Jeffrey Walton
2020-Apr-19 13:30 UTC
[CentOS] Netfilter fails to filter traffic from a netblock?
On Sun, Apr 19, 2020 at 9:26 AM Anand Buddhdev <anandb at ripe.net> wrote:
>
> On 19/04/2020 14:58, Jeffrey Walton wrote:
>
> Hi Jeffrey,
>
> > The offending host is 59.64.129.175. To err on the side of caution we
> > attempted to block the entire netblock. According to whois data,
> > that's 59.64.128.0-59.64.159.255.
> >
> > iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
> >
> > After reboot cpu usage is still high and access_log still shows
> > useless requests from the host:
>
> Did you actually arrange for your iptables rule to be reinstated at boot?
>
> If you just configure a rule as above, but don't save it, it will
> disappear at reboot.

Ugh, thanks. I did not realize the changes were only temporary.

What is the recommended way to permanently add a ban rule?

Thanks again.
Thought it might also be helpful to confirm that firewalld is not interfering in any way.

What is the output of

~$# systemctl status firewalld

On Sun, Apr 19, 2020 at 9:30 AM Jeffrey Walton <noloader at gmail.com> wrote:
>
> On Sun, Apr 19, 2020 at 9:26 AM Anand Buddhdev <anandb at ripe.net> wrote:
> >
> > On 19/04/2020 14:58, Jeffrey Walton wrote:
> >
> > Hi Jeffrey,
> >
> > > The offending host is 59.64.129.175. To err on the side of caution we
> > > attempted to block the entire netblock. According to whois data,
> > > that's 59.64.128.0-59.64.159.255.
> > >
> > > iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
> > >
> > > After reboot cpu usage is still high and access_log still shows
> > > useless requests from the host:
> >
> > Did you actually arrange for your iptables rule to be reinstated at boot?
> >
> > If you just configure a rule as above, but don't save it, it will
> > disappear at reboot.
>
> Ugh, thanks. I did not realize the changes were only temporary.
>
> What is the recommended way to permanently add a ban rule?
>
> Thanks again.
Jeffrey Walton
2020-Apr-19 13:44 UTC
[CentOS] Netfilter fails to filter traffic from a netblock?
On Sun, Apr 19, 2020 at 9:40 AM Mike <1100100 at gmail.com> wrote:
>
> Thought it might also be helpful to confirm that firewalld is not
> interfering in any way.
>
> what is the output of ~$# systemctl status firewalld

Thanks Mike.

# systemctl status firewalld
Unit firewalld.service could not be found.

Jeff
Anand Buddhdev
2020-Apr-19 13:44 UTC
[CentOS] Netfilter fails to filter traffic from a netblock?
On 19/04/2020 15:30, Jeffrey Walton wrote:
> Ugh, thanks. I did not realize the changes were only temporary.
>
> What is the recommended way to permanently add a ban rule?

On CentOS 7, the default firewall is "firewalld", and you can configure it with "firewall-cmd". You can use it to add temporary or permanent rules. You can read the man page of that to learn how to view, add, modify or delete rules.

Personally though, I find firewalld to be cumbersome, so I remove it completely, and install instead "iptables-services".

yum erase firewalld
yum install iptables-services

Then, after adding your iptables rule(s), run:

iptables-save > /etc/sysconfig/iptables
ip6tables-save > /etc/sysconfig/ip6tables

They'll be applied at boot.

Regards,
Anand
On Sun, Apr 19, 2020 at 9:45 AM Anand Buddhdev <anandb at ripe.net> wrote:
>
> Personally though, I find firewalld to be cumbersome, so I remove it
> completely, and installed instead "iptables-services".
>

Ya, I agonized over accepting firewalld. I'm a small-time manager who wears many hats and doesn't have a lot of time to practice sysadmin skills. It took me about 5 years to get confident with iptables and go from fresh install to company firewall in one sitting. Now that I've adopted firewalld, which has a wider variety of command/rule statements, I am constantly hitting "man firewall-cmd" and cannot competently recall iptables in any comprehensible way; it's like mixing Japanese and English whenever I try to communicate with a CentOS box firewall, heh.
Kenneth Porter
2020-Apr-19 16:27 UTC
[CentOS] Netfilter fails to filter traffic from a netblock?
--On Sunday, April 19, 2020 10:30 AM -0400 Jeffrey Walton <noloader at gmail.com> wrote:

> Ugh, thanks. I did not realize the changes were only temporary.
>
> What is the recommended way to permanently add a ban rule?

service iptables save

That runs the initscript that knows how to save the running firewall to /etc/sysconfig.
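Persistence is one reason a ban can appear not to work; two others are worth checking with the same saved file Anand and Kenneth describe (/etc/sysconfig/iptables, or live `iptables -S INPUT` output): whether the DROP is in the ruleset at all, and whether it comes before any ACCEPT that already matches the same traffic, since `-A` appends to the end of the chain. The script below is an added example, not code from this thread or from CentOS. It reads iptables-save-format text, works out which INPUT rule a new TCP connection from the offending host would hit first, and reports whether the /19 covers that host. The host, netblock and rule shape are taken from the thread; the two embedded rulesets are constructed for the example, and the function names, the `-p tcp` assumption for the checked packet and the limited set of decoded matches are the example's own.

```python
"""Check that an iptables netblock ban is loaded and is actually reached.
Added example, not code from the CentOS list thread. It reads the text that
`iptables-save` prints (what `service iptables save` stores in
/etc/sysconfig/iptables); the two rulesets below are constructed for it."""
import ipaddress
import shlex
import sys

OFFENDER = "59.64.129.175"   # host named in the thread
NETBLOCK = "59.64.128.0/19"  # netblock the thread tried to ban

# Constructed: a CentOS 7-style ruleset where the ban was appended (-A), so
# it sits behind the ACCEPT for port 80 and never sees the web requests.
APPENDED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 59.64.128.0/19 -p tcp -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed: same ruleset after `iptables -I INPUT 1 ...` (insert at top), not -A.
BAN = "-A INPUT -s 59.64.128.0/19 -p tcp -j DROP\n"
INSERTED = APPENDED.replace(BAN, "").replace(
    ":OUTPUT ACCEPT [0:0]\n", ":OUTPUT ACCEPT [0:0]\n" + BAN)


def parse_chain(ruleset, chain="INPUT"):
    """Return (policy, rules) for `chain` in the filter table, in order.
    Only -s, -p, --dport, --state and -j are decoded; other matches and "!"
    negation are ignored, so this is an approximation, not a full model."""
    policy, rules, in_filter = "ACCEPT", [], False
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":%s " % chain):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A %s " % chain):
            toks = shlex.split(line)[2:]  # drop "-A <chain>"
            rule = dict.fromkeys(("src", "proto", "dport", "states", "target"))
            for i, t in enumerate(toks):
                nxt = toks[i + 1] if i + 1 < len(toks) else ""
                if t in ("-s", "--source"):
                    rule["src"] = ipaddress.ip_network(nxt, strict=False)
                elif t in ("-p", "--protocol"):
                    rule["proto"] = nxt.lower()
                elif t in ("--dport", "--destination-port"):
                    lo, _, hi = nxt.partition(":")  # "80" or "80:443"
                    rule["dport"] = (int(lo), int(hi or lo))
                elif t == "--state":
                    rule["states"] = set(nxt.upper().split(","))
                elif t in ("-j", "--jump"):
                    rule["target"] = nxt
            rules.append(rule)
    return policy, rules


def first_verdict(ruleset, host, proto="tcp", dport=80, state="NEW"):
    """Walk INPUT top to bottom for one packet; return (target, index) of the
    first matching rule, or (chain policy, None) if nothing matches."""
    addr = ipaddress.ip_address(host)
    policy, rules = parse_chain(ruleset)
    for idx, r in enumerate(rules):
        if r["src"] is not None and addr not in r["src"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and not r["dport"][0] <= dport <= r["dport"][1]:
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        return r["target"], idx
    return policy, None


def ban_check(ruleset, host=OFFENDER, netblock=NETBLOCK, dport=80):
    """Is a DROP for `netblock` loaded, does it cover `host`, and what rule does
    a new TCP packet from `host` to `dport` actually hit first?"""
    net = ipaddress.ip_network(netblock)
    verdict, idx = first_verdict(ruleset, host, dport=dport)
    return {"rule_loaded": any(r["target"] == "DROP" and r["src"] == net
                               for r in parse_chain(ruleset)[1]),
            "host_in_netblock": ipaddress.ip_address(host) in net,
            "verdict": verdict, "matched_rule_index": idx}


if __name__ == "__main__":
    # Argument: a saved ruleset such as /etc/sysconfig/iptables. No argument:
    # report on the two samples (ACCEPT at index 1, then DROP at index 0).
    samples = [("file", open(sys.argv[1]).read())] if len(sys.argv) > 1 else [
        ("appended", APPENDED), ("inserted", INSERTED)]
    for name, text in samples:
        print(name, ban_check(text))
```

On the appended sample the DROP is present and the /19 does contain 59.64.129.175, yet a new connection to port 80 is accepted by the earlier port-80 rule, which is exactly the "rule is there but access_log still fills up" symptom; inserting the ban at position 1 fixes that, and `service iptables save` then keeps that order across reboots. Because the rule is `-p tcp`, anything non-TCP from the block is left to the rest of the chain, which the example shows by walking a UDP packet.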