- 07-10-2010 #1 (Just Joined!, Join Date Jul 2010, Posts 3)
iptables too many drops!
I'm a beginner with iptables, but I would like to know if all these drops are normal?
Some people from some countries cannot access my web site!
Thanks for your help...
Code:
# iptables -vnL INPUT
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       1.0.0.0/8            0.0.0.0/0
    0     0 DROP       all  --  *      *       2.0.0.0/8            0.0.0.0/0
    0     0 DROP       all  --  *      *       5.0.0.0/8            0.0.0.0/0
    0     0 DROP       all  --  *      *       23.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  *      *       27.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  *      *       31.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  *      *       36.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  *      *       37.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  *      *       39.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  *      *       42.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  *      *       46.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  *      *       94.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  *      *       95.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  *      *       100.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       101.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       102.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       103.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       104.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       105.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       106.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       107.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       108.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       110.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       111.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       112.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       113.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       114.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       115.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       173.0.0.0/8          0.0.0.0/0
    2    96 DROP       all  --  *      *       174.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       175.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       176.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       177.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       178.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       179.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       180.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       181.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       182.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       183.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       184.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       185.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       186.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       187.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       197.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       223.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       240.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       241.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       242.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       243.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       244.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       245.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       246.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       247.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       248.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       249.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       250.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       251.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       252.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       253.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       254.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       255.0.0.0/8          0.0.0.0/0
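An added diagnostic script (editor's example, not posted by anyone in the thread): fed the output of `iptables -vnL INPUT`, it lists every DROP rule whose source range covers a given visitor address, which is the quickest way to confirm that one of these /8 blocks is what keeps a country out. It assumes bash; the embedded sample is a constructed excerpt of the listing above, and the observation that these /8s match the IANA-unallocated ("bogon") list of around 2008, which APF installs when BLK_RESNET is enabled in conf.apf, is the editor's reading, not something the posters confirm.

```bash
#!/bin/bash
# Report which INPUT DROP rules would match a visitor's IPv4 address.
# Reads "iptables -vnL INPUT" output on stdin; prints matching sources.

# Constructed sample: a few rows taken from the listing in post #1.
SAMPLE='pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 1.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 23.0.0.0/8 0.0.0.0/0
2 96 DROP all -- * * 174.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 240.0.0.0/8 0.0.0.0/0'

# Convert a dotted quad to a 32-bit integer (leading zeros not supported).
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside CIDR $2 (a.b.c.d/n or a bare address).
in_cidr() {
    local net=${2%/*} bits=${2#*/} mask
    [ "$bits" = "$2" ] && bits=32            # no prefix length given
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print the source of every DROP rule matching client $1, reading the
# iptables listing from stdin; exit status 1 if no rule drops the client.
dropping_rules() {
    local client=$1 n=0 pkts bytes target proto opt ifin ifout src rest
    while read -r pkts bytes target proto opt ifin ifout src rest; do
        [ "$target" = DROP ] || continue     # header and ACCEPT rows skipped
        in_cidr "$client" "$src" || continue
        echo "$src"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Against the sample, a visitor from 174.16.0.1 is caught by 174.0.0.0/8.
echo "$SAMPLE" | dropping_rules 174.16.0.1
```

On a live box, replace the sample with `iptables -vnL INPUT | dropping_rules <visitor ip>`; a visitor whose address lands in one of the listed /8s will show that rule, and an empty result means the block is elsewhere.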
- 07-14-2010 #2 (Just Joined!, Join Date Jul 2010, Posts 53)
No, that does not look normal.
If you don't know iptables, maybe it would be simpler to use the tcp_wrapper features and /etc/hosts.allow and /etc/hosts.deny.
If the only access you want to control is to your website, then the authorization controls for your web server should be enough?
- 07-14-2010 #3
This is pretty odd. This machine would block packets from almost all existing IP addresses except a few subnets like 224.*.*.* or 225.*.*.* ... anyhow, not what a server should do unless you are in China.

Seriously, if you didn't set these things up or took over the server administration from someone else, consider checking for rootkits, and if that is hard, consider flushing and re-installing the machine. This looks REALLY suspicious, even if it may be perfectly wanted behaviour that we, due to lack of information, can't comprehend.
- 07-14-2010 #4 (Just Joined!, Join Date Jul 2010, Posts 3)
Thanks for your reply.
I deleted a few lines, e.g.
Code:
iptables -D INPUT 2
iptables -D INPUT 3
iptables -D INPUT 4
iptables -D INPUT 5
...
But each time I start APF with /usr/local/sbin/apf -s these lines come back!!!
So I went to internals/.apf.restore and I found
Code:
-A INPUT -s 1.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 2.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 5.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 23.0.0.0/255.0.0.0 -j DROP
...
-A OUTPUT -d 1.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -d 2.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -d 5.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -d 23.0.0.0/255.0.0.0 -j DROP
...
How can I delete these lines forever from the APF restore?
Thanks for your help...
- 07-14-2010 #5
Nice, you figured out the source of the misconfiguration. The next step is to configure the thingy properly. The configuration file should be there:
Code:
/etc/apf/conf.apf
Look up the man pages and web resources on how to configure it.
- 07-14-2010 #6 (Just Joined!, Join Date Jul 2010, Posts 3)
- 07-14-2010 #7
If you can pay the bill.

Seriously: I'm busy for the next 36 hours. No can do until then. Maybe later, but can't promise that. You may learn something on your own.
It's fun and makes you wiser!

