IPtables Rules to Block IP Range

I've applied the following rules from a text file called "iptables.save" to iptables.

But to my dismay, I found that the IP address 107.22.26.176 is still able to access my server via TCP.

What did I do wrong? Is the order of the rules incorrect?

Thank you for any advice.

iptables.save
===================

*filter

-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -s 107.20.0.0/14 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT

Update1: Here's the output of iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             loopback/8          reject-with icmp-port-unreachable 
DROP       all  --  ec2-107-20-0-0.compute-1.amazonaws.com/14  anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: ' 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere 

Update2: I think I know why. I use Cloudflare to resolve my domain name, so iptables only sees Cloudflare's IP addresses instead of the visitors' IPs. My question now is, is there a way for iptables to see the real IPs? Thanks.

GooDoo

Posted 2013-04-09T08:51:28.177

Reputation: 187

So you ran iptables-restore < iptables.save and it's not working? Can you post the output of iptables -L? – Stefan Seidel – 2013-04-09T09:19:55.423

Yes, I've refreshed my firewall with the command. The output of iptables -L is updated as above. Thanks for your help. – GooDoo – 2013-04-09T09:32:16.883

Answers

Answering the second question - your reverse proxy (as I assume that's what cloudflare is) should be giving you an HTTP header telling you the actual connecting IP — x-forwarded-for.

http://en.wikipedia.org/wiki/X-Forwarded-For

However, that means iptables is not the right tool for the job. You need to filter these connections at the application level (in your webserver config, based on the value of that http header). Or maybe cloudflare has their own way to block IPs at the perimeter.

Julian

Posted 2013-04-09T08:51:28.177

Reputation: 341
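As an added example (not code from Julian's answer or the original post), here is the application-level check the answer describes, in Python: the same 107.20.0.0/14 block from iptables.save is applied to the client address recovered from X-Forwarded-For, trusting only hops appended by a known proxy. The trusted-proxy range 198.51.100.0/24 is a constructed placeholder standing in for Cloudflare's published ranges, and the function names are assumed.

```python
import ipaddress
from typing import Optional

# The range the question's iptables.save drops (107.20.0.0 - 107.23.255.255).
BLOCKED_NETWORKS = [ipaddress.ip_network("107.20.0.0/14")]

# Constructed placeholder for the reverse proxy's address ranges. In the
# question's setup this would be Cloudflare's published list, not this value.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def is_trusted_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address policy should apply to.

    remote_addr is the TCP peer, i.e. what the kernel and iptables see.
    Each proxy appends the address it received the connection from, so the
    header reads "client, proxy1, proxy2, ...". Walk it from the right,
    discarding hops we trust; the first untrusted hop is the client. Anything
    left of it was supplied by the client and is ignored.
    """
    if not is_trusted_proxy(remote_addr) or not xff_header:
        return remote_addr  # direct connection: the header is untrusted input
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr  # every hop was a trusted proxy


def is_blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)


def should_reject(remote_addr: str, xff_header: Optional[str]) -> bool:
    """Decision a webserver or middleware would make before serving."""
    return is_blocked(real_client_ip(remote_addr, xff_header))
```

With this logic the rule in iptables.save still covers direct connections from the range, while requests arriving through the proxy are judged on the recovered client address rather than the proxy's.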

The first INPUT rule should not be 'Accept all'. All the other rules lose effect then. Try putting the first rule of iptables.save at the end or just delete it. Then do the restore command again.

Alternatively you can enter:

iptables -D INPUT -i lo -j ACCEPT

in the terminal

Circuit in the wall

Posted 2013-04-09T08:51:28.177

Reputation: 101

Thanks @SomeBloke. Would it be the same if I move -A INPUT -s 107.20.0.0/14 -j DROP to the top of iptables.save? – GooDoo – 2013-04-09T10:02:35.697

Well, then you would just block all rules except one. I suggest removing 'accept all' rule completely, since default behavior for packets that don't meet any rules is ACCEPT.

P.S. Did it work? I'm not completely sure it will :) – Circuit in the wall – 2013-04-09T19:06:34.507