Bizarre... IP blocking with IPtables doesn't work for me

Discussion in 'Security' started by Jeffr2014, Apr 11, 2015.

  1. #1
    I was blocking some spam bots using iptables but noticed this morning that requests from blocked IPs still get through and are served a 200 OK response (rather than the 403 that I'd expect). For example, this morning I got many GET requests from these IPs:
    37.187.162.126
    37.187.162.165
    37.187.162.178
    37.187.162.186
    37.187.162.187
    37.187.162.193
    37.187.165.195
    37.187.165.31
    37.187.165.37
    37.187.167.30
    37.187.167.33
    37.59.18.190
    37.59.19.32

    and they all resulted in HTTP 200 or 301 even though I have these 2 records in iptables:
    DROP all -- 37.187.160.0/21 anywhere
    DROP all -- 37.59.18.0/23 anywhere

    I am totally puzzled... Any ideas?
     
    Jeffr2014, Apr 11, 2015 IP
  2. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #2
    I'm a little unsure whether the rules you've added are correct - I'm not that familiar with iptables, but I'm just wondering if the /21 will work with the .160.0 bit, and likewise the .18.0/23 - if I'm not mistaken, you have to block the whole octet (i.e., have the number at .0 and then match with the subnet mask) - that might be completely wrong, of course.
    I.e., to block the IP ranges .160.0 to .162.0 you'd have to have three rules with .160.0/24, .161.0/24 and .162.0/24 - but again, I dunno if that is correct.
     
    PoPSiCLe, Apr 11, 2015 IP
  3. Jeffr2014

    Jeffr2014 Active Member

    Messages:
    254
    Likes Received:
    18
    Best Answers:
    0
    Trophy Points:
    55
    #3
    No, it's supposed to work: /21 blocks 8 C-classes, 37.187.160.* to .167.*, and /23 blocks 2 C-classes, 37.59.18.* and 37.59.19.* (see http://www.oav.net/mirrors/cidr.html).

    One thing I realized is that I didn't restart the server after changing the iptables yesterday morning... maybe that is the reason...? I am not sure whether Apache is smart enough to detect changes in the file and load it into memory... though maybe this is intentional; the changes to config files aren't frequent, so it may be better for performance reasons to load these on startup only. Will try to restart tonight and see if it helps.
     
    Jeffr2014, Apr 11, 2015 IP
  4. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #4
    Apache has to be restarted after every change for it to take effect - the config is only parsed at startup - I assume the same goes for any changes to third-party systems that are used by Apache?
     
    PoPSiCLe, Apr 11, 2015 IP
  5. kimix

    kimix Member

    Messages:
    46
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    41
    #5
    There is no need to restart the server. Just restarting IPtables will do the job.
     
    kimix, Apr 17, 2015 IP
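Two things in this thread are worth checking with code rather than by eye: whether the two CIDR rules actually cover the listed source addresses (post #3's claim), and what happens to a DROP rule that sits after an ACCEPT rule in the same chain. iptables evaluates a chain top to bottom and the first matching rule decides the packet, so a `-A INPUT ... -j DROP` appended below an existing `-j ACCEPT` for port 80 (or a connection-state ACCEPT) is never reached for web traffic; the kernel applies rules as soon as the iptables command runs, and Apache plays no part in packet filtering. The script below is an added example written for this page, not code from any poster. It uses the two prefixes and the addresses from post #1 as constructed input, and the `MISORDERED` and `FIXED` chain listings are constructed samples in iptables-save syntax; the first-match simulator is a deliberately simplified model that only understands `-s`, `--dport` and `-j`, not iptables itself.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed input: the DROP prefixes and the source addresses quoted in post #1.
BLOCK_RULES = ["37.187.160.0/21", "37.59.18.0/23"]
OBSERVED_IPS = [
    "37.187.162.126", "37.187.162.165", "37.187.162.178", "37.187.162.186",
    "37.187.162.187", "37.187.162.193", "37.187.165.195", "37.187.165.31",
    "37.187.165.37", "37.187.167.30", "37.187.167.33", "37.59.18.190", "37.59.19.32",
]


def covered_by(ip: str, cidrs: List[str]) -> Optional[str]:
    """Return the first prefix in `cidrs` that contains `ip`, or None.

    strict=True rejects a prefix whose host bits are set (e.g. 37.187.161.0/21),
    which is the mistake post #2 was worried about.
    """
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        if addr in ipaddress.ip_network(cidr, strict=True):
            return cidr
    return None


def uncovered(ips: List[str], cidrs: List[str]) -> List[str]:
    """Addresses that no prefix matches; empty means the rules are wide enough."""
    return [ip for ip in ips if covered_by(ip, cidrs) is None]


def parse_rule(line: str) -> Tuple[Optional[ipaddress.IPv4Network], Optional[int], Optional[str]]:
    """Pick the source match, destination port and target out of one '-A' line."""
    tokens = line.split()
    src, dport, target = None, None, None
    i = 0
    while i < len(tokens):
        if tokens[i] == "-s":
            src = ipaddress.ip_network(tokens[i + 1], strict=False)
            i += 2
        elif tokens[i] == "--dport":
            dport = int(tokens[i + 1])
            i += 2
        elif tokens[i] == "-j":
            target = tokens[i + 1]
            i += 2
        else:
            i += 1
    return src, dport, target


def verdict(chain: List[str], ip: str, dport: int, policy: str = "ACCEPT") -> str:
    """First-match walk of an INPUT chain: the first rule whose matches all hold wins.

    Falls through to the chain policy when nothing matches. Simplified model: only
    -s, --dport and -j are understood; other matches (-p, -m state, ...) are ignored.
    """
    addr = ipaddress.ip_address(ip)
    for line in chain:
        if not line.startswith("-A INPUT"):
            continue
        src, port, target = parse_rule(line)
        if src is not None and addr not in src:
            continue
        if port is not None and port != dport:
            continue
        return target or policy
    return policy


# Constructed chain listings (iptables-save syntax). In MISORDERED the DROP rules were
# appended (-A) below an existing port-80 ACCEPT, so web requests never reach them.
MISORDERED = [
    "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT",
    "-A INPUT -s 37.187.160.0/21 -j DROP",
    "-A INPUT -s 37.59.18.0/23 -j DROP",
]
# FIXED is what the chain looks like after inserting the DROPs at the top (iptables -I INPUT 1 ...).
FIXED = [
    "-A INPUT -s 37.187.160.0/21 -j DROP",
    "-A INPUT -s 37.59.18.0/23 -j DROP",
    "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT",
]


if __name__ == "__main__":
    print("uncovered by the two prefixes:", uncovered(OBSERVED_IPS, BLOCK_RULES))
    for ip in ("37.187.162.126", "37.59.19.32"):
        print(ip, "misordered ->", verdict(MISORDERED, ip, 80),
              "| fixed ->", verdict(FIXED, ip, 80))
```

Run as-is it reports that no listed address escapes the two prefixes, then shows the same address being ACCEPTed by the misordered chain and DROPped by the fixed one. On a real host the equivalent check is `iptables -L INPUT -n -v --line-numbers`: the `pkts` counter on the DROP line staying at zero while requests keep arriving is the tell-tale sign that an earlier rule is matching first, and `iptables -I INPUT 1 -s <prefix> -j DROP` puts the rule ahead of it without any service restart.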