
I cannot deny access to FTP for an IP address.

First of all I needed to deny everything, so I did it like this:

#iptables -F
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP

Then I opened FTP:

#modprobe ip_conntrack_ftp
#iptables -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -p ALL -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

The above works, but I have also tried this one too:

#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.5.110 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp -s 192.168.5.110 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.5.110 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -p tcp -s 192.168.5.110 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp -s 192.168.5.110 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 20 -m state --state ESTABLISHED -j ACCEPT

Now I need to deny one IP so that one computer cannot access FTP, let's say 192.168.5.9:

#iptables -A INPUT -s 192.168.5.9 -d 192.168.5.110 -p tcp -m tcp --dport 21 -j DROP

I have also tried this:

#iptables -A INPUT -p tcp -s 192.168.5.9 --dport 21 -j DROP

And it says in iptables -L that it is dropped, but when I use FileZilla it goes through. I have dropped ports 20, 21, 22.

So why is the connection being permitted when the rules should be dropping it?

Zoredache
Mike

1 Answer

The important thing to realize here is that firewall rules within a single table are processed in order. As soon as a match is found, processing stops for that chain and the action is taken.

So what you probably need to do is put your DROP for FTP from that IP address before the general rule that permits FTP. The -A appends a rule to a chain. What you probably want is -I to insert the rule into a chain. By default the rule is inserted at the top of the chain when you use -I, but you can also pass a number that will place it ahead of the rule number you specified.

Zoredache
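To see why the appended DROP never fires while an inserted one does, here is an added Python model of first-match chain processing (example code, not from the answer or from iptables itself); the Rule and Chain classes and the second host 192.168.5.7 are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:  # one iptables rule; None means 'any' for that match
    target: str                      # -j ACCEPT or DROP
    proto: Optional[str] = None      # -p
    src: Optional[str] = None        # -s
    dport: Optional[int] = None      # --dport
    states: frozenset = frozenset()  # -m state --state (empty = any)

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.src is None or pkt["src"] == self.src)
                and (self.dport is None or pkt["dport"] == self.dport)
                and (not self.states or pkt["state"] in self.states))

class Chain:  # first match wins; the policy applies only when nothing matches
    def __init__(self, policy: str = "DROP"):
        self.policy, self.rules = policy, []
    def append(self, rule: Rule) -> None:                # iptables -A INPUT ...
        self.rules.append(rule)
    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I INPUT [pos] ...
        self.rules.insert(pos - 1, rule)
    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

# The question's INPUT rules, plus constructed FTP SYNs from two LAN hosts.
ACCEPT_FTP = Rule("ACCEPT", proto="tcp", dport=21, states=frozenset({"NEW"}))
ACCEPT_EST = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
DROP_HOST = Rule("DROP", proto="tcp", src="192.168.5.9", dport=21)
BLOCKED_SYN = {"proto": "tcp", "src": "192.168.5.9", "dport": 21, "state": "NEW"}
OTHER_SYN = {"proto": "tcp", "src": "192.168.5.7", "dport": 21, "state": "NEW"}

def verdict_with_append() -> str:
    """-A puts the DROP after ACCEPT_FTP, so the blocked host's SYN is accepted."""
    chain = Chain()
    for rule in (ACCEPT_FTP, ACCEPT_EST, DROP_HOST):
        chain.append(rule)
    return chain.verdict(BLOCKED_SYN)

def verdict_with_insert(pos: int = 1) -> tuple:
    """-I places the DROP at rule number pos; only pos 1 precedes ACCEPT_FTP."""
    chain = Chain()
    chain.append(ACCEPT_FTP)
    chain.append(ACCEPT_EST)
    chain.insert(DROP_HOST, pos)
    return chain.verdict(BLOCKED_SYN), chain.verdict(OTHER_SYN)
```

Calling verdict_with_insert(3) shows the same failure as -A: a DROP placed after the rule that accepts NEW connections to port 21 is never reached.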