bugzilla-daemon at netfilter.org
2013-Oct-13 09:49 UTC
[Bug 858] New: Some address cannot be blocked
https://bugzilla.netfilter.org/show_bug.cgi?id=858
Summary: Some address cannot be blocked
Product: iptables
Version: 1.4.x
Platform: All
OS/Version: All
Status: NEW
Severity: blocker
Priority: P1
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: antoine.gutzwiller at neutralite.org
Estimated Hours: 0.0
I was attacked for a few hours, and even though fail2ban told me the address had
been banned, the attack was continuing, and I got around 50 fail2ban messages.
iptables -L returns:
...
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 88-191-185-62.rev.dedibox.fr anywhere
RETURN all -- anywhere anywhere
...
So I tried to add the address myself:
iptables -A INPUT -s 88.191.185.62 -j DROP
But I got the same problem:
iptables -L shows that the address has again been transformed from 88.191.185.62
to 88-191-185-62.rev.dedibox.fr (and the attack keeps going; the rule doesn't
DROP anything).
Version: 1.4.8 (Debian old-stable)
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Oct-13 09:58 UTC
[Bug 858] Some address cannot be blocked
https://bugzilla.netfilter.org/show_bug.cgi?id=858
--- Comment #1 from Antoine <antoine.gutzwiller at neutralite.org> 2013-10-13 11:58:24 CEST ---
I should say: I am not an expert, so perhaps I just misunderstood something, and there is no bug at all.
bugzilla-daemon at netfilter.org
2013-Oct-13 15:40 UTC
[Bug 858] Some address cannot be blocked
https://bugzilla.netfilter.org/show_bug.cgi?id=858
Phil Oester <netfilter at linuxace.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |netfilter at linuxace.com
Resolution| |INVALID
--- Comment #2 from Phil Oester <netfilter at linuxace.com> 2013-10-13 17:40:47 CEST ---
Once a session is in conntrack, adding DROP rules to the INPUT chain will not
disallow traffic from it. You would need to flush the conntrack session table
first.
Please ask this question on the netfilter mailing list - there is no bug in
netfilter's ability to block IPs.
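A remediation sequence for the situation in this thread, added here as an example and not part of the bug report: the DROP rule is inserted at the top of INPUT rather than appended (an appended rule sits behind any earlier ESTABLISHED,RELATED accept rule and is never reached by a session that is already in conntrack), the attacker's conntrack entries are deleted as Phil suggests, and the result is listed with -n so the reverse-DNS name that confused the reporter is not shown. It assumes iptables and the conntrack command from conntrack-tools are installed; the run/DRY_RUN wrapper and the valid_ipv4 helper are this example's own.

```shell
#!/bin/sh
# Constructed example (not from the bug report). Requires root to run for
# real; with DRY_RUN=1 it only prints the commands it would execute.

# Run a command, or print it when DRY_RUN=1 so the steps can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a plain dotted-quad IPv4 address: a hostname such as
# 88-191-185-62.rev.dedibox.fr (or junk copied from a log line) is rejected
# rather than handed to iptables, which would try to resolve it.
valid_ipv4() {
    case "$1" in
        ""|.*|*.|*[!0-9.]*) return 1 ;;
    esac
    # Split on dots in a subshell so the caller's IFS is left untouched.
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ -n "$octet" ] && [ "$octet" -le 255 ] || exit 1
        done
    )
}

block_ip() {
    ip=$1
    valid_ipv4 "$ip" || { echo "block_ip: not an IPv4 address: $ip" >&2; return 2; }
    # -I INPUT 1, not -A: the rule must precede any
    # "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule, otherwise the
    # existing session keeps matching that ACCEPT and never sees the DROP.
    run iptables -I INPUT 1 -s "$ip" -j DROP
    # Delete the attacker's conntrack entries (narrower than flushing the
    # whole table), so its packets are no longer treated as ESTABLISHED.
    run conntrack -D -s "$ip"
    # -n lists numeric addresses; without it iptables -L reverse-resolves
    # the source for display only, which does not change the rule itself.
    run iptables -nL INPUT
}
```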