
iptables asleep at the wheel


menthol

Guest
My Current Plesk Server Specs:

Plesk version: psa v8.3.0_build83080131.20 os_FedoraCore 6
Operating system: Linux 2.6.22.2-42.fc6
System Memory: 475.8 MB of 1002.6 MB used; 526.8 MB available
System Uptime: 107 day(s) 11:09

The iptable Rule in Question:

/sbin/iptables -A INPUT -p tcp --dport 25 -s 122.141.0.0/16 -j DROP

An Email Header Received Only Moments Ago:

Received: (qmail 14060 invoked from network); 6 May 2008 22:23:03 -0500
Received: from unknown (HELO feed-blast.net) (122.141.74.3)

Obvious Information Concerning 122.141.74.3:

% [whois.apnic.net node-1]

inetnum: 122.136.0.0 - 122.143.255.255
netname: CNCGROUP-JL
descr: CNCGROUP Jilin province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN

Additional Information:

* Point: I have collected a current total of 1317 iptable DROP rules.
* Counter-Point: Many of the 1317 iptable DROP rules I have entered are working.

I am running SPF and DNSBL (sbl.spamhaus.org + xbl.spamhaus.org because zen.spamhaus.org enables policies that do not allow me to use email with my PDA phone) so if iptables was doing its job, I could be enjoying even less spam than ever--currently down to less than 20 per day as opposed to the usual 50 to 100 per 24 hour period.

Where is the major malfunction?
 
It depends where you're running your firewall from. Should the rule be in the FORWARD table instead of INPUT?
 
Short version, do this instead:
/sbin/iptables -I INPUT -p tcp --dport 25 -s 122.141.0.0/16 -j DROP

This means "Insert at the Top" vs. -A which means "Add to the bottom". If that works then I suspect your problem is that you have an ACCEPT condition occurring before your drop, and so the drop rule will never get applied.


You would only apply rules like this against a FORWARD table if you were routing traffic for other hosts, and wanted to control what traffic would be accepted/denied for those systems.
 
Thank you for the quick replies and suggestions, but I should clarify that I am using the Plesk Firewall GUI to enter these rules so you must know the limitations as well as the automatic rules added by the Plesk Firewall module.

I have full access to the dedicated server so I can attempt to edit the /usr/local/psa/var/modules/firewall/firewall-active.sh script and restart the service to see how the alterations pan out for a day. I am bound to get email from at least one of these IPs that seem to be breaking through the firewall today.

I cannot help but believe that either: a. I have too many rules (again, currently 1317 DROP rules along with the list of automatic rules added by Plesk) or b. something is seriously wrong with iptables or c. these particular spammers are concocting some sort of black magic to bust through.
 
1300 rules is nothing, I've run just under 100,000 before and I'm sure I could go way past that.

There is no magic evasion technique going on behind the scenes here, you've just got an order problem, or some specific allow rule occurring ahead of your drop rule.
 
Nice, good to know that I have plenty of room to break down my broad strokes even further--I have resorted to bitmasks of /8 on some seriously offensive networks, i.e. 189/8 LACNIC Brazil, Caribbean, Uruguay etc.

I felt that the generic nature of the Plesk 8.3 Firewall Module would be well known, but I will post my current configuration less my DROP block. Looks like I may be abandoning the Plesk firewall GUI and editing direct from now on if I need -I over -A on each one of my DROP rules?

-- INIT / START

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT

-- MY DROP BLOCK

/sbin/iptables -A INPUT -p tcp --dport 25 -s 24.24.200.0/24 -j DROP

1300+ various other DROP rules...

/sbin/iptables -A INPUT -p tcp --dport 25 -s 222.215.0.0/16 -j DROP

-- PERSONAL RULES

/sbin/iptables -A INPUT -p tcp --dport 27015 -j ACCEPT # HL2 Game Server

/sbin/iptables -A INPUT -p tcp --dport 10000 -s MY_PRIVATE_IP -j ACCEPT # Webmin
/sbin/iptables -A INPUT -p udp --dport 10000 -s MY_PRIVATE_IP -j ACCEPT # Webmin

-- PLESK'S AUTOMATIC RULES

/sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5432 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 9008 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 9080 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 445 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
/sbin/iptables -A INPUT -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/iptables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active

-- END
 
I have been paying close attention to iptables and noted a major, overall change to my rules this morning. I was thinking I had not gone mad.

It would seem that during Plesk nightly maintenance (cron.daily) iptables is restarted and a huge number of very odd chains have shown up. In researching this, I found a chain named DSHIELD, which led me to work out that APF and DSHIELD are being run nightly and completely flushing and restarting iptables.

I assume this is not a part of Plesk 8.3 but has been installed by my hosting company. If so, my apologies and thanks for the help nevertheless.
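Both explanations offered in this thread (an ACCEPT rule sitting ahead of the DROP, and a nightly flush that wipes the DROP block) come down to how the INPUT chain is walked: first match wins, and a flushed chain has nothing left to match. The following added example (not from the original thread or from Plesk) replays a constructed subset of the posted script into an in-memory INPUT chain and evaluates the SMTP connection from 122.141.74.3 against it, so the effect of -A versus -I and of an intervening -F can be checked without touching a live firewall. The packet and command lists are constructed from values shown on the page.

```python
import ipaddress
import shlex

SPAM_PKT = {"proto": "tcp", "dport": 25, "src": "122.141.74.3", "state": "NEW"}  # constructed from the post's header

def build_chain(commands):
    """Replay iptables commands (constructed subset of the page's script) into an in-memory INPUT chain."""
    chain = []
    for cmd in commands:
        it = iter(shlex.split(cmd)[1:])              # skip the /sbin/iptables word
        rule, action = {}, None
        for tok in it:
            if tok in ("-A", "-I"):
                action = tok if next(it) == "INPUT" else None   # only the INPUT chain is modelled
            elif tok == "-F":
                chain = []                           # flush: every rule is gone
            elif tok in ("-p", "-j"):
                rule[{"-p": "proto", "-j": "target"}[tok]] = next(it)
            elif tok == "--dport":
                rule["dport"] = int(next(it))
            elif tok == "-s":
                rule["src"] = ipaddress.ip_network(next(it), strict=False)
            elif tok == "--state":
                rule["state"] = set(next(it).split(","))
        if action == "-A":
            chain.append(rule)                       # -A: bottom of the chain
        elif action == "-I":
            chain.insert(0, rule)                    # -I: top of the chain
    return chain

def verdict(chain, pkt, policy="DROP"):
    """First match wins, as the kernel walks INPUT; the policy (-P INPUT DROP on the page) decides otherwise."""
    src = ipaddress.ip_address(pkt["src"])
    for num, r in enumerate(chain, 1):
        if r.get("proto", pkt["proto"]) != pkt["proto"] or r.get("dport", pkt["dport"]) != pkt["dport"]:
            continue
        if ("src" in r and src not in r["src"]) or ("state" in r and pkt["state"] not in r["state"]):
            continue
        return r["target"], num                      # (target, rule number that fired)
    return policy, None

ESTABLISHED = "/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
DROP_RULE = "/sbin/iptables -A INPUT -p tcp --dport 25 -s 122.141.0.0/16 -j DROP"
PLESK_AUTO = ["/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT", "/sbin/iptables -A INPUT -j ACCEPT"]

def scenario(commands, pkt=SPAM_PKT):
    """Verdict for pkt after running commands on a freshly flushed INPUT chain."""
    return verdict(build_chain(["/sbin/iptables -F"] + commands), pkt)
```

With the posted order (DROP block before Plesk's port-25 ACCEPT) the spammer is dropped at rule 2; append the same DROP after Plesk's rules and it is accepted at rule 2, insert it with -I and it is dropped at rule 1, and a later -F followed by only Plesk's rules accepts it regardless of how the DROP was added.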
 