IP tables blocking access to most hosts but some accesses being logged

Posted by epo on Server Fault
Published on 2010-05-23T17:53:41Z


What am I getting wrong? A while back I locked down my web hosting service while hardening it or at least trying to. Apache listens on port 80 only and I set up iptables using the following:

IPS="list of IPs"

# Send all port-80 TCP traffic through a dedicated chain
iptables --new-chain webtest
iptables -A INPUT --protocol tcp --dport 80 --jump webtest
# Accept all established connections
iptables -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables -A webtest --match state --state ESTABLISHED,RELATED --jump ACCEPT

# Allow new connections only from the listed hosts, drop everything else
for ip in $IPS; do
  iptables -A webtest --match state --state NEW --source $ip --jump ACCEPT
done
iptables -A webtest --jump DROP

However looking at my apache logs I notice various log entries in access_log, e.g.

221.192.199.35 - - [16/May/2010:13:04:31 +0100] "GET http://www.wantsfly.com/prx2.php?hash=926DE27C156B40E55E4CFC8F005053E2D81E6D688AF0 HTTP/1.0" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

201.228.144.124 - - [16/May/2010:11:54:16 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"

207.46.195.224 - - [16/May/2010:04:06:48 +0100] "GET /robots.txt HTTP/1.1" 200 311 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"

How are these slipping through? I don't mind the indexing bots (though I am a little surprised to see them get through). I suppose they must be getting through using the ESTABLISHED,RELATED rules. And no, I can't for the life of me remember why the first match state rule is there.

So 2 questions: is there a better way to set up iptables to restrict access to specified hosts? How exactly are these 3 examples slipping through?
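An added audit script (not from the question or any answer) for the second question: it parses Apache combined-format access_log lines and reports every request whose client address is outside the allow-list, which is exactly the traffic a correctly loaded webtest chain should never let reach Apache. The allow-list networks are constructed placeholders standing in for the poster's IPS variable; the three log lines are the ones quoted above.

```python
import ipaddress
import re
from datetime import datetime

# Constructed allow-list standing in for IPS="list of IPs" (documentation
# ranges, not real hosts); CIDR and single addresses are both accepted.
ALLOWED = ("192.0.2.0/24", "198.51.100.7")

# Apache combined log: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# The three access_log entries from the question.
SAMPLE_LOG = """\
221.192.199.35 - - [16/May/2010:13:04:31 +0100] "GET http://www.wantsfly.com/prx2.php?hash=926DE27C156B40E55E4CFC8F005053E2D81E6D688AF0 HTTP/1.0" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
201.228.144.124 - - [16/May/2010:11:54:16 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
207.46.195.224 - - [16/May/2010:04:06:48 +0100] "GET /robots.txt HTTP/1.1" 200 311 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
"""


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_leaks(log_text, allowed=ALLOWED):
    """Return (ip, ISO timestamp, request line) for every parsed request whose
    client address is outside the allow-list, i.e. a NEW connection the webtest
    chain should have dropped.  Unparseable lines are skipped."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed]
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or any(rec["ip"] in net for net in nets):
            continue
        leaks.append((str(rec["ip"]), rec["time"].isoformat(), rec["request"]))
    return leaks


if __name__ == "__main__":
    for ip, when, req in find_leaks(SAMPLE_LOG):
        print(f"{when} {ip} {req}")
```

A hit either predates the moment the rules were loaded or reached Apache by a path the listed rules do not cover, so compare the timestamps against when the script last ran before blaming the state rules.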
