I was blocking some spam bots using iptables but noticed this morning that requests from blocked IPs still get through and are served a 200 OK response (rather than the 403 that I'd expect). For example, this morning I got many GET requests from these IPs: 37.187.162.126, 37.187.162.165, 37.187.162.178, 37.187.162.186, 37.187.162.187, 37.187.162.193, 37.187.165.195, 37.187.165.31, 37.187.165.37, 37.187.167.30, 37.187.167.33, 37.59.18.190, 37.59.19.32, and they all resulted in HTTP 200 or 301 even though I have these 2 records in iptables:

DROP all -- 37.187.160.0/21 anywhere
DROP all -- 37.59.18.0/23 anywhere

I am totally puzzled... Any ideas?
I'm a little unsure if the rules you've added are correct - I'm not that familiar with iptables, but I'm just wondering if the /21 will work with the .160.0 bit, and likewise the .18.0/23. If I'm not mistaken, you have to block the whole octet (i.e. have the number at .0 and then match with the subnet mask), but that might be completely wrong, of course. I.e., to block the IP ranges .160.0 to .162.0 you'd have to have three rules with .160.0/24, .161.0/24 and .162.0/24, but again, I dunno if that is correct.
No, it's supposed to work: /21 blocks 8 C-classes, 37.187.160.* to .167.*, and /23 blocks 2 C-classes, 37.59.18.* and 37.59.19.* (see http://www.oav.net/mirrors/cidr.html). One thing I realized is that I didn't restart the server after changing the iptables yesterday morning... maybe that is the reason...? I am not sure whether Apache is smart enough to detect changes in the file and load it into memory... though maybe this is intentional; the changes to config files aren't frequent, so it may be better for performance reasons to load these on startup only. Will try to restart tonight and see if it helps.
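A worked check of the CIDR arithmetic discussed in the two replies above, added here as an example (not code from anyone in the thread): it computes the address range each DROP rule covers with plain mask bit-ops and tests every source IP from the question against the rules, and also against the three /24 rules proposed in the earlier reply. The IP list and rules are copied from the question; nothing else is assumed.

```python
import ipaddress

# Copied from the question: the two DROP rules and the source IPs seen in the log.
DROP_RULES = ["37.187.160.0/21", "37.59.18.0/23"]
SEEN_IPS = [
    "37.187.162.126", "37.187.162.165", "37.187.162.178", "37.187.162.186",
    "37.187.162.187", "37.187.162.193", "37.187.165.195", "37.187.165.31",
    "37.187.165.37", "37.187.167.30", "37.187.167.33", "37.59.18.190",
    "37.59.19.32",
]
# The alternative suggested in the earlier reply (three /24 rules).
SLASH24_RULES = ["37.187.160.0/24", "37.187.161.0/24", "37.187.162.0/24"]


def _mask(prefix):
    """32-bit netmask for a prefix length, e.g. /21 -> 0xFFFFF800."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def cidr_bounds(cidr):
    """Return (first address, last address, number of /24 blocks) covered by a CIDR.

    Done with explicit bit arithmetic so the mask logic is visible: the network
    part is kept by AND-ing with the mask, the broadcast end by OR-ing the
    inverted mask (all host bits set).
    """
    net, prefix = cidr.split("/")
    prefix = int(prefix)
    first = int(ipaddress.IPv4Address(net)) & _mask(prefix)
    last = first | (~_mask(prefix) & 0xFFFFFFFF)
    blocks = 2 ** (24 - prefix) if prefix <= 24 else 0
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(last)), blocks)


def matches(ip, cidr):
    """True if ip falls inside cidr: both masked network parts are equal."""
    net, prefix = cidr.split("/")
    m = _mask(int(prefix))
    return int(ipaddress.IPv4Address(ip)) & m == int(ipaddress.IPv4Address(net)) & m


def uncovered(ips, rules):
    """IPs that no rule in the list covers; empty means the rules are complete."""
    return [ip for ip in ips if not any(matches(ip, r) for r in rules)]


if __name__ == "__main__":
    for rule in DROP_RULES:
        print(rule, "covers", cidr_bounds(rule))
    print("uncovered by /21 + /23:", uncovered(SEEN_IPS, DROP_RULES))
    print("uncovered by three /24s:", uncovered(SEEN_IPS, SLASH24_RULES))
```

An empty result for the two DROP rules means the CIDR arithmetic is not the problem, so the next thing to inspect is rule position and chain (for example with `iptables -L INPUT -n --line-numbers`), since an earlier ACCEPT in the same chain wins.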
Apache has to be restarted after every change for it to take effect - the config is only parsed at startup. I assume the same goes for any changes to third-party systems that are used by Apache as well?