CentOS - Apr 2020 - Netfilter fails to filter traffic from a netblock?

On Sun, Apr 19, 2020 at 9:26 AM Anand Buddhdev <anandb at ripe.net>
wrote:
>
> On 19/04/2020 14:58, Jeffrey Walton wrote:
>
> Hi Jeffrey,
>
> > The offending host is 59.64.129.175. To err on the side of caution we
> > attempted to block the entire netblock. According to whois data,
> > that's 59.64.128.0-59.64.159.255.
> >
> >     iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
> >
> > After reboot cpu usage is still high and access_log still shows
> > useless requests from the host:
>
> Did you actually arrange for your iptables rule to be reinstated at boot?
>
> If you just configure a rule as above, but don't save it, it will
> disappear ar reboot.
Ugh, thanks. I did not realize the changes were only temporary.

What is the recommended way to permanently add a ban rule?

Thanks again.

Thought it might also be helpful to confirm that firewalld is not
interfering in any way.

what is the output of ~$# systemctl status firewalld


On Sun, Apr 19, 2020 at 9:30 AM Jeffrey Walton <noloader at gmail.com>
wrote:
>
> On Sun, Apr 19, 2020 at 9:26 AM Anand Buddhdev <anandb at ripe.net>
wrote:
> >
> > On 19/04/2020 14:58, Jeffrey Walton wrote:
> >
> > Hi Jeffrey,
> >
> > > The offending host is 59.64.129.175. To err on the side of
caution we
> > > attempted to block the entire netblock. According to whois data,
> > > that's 59.64.128.0-59.64.159.255.
> > >
> > >     iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
> > >
> > > After reboot cpu usage is still high and access_log still shows
> > > useless requests from the host:
> >
> > Did you actually arrange for your iptables rule to be reinstated at
boot?
> >
> > If you just configure a rule as above, but don't save it, it will
> > disappear ar reboot.
>
> Ugh, thanks. I did not realize the changes were only temporary.
>
> What is the recommended way to permanently add a ban rule?
>
> Thanks again.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

On Sun, Apr 19, 2020 at 9:40 AM Mike <1100100 at gmail.com>
wrote:
>
> Thought it might also be helpful to confirm that firewalld is not
> interfering in any way.
>
> what is the output of ~$# systemctl status firewalld
Thanks Mike.

    # systemctl status firewalld
    Unit firewalld.service could not be found.

Jeff

On 19/04/2020 15:30, Jeffrey Walton wrote:
> Ugh, thanks. I did not realize the changes were only temporary.
> 
> What is the recommended way to permanently add a ban rule?
On CentOS 7, the default firewall is "firewalld", and you can
configure
it with "firewall-cmd". You can use it to add temporary or permanent
rules. You can read the man page of that to learn how to view, add,
modify or delete rules.

Personally though, I find firewalld to be cumbersome, so I remove it
completely, and installed instead "iptables-services".

yum erase firewalld
yum install iptables-services

Then, after adding your iptables rule(s), run:

iptables-save > /etc/sysconfig/iptables
ip6tables-save > /etc/sysconfig/ip6tables

They'll be applied at boot.

Regards,
Anand

On Sun, Apr 19, 2020 at 9:45 AM Anand Buddhdev <anandb at ripe.net>
wrote:
>
> Personally though, I find firewalld to be cumbersome, so I remove it
> completely, and installed instead "iptables-services".
>
Ya, i agonized over accepting firewalld.
I'm a smalltime manager who wears many hats and doesn't have alot of
time to practice sysadmin skills.
It took me about 5 years to get confident with iptables and go from
fresh install to company firewall in one sitting.
Now that I've adopted firewalld which has a wider variety of
command/rule statements, I am constantly hitting "man firewall-cmd"
and cannot competently recall iptables in any comprehensible way; it's
like mixing Japanese and English whenever I try to communicate with a
centos box firewall, heh.

--On Sunday, April 19, 2020 10:30 AM -0400 Jeffrey Walton 
<noloader at gmail.com> wrote:
> Ugh, thanks. I did not realize the changes were only temporary.
>
> What is the recommended way to permanently add a ban rule?
service iptables save

That runs the initscript that knows how to save the running firewall to 
/etc/sysconfig.