IP tables blocking access to most hosts but some accesses being logged
Posted
by epo
on Server Fault
See other posts from Server Fault
or by epo
Published on 2010-05-23T17:53:41Z
Indexed on
2010/05/24
2:32 UTC
Read the original article
Hit count: 286
What am I getting wrong? A while back I locked down my web hosting service while hardening it or at least trying to. Apache listens on port 80 only and I set up iptables using the following:
IPS="list of IPs"
iptables --new-chain webtest
# Accept all established connections
iptables -A INPUT --protocol tcp --dport 80 --jump webtest
iptables -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables -A webtest --match state --state ESTABLISHED,RELATED --jump ACCEPT
for ip in $IPS; do
iptables -A webtest --match state --state NEW --source $ip --jump ACCEPT
done
iptables -A webtest --jump DROP
However looking at my apache logs I notice various log entries in access_log, e.g.
221.192.199.35 - - [16/May/2010:13:04:31 +0100] "GET http://www.wantsfly.com/prx2.php?hash=926DE27C156B40E55E4CFC8F005053E2D81E6D688AF0 HTTP/1.0" 404 206 "-" "Mozilla/
4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
201.228.144.124 - - [16/May/2010:11:54:16 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
207.46.195.224 - - [16/May/2010:04:06:48 +0100] "GET /robots.txt HTTP/1.1" 200 311 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
How are these slipping through? I don't mind the indexing bots (though I am a little surprised to see them get through). I suppose they must be getting through using the ESTABLISHED,RELATED rules. And no, I can't for the life of me remember why the first match state rule is there
So 2 questions: is there a better way to set up iptables to restrict access to specified hosts? How exactly are these 3 examples slipping through?
© Server Fault or respective owner