IPtables blacklist- should it be inserted at the TOP of the INPUT chain?

[Deleted member 27741]

I have been annoyed by the U of Mich grad students poking at my router. So I added a couple drop rules to iptables (with script firewall-start) like so-

iptables -A INPUT -i br0 -s 141.212.121.0/24 -j DROP
iptables -A INPUT -i br0 -s 141.212.122.0/24 -j DROP

This did not work. I think this is because I am incorrectly using iptables. Blacklist rules need to go at the top, am I correct? Or else they will be let through by the same rule that let them in before and your nifty blacklist rules at the bottom of iptables will not ever get used? I changed the rules to-

iptables -I INPUT 1 -i br0 -s 141.212.121.0/24 -j DROP
iptables -I INPUT 1 -i br0 -s 141.212.122.0/24 -j DROP

Will these work? I will eventually be upgrading to an ipsets solution- should the rule that calls the ipset files be put at the top of the INPUT chain as well if it contains a blacklist?

 

[ColinTaylor]

????? So the students are already connected to your LAN (-i br0) and the LAN network is 141.212.xxx.yyy ???

Seems unlikely.

 

[Deleted member 27741]

Wait. Of course I wanted WAN (for some reason I thought br0 would catch WAN as well)! What is N66U WAN if you happen to know off hand?

 

[ColinTaylor]

I think you're after something like this:

iptables -I INPUT -s 42.120.128.0/17 -j logdrop

No need to specify an interface but if you want to it's eth0.

 

[Deleted member 27741]

Thanks you kind sir. Log drop logs it in syslog and drops it, I presume!

iptables -I INPUT 1 -i eth0 -s 141.212.122.0/24 -j logdrop

So, forgetting about my borked rules- should blacklist iptables rules go at the top or does that not matter?

 

[ColinTaylor]

Thanks you kind sir. Log drop logs it in syslog and drops it, I presume!

Correct

should blacklist iptables rules go at the top or does that not matter?

Yes, it must go at the top/start/head of the chain.

BTW "-I INPUT 1" is the same as "-I INPUT".

http://ipset.netfilter.org/iptables.man.html

 

[Deleted member 27741]

Is there a way to rebuild the iptables rules while logged on? The only way I know how to reset the tables is to reboot and I have vpn users connected a lot so rebooting pisses them off.

 

[ColinTaylor]

Is there a way to rebuild the iptables rules while logged on? The only way I know how to reset the tables is to reboot and I have vpn users connected a lot so rebooting pisses them off.

Probably, but I don't know how.

If it's just a few rules you can add and remove them individually from the command line. i.e. if you had added the following rule:

iptables -A INPUT -i br0 -s 141.212.121.0/24 -j DROP

You can delete it with:

iptables -D INPUT -i br0 -s 141.212.121.0/24 -j DROP

Type "iptables-save" to see all the current rules.

 

[john9527]

Is there a way to rebuild the iptables rules while logged on?

Try
service restart_firewall

 

[Deleted member 27741]

I can't get my rules at the top. When I enter the command by way of firewall-start

iptables -I INPUT 1 -i eth0 -s 141.212.122.0/24 -j logdrop

the rule ends up as the FIFTH rule in the chain. Do I need to wait for a while before adding the rule or something?

 

[Deleted member 27741]

Ok. So I think I know what is going on here? Shortly after booting (like within 30 seconds), the rules are on top-

1 0 0 logdrop all -- eth0 any 141.212.122.0/24 anywhere
2 0 0 logdrop all -- eth0 any 141.212.121.0/24 anywhere
3 0 0 DROP udp -- any any anywhere anywhere udp dpt:9999

But after a bit of time, the rules get bumped down, like so-
1 0 0 ACCEPT all -- tap22 any anywhere anywhere
2 0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:www
3 0 0 ACCEPT all -- tap21 any anywhere anywhere
4 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
5 0 0 logdrop all -- eth0 any 141.212.122.0/24 anywhere
6 0 0 logdrop all -- eth0 any 141.212.121.0/24 anywhere
7 3 1620 DROP udp -- any any anywhere anywhere udp dpt:9999

I am assuming the rules get inserted in at the top when the vpn servers start? Should that be happening sooner in boot if the servers are on or is that not possible?

 

[Deleted member 27741]

Yeah, so I have a 60 second sleep command in my firewall-start to get my blacklist rules at the top. I could probably cut it a bit shorter but I prefer to give the router time to bring up both openvpn servers and apparently that takes awhile!

I am a bit surprised at this behavior. Considering how iptables works (blacklists being best at the very top) would it not be better to append rules of this sort to the INPUT chain instead of inserting them at the top?

Also something I did not realize, if you disable an openvpn server and re-enable it the rules are again placed at the very top of the chain.

****Edit****
Well, now I see why append is a bad idea. Added rules end up at the bottom of the list after the drop all. That won't work!