iptables not working as expected

So I was trying to block a specific IP address from accessing my server and initially wanted to know if there was a way to do this in YaST with the firewall settings. In the meantime I issued the terminal command (as root) to block one of my internal home machines as a test:

iptables -I INPUT -s 192.168.1.114 -j DROP

Come to find out, the machine with the above IP address can STILL access my server??? Is there something else I need do for this to work?

Thanks in advance.

Please provide more information on your present server setup:

  1. openSUSE Version
  2. 32 or 64 bit
  3. Desktop loaded, if any
  4. Present kernel version
  5. Post the contents of /etc/sysconfig/SuSEfirewall2, using SUSE Paste, set the delete after to never and give us a link to the post.
  6. Anything about your networking setup the server resides in
  7. Make sure to remove any sensitive info from your posts, but otherwise, be complete
  8. If it is a bug of some sort, we will request you post a bug report on the issue

Thank You,


Having the contents of the following will also likely be useful, again,
in SUSE Paste (after implementing your rule):

sudo /usr/sbin/iptables -L

As a note using the following rule worked perfectly on my system when
using a valid IP for my network:

sudo /usr/sbin/iptables -I INPUT -s 192.168.1.114 -j DROP

I tested this by running tcpdump in another window after telling the
blocked machine to ping me constantly. tcpdump picks up packets before
the firewall filters them out from the INPUT table, but you can tell it
is working because the machine doing the blocking no longer responds to
the ICMP packets (pings) so instead of two packets per second (one
coming in and a response going out) you just get the one coming in and
nothing at all until the next one comes in.

Good luck.

1 - 11.4
2 - 32 bit
3 - kde
4 - not sure, linux novice
5 - SUSE Paste
6 - simply an experiment running on a typical home network (192.168.1.x with 4 win7 workstations and this server)
7 - nothing important on the server, no personal info, just a server running a game for my kids. I use the server to learn Linux on
8 - no problem, I'll need instruction on how this is done.

So I'm blocking one of my machines internally, 192.168.1.114, but after issuing the command I can still interact with the server, verified in the game's log window with the correct IP address x.x.x.114. Not sure why. I initially tried adding the address to hosts.deny but that didn't work either.
Thanks in advance

as for iptables -L --line-numbers

Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
3 ACCEPT icmp -- anywhere anywhere ctstate RELATED
4 input_ext all -- anywhere anywhere
5 input_ext all -- anywhere anywhere
6 input_ext all -- anywhere anywhere
7 LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
8 DROP all -- anywhere anywhere
9 DROP all -- (deleted by catfish, but just another IP address here)
10 DROP all -- 192.168.1.114 anywhere

I'm testing by checking whether the machine at 192.168.1.114 can log into the game being hosted on the server.

thanks

iptables -n -v -L

is more informative IMHO.

Please use code tags when pasting such output.
http://forums.opensuse.org/english/get-technical-help-here/how-faq-forums/advanced-how-faq-read-only/451526-posting-code-tags-guide.html

Best regards,
Greg

OK, thanks everyone. I figured out why the iptables command wasn't working. It appears that using the -A option isn't the best choice, as the rule gets Appended to the end of the INPUT chain and therefore never gets serviced, since prior rules take precedence. I changed the command to iptables -I INPUT 1 -s 192.168.1.114 -j DROP, which Inserts the rule first and therefore gets precedence, and indeed that did the trick. Very cool.

So as a follow-up, can I insert this in one of the firewall configs so the rule is persistent through firewall stops/starts?

Thanks in advance
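To make the precedence point above concrete, here is an added example (not code from the thread) that walks the INPUT listing posted earlier with a simplified first-match model, showing that an appended DROP is shadowed by rule 1 while the same rule inserted at position 1 wins. The listing is a constructed, trimmed copy of the one in the thread; jumps into user chains such as input_ext are not modelled, and without -v the listing hides interface restrictions, so this is an approximation of netfilter, not its actual code.

```python
import ipaddress
import re

# Constructed sample, trimmed from the INPUT listing posted in this thread
# (iptables -L --line-numbers; the interface column is hidden without -v).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
3 ACCEPT icmp -- anywhere anywhere ctstate RELATED
4 input_ext all -- anywhere anywhere
7 LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning
8 DROP all -- anywhere anywhere
10 DROP all -- 192.168.1.114 anywhere
"""

RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # LOG and user-chain jumps fall through here

def parse_rules(listing):
    """Turn the iptables -L text into a list of rule dicts, in chain order."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, target, proto, src, _dst, extra = m.groups()
            rules.append({"num": int(num), "target": target, "proto": proto,
                          "src": src, "extra": extra})
    return rules

def src_matches(rule_src, addr):
    if rule_src == "anywhere":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_src, strict=False)

def first_verdict(rules, src_addr, proto="tcp", state="NEW", policy="DROP"):
    """Simplified first-match walk: (rule number, verdict) for one packet."""
    for r in rules:
        if r["proto"] not in ("all", proto):
            continue
        if "ctstate" in r["extra"] and state not in r["extra"]:
            continue  # conntrack match does not apply to a NEW packet
        if r["target"] in TERMINAL and src_matches(r["src"], src_addr):
            return r["num"], r["target"]
    return None, policy  # no rule hit: chain policy decides

def insert_first(rules, src_addr, target="DROP"):
    """Model `iptables -I INPUT 1 -s <addr> -j DROP`: new rule at position 1."""
    new = {"num": 1, "target": target, "proto": "all", "src": src_addr, "extra": ""}
    return [new] + [dict(r, num=r["num"] + 1) for r in rules]
```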

By default any incoming traffic is blocked, including this IP, so why would you want to do this? :slight_smile:

Best regards,
Greg

I wanted to block a specific IP address from accessing a game server. This person was blocked by game permissions, but they were continually trying, so I was annoyed and wanted to prevent any "view" of my server. Now any attempts are dropped without any acknowledgement.

Is there a better way to do this?


Yes, this is exactly how iptables works, but now I am a bit confused.
Your original example used '-I', not '-A'. If you were
appending, then next time you may want to include the command you're
using exactly.

Good luck.

You're absolutely correct, the command I listed in the initial post was entered wrong; the I should have been an A. I was appending and not inserting the entry as I should have. I happened to be on a Win7 machine at the time of entering the post and wasn't pasting the actual command. Sorry for the discrepancy, as that would definitely have delayed anyone being able to assist me. I need to be more careful.

Thanks for pointing that out, I hadn’t noticed.