# iptables rules with no effect

## eXtIO

Hi

Currently we are facing a strange problem: we would like to reject all connections to port 51234 on a box:

```
h619600 init.d # iptables -A INPUT -p tcp -i eth0 -s 0.0.0.0/0 --dport 51234 -j REJECT
h619600 init.d # iptables -L -v
Chain INPUT (policy ACCEPT 39M packets, 6132M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:51234 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 71M packets, 17G bytes)
 pkts bytes target     prot opt in     out     source               destination
```

At first sight this should work. But it doesn't:

```
sb@arcadis ~ $ telnet supertaxi.org 51234
Trying 81.169.130.65...
Connected to supertaxi.org.
Escape character is '^]'.
[TS]
```

It seems that the kernel netfilter doesn't work, but we cannot find any issue. Here is some more information about the system:

```
h619600 init.d # emerge --info
Portage 2.1.2.7 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.5-r2, 2.6.20-gentoo-r8 i686)
=================================================================
System uname: 2.6.20-gentoo-r8 i686 AMD Sempron(tm)   2200+
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 09 Jun 2007 10:20:01 +0000
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370
 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx
 via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 io
plug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ARCH="x86"
AUTOCLEAN="yes"
BOOTLEVEL="boot"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O3 -fomit-frame-pointer -ftracer -pipe"
CHOST="i686-pc-linux-gnu"
CLASSPATH="."
CLEAN_DELAY="5"
COLORTERM="Terminal"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/a
pache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/rev
CONSOLE="/dev/console"
CONSOLETYPE="vt"
CRITICAL_SERVICES="checkroot modules checkfs localmount clock bootmisc"
CVS_RSH="ssh"
CXXFLAGS="-march=athlon-xp -O3 -fomit-frame-pointer -ftracer -pipe"
DEFAULTLEVEL="default"
DISPLAY=":1.0"
DISTDIR="/usr/portage/distfiles"
EDITOR="/bin/nano"
ELIBC="glibc"
EMERGE_DEFAULT_OPTS="--ask --verbose"
INIT_VERSION="sysvinit-2.86"
INPUT_DEVICES="keyboard mouse evdev"
JDK_HOME="/etc/java-config-2/current-system-vm"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LESS="-R -M --shift 5"
LOGNAME="root"
LS_COLORS="no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:
;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;
31:*.bz2=01;31:*.bz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=
01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.
gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;3
5:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpe
g=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35
:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01
;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.pdf=00;32:*.ps=0
0;32:*.txt=00;32:*.patch=00;32:*.diff=00;32:*.log=00;32:*.tex=00;32:*.doc=00;32:*.aac=00;36:
*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=0
0;36:*.ra=00;36:*.wav=00;36:"
MAKEOPTS="-j2"
MANPATH="/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/i686-pc-linux-gnu/2.16
.1/man:/usr/share/gcc-data/i686-pc-linux-gnu/4.1.2/man:/etc/java-config/system-vm/man/:/usr/
OLDSOFTLEVEL="boot"
PAGER="/usr/bin/less"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-lin
ux-gnu/gcc-bin/4.1.2:/opt/vmware/workstation/bin"
PKGDIR="/usr/portage/packages"
PORTAGE_ARCHLIST="ppc s390 amd64 x86 ppc64 x86-fbsd m68k arm sparc sh mips ia64 alpha ppc-ma
cos hppa sparc-fbsd"
PORTAGE_BINHOST_CHUNKSIZE="3000"
PORTAGE_BIN_PATH="/usr/lib/portage/bin"
PORTAGE_CONFIGROOT="/"
PORTAGE_DEBUG="0"
PORTAGE_DEPCACHEDIR="/var/cache/edb/dep"
PORTAGE_ELOG_CLASSES="warn error log"
PORTAGE_ELOG_MAILFROM="portage"
PORTAGE_ELOG_MAILSUBJECT="[portage] ebuild log for ${PACKAGE} on ${HOST}"
PORTAGE_ELOG_MAILURI="root"
PORTAGE_GID="250"
PORTAGE_INST_GID="0"
PORTAGE_INST_UID="0"
PORTAGE_PYM_PATH="/usr/lib/portage/pym"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --wh
ole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local
 --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_RSYNC_RETRIES="3"
PORTAGE_TMPDIR="/var/tmp"
PORTAGE_WORKDIR_MODE="0700"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
PREVLEVEL="N"
PWD="/etc/init.d"
PYTHONPATH="/usr/lib/portage/pym"
RESUMECOMMAND="/usr/bin/wget -c -t 5 -T 60 --passive-ftp -P ${DISTDIR} ${URI}"
ROOT="/"
ROOTPATH="/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.1.2:/opt/vmware/workstation/bin"
RPMDIR="/usr/portage/rpm"
RUNLEVEL="3"
SESSION_MANAGER="local/h619600:/tmp/.ICE-unix/5478"
SHELL="/bin/bash"
SHLVL="8"
SOFTLEVEL="default"
STAGE1_USE="nptl nptlonly unicode"
STY="5541.pts-0.h619600"
SVCNAME="vnc"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
TERM="screen"
TERMCAP="SC|screen|VT 100/ANSI X3.64 virtual terminal:\
        :DO=\E[%dB:LE=\E[%dD:RI=\E[%dC:UP=\E[%dA:bs:bt=\E[Z:\
        :ac=\140\140aaffggjjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~..--++,,hhII00:\
        :po=\E[5i:pf=\E[4i:Z0=\E[?3h:Z1=\E[?3l:k0=\E[10~:\
        :k1=\EOP:k2=\EOQ:k3=\EOR:k4=\EOS:k5=\E[15~:k6=\E[17~:\
        :F7=\E[15;2~:F8=\E[17;2~:F9=\E[18;2~:FA=\E[19;2~:kb=^H:\
        :K2=\EOE:kB=\E[Z:kF=\E[1;2B:kR=\E[1;2A:*4=\E[3;2~:\
        :*7=\E[1;2F:#2=\E[1;2H:#3=\E[2;2~:#4=\E[1;2D:%c=\E[6;2~:\
        :kd=\EOB:kr=\EOC:kl=\EOD:km:"
USE="3dnow 3dnowext acl apache2 berkdb bitmap-fonts bzip2 cli cracklib crypt dri fortran gdb
m gpm iconv ipv6 isdnlog libg++ midi mmx mmxext mudflap mysql ncurses nls nptl nptlonly open
mp pam pcre perl php png pppd python readline reflection server session snmp spl sse ssl tcp
d truetype-fonts type1-fonts unicode x86 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiix
p-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel i
ntel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS=
"adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloa
t linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVIC
ES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb
216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dumm
y fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3vir
ge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
USER="root"
USERLAND="GNU"
USE_EXPAND="ALSA_CARDS ALSA_PCM_PLUGINS CAMERAS CROSSCOMPILE_OPTS DVB_CARDS ELIBC FCDSL_CARD
S FOO2ZJS_DEVICES FRITZCAPI_CARDS INPUT_DEVICES KERNEL LCD_DEVICES LINGUAS LIRC_DEVICES MISD
N_CARDS USERLAND VIDEO_CARDS"
USE_EXPAND_HIDDEN="CROSSCOMPILE_OPTS ELIBC KERNEL USERLAND"
USE_ORDER="env:pkg:conf:defaults:pkginternal"
VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga ne
omagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trid
ent tseng v4l vesa vga via vmware voodoo"
VNCDESKTOP="X"
WINDOW="0"
WINDOWID="33554485"
XARGS="xargs -r"
XAUTHORITY="/root/.xauthCkO1MY"
_="/usr/bin/emerge"
```

```
h619600 init.d # lsmod
Module                  Size  Used by
vmnet                  27556  15
vmmon                 178924  6
iptable_nat             6468  0
nf_nat                 14828  1 iptable_nat
nf_conntrack_ipv4      12812  2 iptable_nat
nf_conntrack           47816  3 iptable_nat,nf_nat,nf_conntrack_ipv4
ipt_REJECT              3904  1
xt_tcpudp               3392  1
iptable_filter          2752  1
ip_tables              10532  2 iptable_nat,iptable_filter
x_tables               12100  4 iptable_nat,ipt_REJECT,xt_tcpudp,ip_tables
```

```
h619600 init.d # grep "_NF_" /usr/src/linux/.config
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CT_ACCT is not set
# CONFIG_NF_CONNTRACK_MARK is not set
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CT_PROTO_SCTP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
# CONFIG_NF_CONNTRACK_FTP is not set
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
# CONFIG_NF_CT_NETLINK is not set
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
# CONFIG_IP_NF_TARGET_REDIRECT is not set
# CONFIG_IP_NF_TARGET_NETMAP is not set
# CONFIG_IP_NF_TARGET_SAME is not set
# CONFIG_NF_NAT_SNMP_BASIC is not set
# CONFIG_NF_NAT_FTP is not set
# CONFIG_NF_NAT_IRC is not set
# CONFIG_NF_NAT_TFTP is not set
# CONFIG_NF_NAT_AMANDA is not set
# CONFIG_NF_NAT_PPTP is not set
# CONFIG_NF_NAT_H323 is not set
# CONFIG_NF_NAT_SIP is not set
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
h619600 init.d # grep "NETFILTER" /usr/src/linux/.config
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_NETLINK=m
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
# CONFIG_NETFILTER_NETLINK_LOG is not set
CONFIG_NETFILTER_XTABLES=m
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
# CONFIG_NETFILTER_XT_MATCH_LENGTH is not set
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
# CONFIG_NETFILTER_XT_MATCH_STRING is not set
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
```

----------

## didymos

Personally, I'd recommend you REJECT everything by default, and only allow what you specifically want. Usually you just allow established and related connections, and if you need to, open up specific ports.

----------
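As an added example that is not part of the thread, this is the default-deny policy didymos describes, written as a small POSIX sh generator that prints an iptables-restore file rather than touching the live firewall. The interface name `eth0` and the single allowed port 22 are assumptions for illustration. One caveat that follows from the `.config` posted above: `CONFIG_NETFILTER_XT_MATCH_CONNTRACK` and `CONFIG_NETFILTER_XT_MATCH_STATE` are both "not set", so on that kernel the `-m conntrack --ctstate ESTABLISHED,RELATED` line will be refused until one of those modules is built. `ipt_REJECT` is built, so the final REJECT loads. Under a DROP policy a port is closed by the absence of an ACCEPT rule, so no per-port REJECT for 51234 is needed.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits a default-deny INPUT ruleset
# in iptables-restore format. Assumptions: $1 is the public NIC (eth0 in the
# thread), the remaining arguments are the TCP ports to expose. Nothing here
# runs iptables; review the output, then feed it to `iptables-restore` as root.

# default_deny_ruleset IFACE [PORT...]
default_deny_ruleset() {
    iface="$1"; shift
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One explicit ACCEPT per exposed port; only NEW connections need it,
    # replies are already covered by the ESTABLISHED,RELATED rule above.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Reject (rather than silently drop) whatever falls through, so legitimate
    # clients fail fast; delete this line to rely on the DROP policy instead.
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp-port-unreachable' \
        'COMMIT'
}

# Quick sanity check: how many ACCEPT rules did we generate?
count_accepts() {
    default_deny_ruleset "$@" | grep -c -- '-j ACCEPT'
}

default_deny_ruleset eth0 22
```

Apply it with `default_deny_ruleset eth0 22 | iptables-restore` from a console session, not over the ssh connection you are about to filter; if the kernel lacks xt_conntrack, iptables-restore aborts at that line and the previous ruleset stays in place.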

## Hu

Traffic from the local machine always comes in interface lo, even if you connect to the public IP.  Try your test again from a different machine.

----------

## eXtIO

As you can see from the hostname, the connection attempt occurred from a remote machine. Our real setup (what we would like to have) looks somewhat different, but this example is easier to understand and shows the main problem: the iptables rule definition has no effect.

----------

## Hu

From the hostname, it appears that the telnet connection was most likely looping back to the same machine:

*eXtIO wrote:*

> ```
> sb@arcadis ~ $ telnet supertaxi.org 51234
> ...
> ```

```
/home/Hu> host arcadis.supertaxi.org
arcadis.supertaxi.org has address 81.169.130.65
```

If I am correct that the arcadis in your prompt is the same as arcadis.supertaxi.org, then arcadis would have registered that connection as coming in on lo.  Is arcadis running the same iptables configuration as h619600?  If not, why are you having arcadis connect to itself instead of to h619600?  If they are the same configuration, then you need to amend your rule or switch your test so that arcadis is connecting to h619600.

----------

## eXtIO

Hi

supertaxi.org == h619600 == 81.169.130.65

arcadis is my own local machine and has nothing to do with h619600 (which is a dedicated root server).

A little while ago we deactivated port 51234 on h619600 by reconfiguring the corresponding daemon, because the open port is a security risk. But we depend on a firewall-driven solution.

----------

## coolsnowmen

Putting aside the complications of the loopback interface, I'd like to recommend using the latest fwbuilder for these rules, as they can get complicated fast.

Especially for simple set-ups like "we only want to allow ssh/samba/cups in."

Unless you need ultra efficient rules, try the tool.

----------

## eXtIO

But our problem is not a misconfiguration. The iptables command we've used to block the port works on several other machines, except this one.

----------

## didymos

OK, then it's probably not an iptables misconfiguration.  What other INPUT rules are you using, or have you flushed them until you figure this out?

----------

## nbensa

Try:

```
iptables -I INPUT 1 -p tcp -i eth0 -d 81.169.130.65 -j REJECT
```

I'm assuming eth0 _is_ the NIC connected to internet. I would try DROP too.

----------

## eXtIO

Using "iptables -I INPUT 1 -p tcp -i eth0 -d 81.169.130.65 -j REJECT" to drop everything worked. But now this problem becomes even stranger :-) ... Why is it possible to reject all packets, but not only a specific destination port? REJECT didn't work, and neither did DROP or REJECT with "--reject-with tcp-reset".

----------

## nbensa

Oops. I'm sorry, I forgot --dport... Have you tried this one:

```
iptables -I INPUT 1 -p tcp -i eth0 --dport 51234 -j REJECT
```

or:

```
iptables -I INPUT 1 -p tcp -i eth0 -d 81.169.130.65 --dport 51234 -j REJECT
```

----------

## eXtIO

No, this doesn't work.

For example:

```
h619600 ~ # iptables -I INPUT 1 -p tcp -i eth0 -d 81.169.130.65 --dport 51234 -j REJECT
h619600 ~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             supertaxi.org       tcp dpt:51234 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

But it's still possible to connect to the port from my local machine :-( Yes, I know, this can't be.....

----------

## nbensa

What do you mean by "can't connect with my local machine"?

Are you testing this rule on the same box? If so, you need this one too:

```
iptables -I INPUT 1 -p tcp -i lo --dport 51234 -j REJECT
```

----------

## eXtIO

No...

h619600 == a dedicated root server

arcadis == my local machine == where i sit in front of at home

Sorry, but I'm not a native English speaker :-)

----------

## nbensa

Can you post output of:

```
iptables-save
ifconfig -a
```

Other thing you can try is:

```
iptables -I INPUT 1 -p tcp -i eth0 --dport 51234 -j LOG --log-prefix "POST-REJECT"
iptables -I INPUT 1 -p tcp -i eth0 --dport 51234 -j REJECT
iptables -I INPUT 1 -p tcp -i eth0 --dport 51234 -j LOG --log-prefix "PRE-REJECT"
```

Try telnet to that port and then take a look at dmesg. Post the output if you want...

*Quote:*

> Sorry, but I'm not a native English speaker

Don't worry. Neither am I... :-)

----------
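Two checks a practitioner would add to nbensa's LOG sandwich, as an added example that is not part of the thread. First, the three `-I INPUT 1` inserts must be issued in exactly that order (POST, REJECT, PRE), because each one pushes the earlier rules down: the chain then reads PRE-REJECT LOG, REJECT, POST-REJECT LOG, so a PRE line in `dmesg` without a POST line means the REJECT matched, and no PRE line at all means nothing arriving on that interface and port ever reached the chain. Note that the `.config` posted above has `CONFIG_IP_NF_TARGET_LOG` (and `NFLOG`) "not set", so on that kernel the LOG rules will be refused until ipt_LOG is built. Second, the per-rule packet counters from `iptables -L INPUT -v -n -x` give the same answer without any extra module: the first listing in the thread shows `0` packets on the REJECT rule, but it was taken before any test connection, so the counter has to be read again after the `telnet`. The script below only prints the iptables commands and parses a constructed listing modelled on the one in the thread; it never runs iptables. Keep in mind that plain `iptables -L` shows only the filter table, while `iptables-save` (which nbensa asks for) dumps every table, and a DNAT or REDIRECT rule in nat PREROUTING would rewrite the destination port before filter INPUT sees it; the thread never shows the nat table, so that is something to rule out, not a diagnosis.

```shell
#!/bin/sh
# Added example, not code from the thread. eth0 and port 51234 are taken from
# the thread; the listing below is constructed, not captured from h619600.

# Print the insert commands in the order they must be issued so that the final
# chain order is PRE-REJECT LOG, REJECT, POST-REJECT LOG.
diag_rules() {
    iface="$1"; port="$2"
    printf '%s\n' \
      "iptables -I INPUT 1 -p tcp -i $iface --dport $port -j LOG --log-prefix 'POST-REJECT '" \
      "iptables -I INPUT 1 -p tcp -i $iface --dport $port -j REJECT" \
      "iptables -I INPUT 1 -p tcp -i $iface --dport $port -j LOG --log-prefix 'PRE-REJECT '"
}

# Read `iptables -L INPUT -v -n -x` output on stdin and print the pkts counter
# of the first rule whose match text contains dpt:<port>, or "none" if there
# is no such rule. -n avoids reverse DNS, -x prints exact counters (no 39M).
rule_hits() {
    awk -v want="dpt:$1" '
        /^Chain / || /^ *pkts / { next }            # chain header, column header
        index($0, want) { print $1; found = 1; exit }
        END { if (!found) print "none" }'
}

# Map the counter to the next thing to check.
verdict() {
    case "$1" in
        none) echo "no rule for that port is loaded; check iptables-save (all tables)" ;;
        0)    echo "rule loaded but never matched; packets are not arriving as -i $2 --dport $3 (check ifconfig -a and iptables-save -t nat)" ;;
        *)    echo "rule matched $1 packet(s); the client should see a reject" ;;
    esac
}

# Constructed sample listing, in the layout of the one posted in the thread,
# as it would look if the counter were still zero after the test connection.
SAMPLE='Chain INPUT (policy ACCEPT 39000000 packets, 6132000000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:51234 reject-with icmp-port-unreachable'

diag_rules eth0 51234
hits=$(printf '%s\n' "$SAMPLE" | rule_hits 51234)
verdict "$hits" eth0 51234
```

On the real box the pipeline is `iptables -L INPUT -v -n -x | rule_hits 51234` run once before and once after the `telnet` from arcadis; if the number does not move, the rule is not the problem, the packet's path to it is.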

