9         0.0.0.0/0
0     0 ACCEPT     all  --  *      *       209.85.4.0/26        0.0.0.0/0
0     0 ACCEPT     all  --  *      *       66.98.240.192/26     0.0.0.0/0
0     0 ACCEPT     all  --  *      *       216.40.193.0/24      0.0.0.0/0
0     0 ACCEPT     all  --  *      *       70.84.160.0/24       0.0.0.0/0
0     0 ACCEPT     all  --  *      *       70.85.125.0/24       0.0.0.0/0
0     0 ACCEPT     all  --  *      *       216.234.234.0/24     0.0.0.0/0
0     0 ACCEPT     all  --  *      *       67.19.0.0/24         0.0.0.0/0
0     0 ACCEPT     all  --  *      *       12.96.160.0/24       0.0.0.0/0
0     0 ACCEPT     all  --  *      *       67.18.139.0/24       0.0.0.0/0
0     0 ACCEPT     all  --  *      *       204.93.240.0/24      0.0.0.0/0
0     0 ACCEPT     all  --  *      *       204.93.177.0/24      0.0.0.0/0
0     0 ACCEPT     all  --  *      *       199.27.128.0/21      0.0.0.0/0
295 29776 ACCEPT     all  --  *      *       173.245.48.0/20      0.0.0.0/0
0     0 ACCEPT     all  --  *      *       103.22.200.0/22      0.0.0.0/0
0     0 ACCEPT     all  --  *      *       141.101.64.0/18      0.0.0.0/0
0     0 ACCEPT     all  --  *      *       108.162.192.0/18     0.0.0.0/0
1    60 DROP       all  --  *      *       81.176.0.0/15        0.0.0.0/0
0     0 DROP       all  --  *      *       213.59.0.0/16        0.0.0.0/0
0     0 DROP       all  --  *      *       83.222.3.90          0.0.0.0/0
0     0 DROP       all  --  *      *       91.121.123.94        0.0.0.0/0
0     0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0
0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0
0     0 DROP       all  --  *      *       172.16.0.0/12        0.0.0.0/0
0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0
0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
0     0 DROP       all  --  *      *       240.0.0.0/5          0.0.0.0/0
0     0 DROP       all  --  *      *       239.255.255.0/24     0.0.0.0/0
0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID

FULL IPTABLES

LOG all -- 213.59.1.0/24 0.0.0.0/0 LOG flags 0 level 4
LOG all -- 0.0.0.0/0 213.59.1.0/24 LOG flags 0 level 4
LOG all -- 91.121.123.0/24 0.0.0.0/0 LOG flags 0 level 4
LOG all -- 0.0.0.0/0 91.121.123.0/24 LOG flags 0 level 4
LOG all -- 83.222.3.0/24 0.0.0.0/0 LOG flags 0 level 4
LOG all -- 0.0.0.0/0 83.222.3.0/24 LOG flags 0 level 4
ACCEPT all -- 76.183.22.66 0.0.0.0/0
ACCEPT all -- 96.228.70.3 0.0.0.0/0
ACCEPT all -- 75.125.126.8 0.0.0.0/0
ACCEPT all -- 216.12.193.9 0.0.0.0/0
ACCEPT all -- 209.85.4.0/26 0.0.0.0/0
ACCEPT all -- 66.98.240.192/26 0.0.0.0/0
ACCEPT all -- 216.40.193.0/24 0.0.0.0/0
ACCEPT all -- 70.84.160.0/24 0.0.0.0/0
ACCEPT all -- 70.85.125.0/24 0.0.0.0/0
ACCEPT all -- 216.234.234.0/24 0.0.0.0/0
ACCEPT all -- 67.19.0.0/24 0.0.0.0/0
ACCEPT all -- 12.96.160.0/24 0.0.0.0/0
ACCEPT all -- 67.18.139.0/24 0.0.0.0/0
ACCEPT all -- 204.93.240.0/24 0.0.0.0/0
ACCEPT all -- 204.93.177.0/24 0.0.0.0/0
ACCEPT all -- 199.27.128.0/21 0.0.0.0/0
ACCEPT all -- 173.245.48.0/20 0.0.0.0/0
ACCEPT all -- 103.22.200.0/22 0.0.0.0/0
ACCEPT all -- 141.101.64.0/18 0.0.0.0/0
ACCEPT all -- 108.162.192.0/18 0.0.0.0/0
DROP all -- 199.255.209.70 0.0.0.0/0
DROP all -- 41.107.218.0/24 0.0.0.0/0
DROP all -- 190.246.111.0/24 0.0.0.0/0
DROP all -- 201.253.142.13 0.0.0.0/0
DROP all -- 190.175.152.29 0.0.0.0/0
DROP all -- 31.47.193.0/24 0.0.0.0/0
DROP all -- 203.223.95.0/24 0.0.0.0/0
DROP all -- 213.184.224.0/24 0.0.0.0/0
DROP all -- 178.122.25.0/24 0.0.0.0/0
DROP all -- 93.84.8.0/24 0.0.0.0/0
DROP all -- 178.122.148.0/24 0.0.0.0/0
DROP all -- 178.126.12.0/24 0.0.0.0/0
DROP all -- 93.85.47.0/24 0.0.0.0/0
DROP all -- 168.167.156.0/24 0.0.0.0/0
DROP all -- 67.205.74.88 0.0.0.0/0
DROP all -- 72.55.168.51 0.0.0.0/0
DROP all -- 205.204.67.252 0.0.0.0/0
DROP all -- 41.79.124.0/24 0.0.0.0/0
DROP all -- 201.223.93.0/24 0.0.0.0/0
DROP all -- 180.76.5.0/24 0.0.0.0/0
DROP all -- 220.178.87.62 0.0.0.0/0
DROP all -- 60.166.16.196 0.0.0.0/0
DROP all -- 180.137.165.0/24 0.0.0.0/0
DROP all -- 124.237.90.0/24 0.0.0.0/0
DROP all -- 111.224.250.132 0.0.0.0/0
DROP all -- 218.93.127.131 0.0.0.0/0
DROP all -- 222.73.220.67 0.0.0.0/0
DROP all -- 122.227.111.226 0.0.0.0/0
DROP all -- 202.119.43.17 0.0.0.0/0
DROP all -- 222.200.180.67 0.0.0.0/0
DROP all -- 190.1.244.175 0.0.0.0/0
DROP all -- 186.0.87.0/24 0.0.0.0/0
DROP all -- 199.59.144.0/22 0.0.0.0/0
DROP all -- 186.149.17.64 0.0.0.0/0
DROP all -- 91.205.41.188 0.0.0.0/0
DROP all -- 90.223.205.138 0.0.0.0/0
DROP all -- 62.216.239.189 0.0.0.0/0
DROP all -- 109.123.118.0/24 0.0.0.0/0
DROP all -- 197.122.161.65 0.0.0.0/0
DROP all -- 89.2.16.204 0.0.0.0/0
DROP all -- 81.65.208.29 0.0.0.0/0
DROP all -- 91.121.123.94 0.0.0.0/0
DROP all -- 212.60.65.174 0.0.0.0/0
DROP all -- 82.165.153.99 0.0.0.0/0
DROP all -- 217.6.49.106 0.0.0.0/0
DROP all -- 88.198.102.204 0.0.0.0/0
DROP all -- 217.172.48.239 0.0.0.0/0
DROP all -- 188.138.16.0/24 0.0.0.0/0
DROP all -- 62.141.45.0/24 0.0.0.0/0
DROP all -- 182.64.181.0/24 0.0.0.0/0
DROP all -- 122.164.51.0/24 0.0.0.0/0
DROP all -- 117.194.72.0/24 0.0.0.0/0
DROP all -- 117.201.66.0/24 0.0.0.0/0
DROP all -- 117.212.225.0/24 0.0.0.0/0
DROP all -- 120.59.59.208 0.0.0.0/0
DROP all -- 117.229.21.0/24 0.0.0.0/0
DROP all -- 117.199.191.0/24 0.0.0.0/0
DROP all -- 59.98.137.219 0.0.0.0/0
DROP all -- 59.93.197.44 0.0.0.0/0
DROP all -- 117.198.176.14 0.0.0.0/0
DROP all -- 182.156.251.0/24 0.0.0.0/0
DROP all -- 115.242.141.0/24 0.0.0.0/0
DROP all -- 101.63.201.0/24 0.0.0.0/0
DROP all -- 14.98.74.89 0.0.0.0/0
DROP all -- 115.69.254.0/24 0.0.0.0/0
DROP all -- 1.39.240.197 0.0.0.0/0
DROP all -- 202.155.87.39 0.0.0.0/0
DROP all -- 202.158.84.104 0.0.0.0/0
DROP all -- 110.50.85.0/24 0.0.0.0/0
DROP all -- 180.247.5.12 0.0.0.0/0
DROP all -- 180.243.170.0/24 0.0.0.0/0
DROP all -- 180.247.216.0/24 0.0.0.0/0
DROP all -- 125.165.95.163 0.0.0.0/0
DROP all -- 180.251.176.160 0.0.0.0/0
DROP all -- 110.137.212.184 0.0.0.0/0
DROP all -- 180.244.211.234 0.0.0.0/0
DROP all -- 79.127.0.0/17 0.0.0.0/0
DROP all -- 46.100.128.43 0.0.0.0/0
DROP all -- 81.12.40.120 0.0.0.0/0
DROP all -- 84.94.78.217 0.0.0.0/0
DROP all -- 85.20.32.87 0.0.0.0/0
DROP all -- 93.63.89.223 0.0.0.0/0
DROP all -- 212.97.32.0/24 0.0.0.0/0
DROP all -- 219.94.193.50 0.0.0.0/0
DROP all -- 23.132.29.45 0.0.0.0/0
DROP all -- 79.140.228.27 0.0.0.0/0
DROP all -- 195.93.208.202 0.0.0.0/0
DROP all -- 2.134.69.0/24 0.0.0.0/0
DROP all -- 95.57.70.0/24 0.0.0.0/0
DROP all -- 95.57.156.152 0.0.0.0/0
DROP all -- 201.174.34.178 0.0.0.0/0
DROP all -- 105.137.48.33 0.0.0.0/0
DROP all -- 41.250.215.0/24 0.0.0.0/0
DROP all -- 188.121.60.40 0.0.0.0/0
DROP all -- 94.75.201.82 0.0.0.0/0
DROP all -- 182.177.238.0/24 0.0.0.0/0
DROP all -- 39.48.224.0/24 0.0.0.0/0
DROP all -- 39.54.142.0/24 0.0.0.0/0
DROP all -- 39.51.164.0/24 0.0.0.0/0
DROP all -- 182.177.189.0/24 0.0.0.0/0
DROP all -- 182.186.21.0/24 0.0.0.0/0
DROP all -- 39.54.215.0/24 0.0.0.0/0
DROP all -- 182.177.91.0/24 0.0.0.0/0
DROP all -- 182.185.35.214 0.0.0.0/0
DROP all -- 182.182.32.124 0.0.0.0/0
DROP all -- 182.183.202.0/24 0.0.0.0/0
DROP all -- 119.155.21.0/24 0.0.0.0/0
DROP all -- 202.165.198.0/24 0.0.0.0/0
DROP all -- 190.237.191.0/24 0.0.0.0/0
DROP all -- 201.240.232.206 0.0.0.0/0
DROP all -- 124.107.39.96 0.0.0.0/0
DROP all -- 31.63.85.121 0.0.0.0/0
DROP all -- 78.9.44.40 0.0.0.0/0
DROP all -- 89.74.98.14 0.0.0.0/0
DROP all -- 109.166.128.3 0.0.0.0/0
DROP all -- 92.84.205.223 0.0.0.0/0
DROP all -- 92.83.33.28 0.0.0.0/0
DROP all -- 83.222.3.90 0.0.0.0/0
DROP all -- 46.20.187.14 0.0.0.0/0
DROP all -- 188.168.92.65 0.0.0.0/0
DROP all -- 46.50.183.5 0.0.0.0/0
DROP all -- 46.17.97.0/24 0.0.0.0/0
DROP all -- 81.176.0.0/15 0.0.0.0/0
DROP all -- 213.59.0.0/16 0.0.0.0/0
DROP all -- 2.88.190.101 0.0.0.0/0
DROP all -- 82.214.92.0/24 0.0.0.0/0
DROP all -- 109.106.243.119 0.0.0.0/0
DROP all -- 203.211.149.190 0.0.0.0/0
DROP all -- 116.15.108.60 0.0.0.0/0
DROP all -- 121.171.243.76 0.0.0.0/0
DROP all -- 112.156.97.36 0.0.0.0/0
DROP all -- 85.53.71.27 0.0.0.0/0
DROP all -- 41.95.103.0/24 0.0.0.0/0
DROP all -- 114.42.154.33 0.0.0.0/0
DROP all -- 122.118.51.251 0.0.0.0/0
DROP all -- 114.26.165.82 0.0.0.0/0
DROP all -- 140.92.88.31 0.0.0.0/0
DROP all -- 61.19.66.30 0.0.0.0/0
DROP all -- 61.19.246.92 0.0.0.0/0
DROP all -- 197.2.38.0/24 0.0.0.0/0
DROP all -- 178.211.38.0/24 0.0.0.0/0
DROP all -- 195.226.215.0/24 0.0.0.0/0
DROP all -- 178.137.28.0/24 0.0.0.0/0
DROP all -- 109.207.202.156 0.0.0.0/0
DROP all -- 91.207.210.62 0.0.0.0/0
DROP all -- 178.158.100.0/24 0.0.0.0/0
DROP all -- 31.40.224.202 0.0.0.0/0
DROP all -- 213.238.20.228 0.0.0.0/0
DROP all -- 94.200.1.197 0.0.0.0/0
DROP all -- 184.73.237.95 0.0.0.0/0
DROP all -- 149.169.125.107 0.0.0.0/0
DROP all -- 32.88.197.196 0.0.0.0/0
DROP all -- 12.192.107.190 0.0.0.0/0
DROP all -- 68.68.22.236 0.0.0.0/0
DROP all -- 97.87.88.46 0.0.0.0/0
DROP all -- 98.242.217.240 0.0.0.0/0
DROP all -- 75.68.163.125 0.0.0.0/0
DROP all -- 66.231.84.242 0.0.0.0/0
DROP all -- 208.67.100.12 0.0.0.0/0
DROP all -- 199.47.148.0/22 0.0.0.0/0
DROP all -- 76.12.235.50 0.0.0.0/0
DROP all -- 67.210.12.12 0.0.0.0/0
DROP all -- 216.245.200.53 0.0.0.0/0
DROP all -- 74.63.219.42 0.0.0.0/0
DROP all -- 35.3.108.108 0.0.0.0/0
DROP all -- 199.189.249.84 0.0.0.0/0
DROP all -- 207.46.232.182 0.0.0.0/0
DROP all -- 208.86.228.222 0.0.0.0/0
DROP all -- 207.29.253.170 0.0.0.0/0
DROP all -- 159.182.172.171 0.0.0.0/0
DROP all -- 173.244.158.199 0.0.0.0/0
DROP all -- 184.82.8.145 0.0.0.0/0
DROP all -- 64.127.130.53 0.0.0.0/0
DROP all -- 67.151.191.13 0.0.0.0/0
DROP all -- 70.34.195.44 0.0.0.0/0
DROP all -- 67.215.238.10 0.0.0.0/0
DROP all -- 184.95.51.40 0.0.0.0/0
DROP all -- 66.85.190.124 0.0.0.0/0
DROP all -- 184.154.217.135 0.0.0.0/0
DROP all -- 173.97.3.159 0.0.0.0/0
DROP all -- 206.169.24.73 0.0.0.0/0
DROP all -- 74.54.220.199 0.0.0.0/0
DROP all -- 184.173.186.57 0.0.0.0/0
DROP all -- 184.173.165.235 0.0.0.0/0
DROP all -- 184.173.172.117 0.0.0.0/0
DROP all -- 76.164.224.0/20 0.0.0.0/0
DROP all -- 76.164.192.0/19 0.0.0.0/0
DROP all -- 72.26.195.73 0.0.0.0/0
DROP all -- 98.126.179.14 0.0.0.0/0
DROP all -- 208.79.210.187 0.0.0.0/0
DROP all -- 209.160.24.136 0.0.0.0/0
DROP all -- 186.88.94.122 0.0.0.0/0
DROP all -- 113.22.119.248 0.0.0.0/0
DROP all -- 115.77.86.0 0.0.0.0/0
DROP all -- 113.168.111.0/24 0.0.0.0/0
DROP all -- 113.162.56.0/24 0.0.0.0/0
DROP all -- 46.161.86.0/24 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 169.254.0.0/16 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
DROP all -- 240.0.0.0/5 0.0.0.0/0
DROP all -- 239.255.255.0/24 0.0.0.0/0
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 LOG flags 0 level 4
LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:21 LOG flags 0 level 4

J Murphy
  • If you're not too iptables savvy, could I suggest using ConfigServer Firewall. It's free, exceptionally easy to install and straightforward to configure. – Ben Lessani Mar 16 '12 at 22:03

3 Answers


From what you have posted, you are only dropping traffic that is either from 81.176.0.0/15 or is in an INVALID state. You do have other drop entries, but they are not reached. Are there other rules that might be relevant? I see no LOG targets, but you're showing me logs.

Please paste your full ruleset.

Jeff Ferland

The source port is 80 for these connections and the flags are ACK SYN, which means that your machine sent SYN to port 80 of those hosts and thus initiated a connection.

Often there's a rule at the top that allows RELATED and ESTABLISHED sessions, and these probably match that rule. Might this be the case?

Please post your full config; a part of a chain doesn't make any sense.

3molo
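The direction test 3molo applies by eye can be run over the whole log. The script below is an added example, not part of the question or any answer: it reads the standard iptables LOG line format (the SRC=, DST=, PROTO=, SPT=, DPT= fields and the separate SYN / ACK flag tokens, exactly as in the question's entries) and labels each TCP line as an inbound connection attempt (SYN only), a reply to a connection this host opened (SYN+ACK arriving from the remote's service port), or mid-connection traffic. The first sample line is copied from the question; the second is a constructed inbound SYN to port 22 for contrast.

```shell
#!/bin/sh
# Added example (not from the original post): classify iptables LOG lines by
# TCP handshake direction, so "someone is connecting to me" can be told apart
# from "I connected to someone and this is their reply".

classify_log_line() {
    printf '%s\n' "$1" | awk '
    {
        src = ""; dst = ""; spt = ""; dpt = ""; proto = ""; syn = 0; ack = 0
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^SPT=/)   spt   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i == "SYN")    syn   = 1
            else if ($i == "ACK")    ack   = 1
        }
        if (proto != "TCP") { print "non-tcp"; exit }
        # SYN without ACK: the remote side is opening a connection to us.
        if (syn && !ack) { print "inbound-attempt " src ":" spt " -> " dst ":" dpt; exit }
        # SYN+ACK: second step of the handshake, so WE sent the first SYN.
        # Printed as local -> remote to make the real initiator obvious.
        if (syn && ack)  { print "reply-to-outbound " dst ":" dpt " -> " src ":" spt; exit }
        # Anything else is mid-connection traffic; one line cannot tell who started it.
        print "established " src ":" spt " -> " dst ":" dpt
    }'
}

# Summarize a whole log on stdin: one line per remote host and class, with counts.
# Lines without PROTO=TCP (including syslog's "last message repeated N times") are skipped.
summarize_log() {
    while IFS= read -r line; do
        case "$line" in
            *PROTO=TCP*) ;;
            *) continue ;;
        esac
        src=$(printf '%s\n' "$line" | sed -n 's/.* SRC=\([^ ]*\).*/\1/p')
        cls=$(classify_log_line "$line" | cut -d' ' -f1)
        printf '%s %s\n' "$src" "$cls"
    done | sort | uniq -c | sort -rn
}

# Sample input: first line copied from the question's log; second line is a
# constructed inbound SYN (a remote host probing our port 22) for contrast.
SAMPLE_REPLY='Mar 16 04:00:01 srv01 kernel: IN=eth0 OUT= MAC=00:14:22:73:02:3d:68:ef:bd:2c:67:bf:08:00 SRC=91.121.123.94 DST=174.133.52.170 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=80 DPT=52560 WINDOW=5792 RES=0x00 ACK SYN URGP=0'
SAMPLE_INBOUND='Mar 16 04:05:00 srv01 kernel: IN=eth0 OUT= MAC=00:14:22:73:02:3d:68:ef:bd:2c:67:bf:08:00 SRC=203.0.113.7 DST=174.133.52.170 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12345 DF PROTO=TCP SPT=41000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

classify_log_line "$SAMPLE_REPLY"     # reply-to-outbound 174.133.52.170:52560 -> 91.121.123.94:80
classify_log_line "$SAMPLE_INBOUND"   # inbound-attempt 203.0.113.7:41000 -> 174.133.52.170:22
printf '%s\n%s\n' "$SAMPLE_REPLY" "$SAMPLE_INBOUND" | summarize_log
```

On a real box run `grep 'IN=eth0' /var/log/messages | summarize_log` (or `journalctl -k | summarize_log`). Every line in the question classifies as reply-to-outbound: the local ephemeral port (52560, 47146, 35781) is the DPT and the remote's port 80 is the SPT, so a DROP on the remote source address in INPUT is the wrong place to look for the cause. The "last message repeated N times" lines are not counted, so treat the totals as a lower bound.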

It appears you want a reject or drop policy on your chains. The default is accept. As others have noted RELATED and ESTABLISHED connections will be accepted.

From the looks of your rules you are establishing rules piece by piece rather than with policies and rules. Try installing Shorewall firewall. It is packaged for many distributions. The documentation is good and there are working example configurations for 1, 2, and 3 interfaces. This covers standalone systems, firewalls, and firewalls with a DMZ.

BillThor
  • Yes, piecing it together is the easiest ATM. – J Murphy Mar 19 '12 at 20:05
  • You may get better results building a defined set of rules. Try logging traffic which you are passing that is now specifically allowed. This is easy to do with Shorewall. – BillThor Mar 20 '12 at 04:04
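BillThor's point about policies rather than piecemeal rules, combined with 3molo's observation that the server is the initiator, leads to a ruleset shaped differently from the one in the question. The script below is an added example, not the poster's ruleset and not Shorewall output. It prints iptables commands rather than executing them so the result can be reviewed first (`sh ruleset.sh` to read, `sh ruleset.sh | sudo sh` to apply). The interface name eth0 and the blocked hosts come from the question's logs; the two admin source addresses are taken from the question's accept rules; the list of public TCP ports and the outbound allowances are hypothetical placeholders. The rules depend on the `conntrack` match, which is standard on any kernel recent enough to be running this.

```shell
#!/bin/sh
# Added example (not the poster's ruleset): a small policy-based ruleset that
# makes per-host blocks work in BOTH directions. Prints the commands; pipe to
# a root shell to apply.

# Assumptions (adjust for the real host):
IFACE=eth0
ADMIN_SRC="96.228.70.3 75.125.126.8"                 # may open SSH (from the question's accept rules)
PUBLIC_TCP="80 443"                                  # hypothetical: services exposed to everyone
BLOCKED="91.121.123.94 83.222.3.90 213.59.0.0/16"    # hosts seen in the question's logs

ipt() { printf 'iptables %s\n' "$*"; }

emit_ruleset() {
    ipt -F INPUT
    ipt -F OUTPUT
    # 1. Default deny. A packet is accepted only if a rule says so, which removes
    #    the need for the "allow all at the bottom" the question relies on.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # 2. Blocklist FIRST, in both chains, above any ESTABLISHED rule: a blocked host
    #    can neither reach us nor be contacted by us, and its SYN-ACK replies never
    #    get the chance to match ESTABLISHED.
    for host in $BLOCKED; do
        ipt -A INPUT  -i "$IFACE" -s "$host" -j LOG --log-prefix "\"BLOCKED-IN: \""
        ipt -A INPUT  -i "$IFACE" -s "$host" -j DROP
        ipt -A OUTPUT -o "$IFACE" -d "$host" -j LOG --log-prefix "\"BLOCKED-OUT: \""
        ipt -A OUTPUT -o "$IFACE" -d "$host" -j DROP
    done
    # 3. Traffic belonging to connections permitted by the NEW rules below.
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT  -m conntrack --ctstate INVALID -j DROP
    # 4. What the host offers, and to whom.
    for port in $PUBLIC_TCP; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    for src in $ADMIN_SRC; do
        ipt -A INPUT -i "$IFACE" -p tcp -s "$src" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    done
    # 5. What the host itself may open (hypothetical minimum: DNS and NTP). A local
    #    process opening port 80 on an arbitrary host is logged and dropped instead
    #    of silently succeeding, which is what the question's logs show happening.
    ipt -A OUTPUT -o "$IFACE" -p udp --dport 53  -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp --dport 53  -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p udp --dport 123 -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "\"OUTBOUND-NEW: \""
    # 6. Everything else is logged (rate limited) before the DROP policy discards it.
    ipt -A INPUT -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "\"INBOUND-NEW: \""
}

# Review check: every blocked host gets a DROP in both INPUT (as source) and OUTPUT (as destination).
blocked_both_ways() {
    out=$(emit_ruleset)
    for host in $BLOCKED; do
        printf '%s\n' "$out" | grep -q -- "-A INPUT -i $IFACE -s $host -j DROP"  || return 1
        printf '%s\n' "$out" | grep -q -- "-A OUTPUT -o $IFACE -d $host -j DROP" || return 1
    done
    return 0
}

emit_ruleset
```

Before applying, save the current state with `iptables-save > /root/iptables.before` and, when working over SSH, arm a rollback such as `sleep 120 && iptables-restore < /root/iptables.before &` so a mistake in the admin list cannot lock you out. The ordering matters: a per-host DROP placed below an ESTABLISHED,RELATED accept never sees the SYN-ACKs in the question's log, which is the symptom the poster describes. Since those SYN-ACKs are answers to connections the server opened, the firewall is treating a symptom: `ss -tnp '( dport = :80 )'` (or `netstat -ntp` on older systems) names the local process holding those port-80 connections, and `iptables -nvL INPUT --line-numbers` shows which rule's counters move for a given host. For blocklists of more than a few dozen entries, an `ipset` referenced from one rule in each chain scales better than one rule per host.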