Created Wed Aug, 28 2019 at 02:38PM

Today I had some issues implementing some iptables rules. So I first flushed all iptables rules (there were a lot from docker, fail2ban etc.). Then I added some test rules, first direct rules with iptables, then with ipset.

In all tests below I just try pinging the test IP (9.9.9.9).

deleting all iptables rules

# ipv4
# set the default policies to ACCEPT first, so flushing the rules cannot lock you out of a remote session
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
# delete the now-empty user-defined chains (e.g. the DOCKER and fail2ban chains)
iptables -X
# ipv6
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X

testing with iptables

# the echo replies come back with 9.9.9.9 as source, so ping stops getting answers
iptables -A INPUT -s 9.9.9.9 -j DROP

testing with ipset

ipset -N myset iphash
ipset -A myset 9.9.9.9
# src,dst matches the set against both the source and the destination address
iptables -I INPUT -m set --match-set myset src,dst -j DROP
# -I inserts at the top of the chain, so this LOG rule ends up before the DROP rule and is evaluated first
iptables -I INPUT -m set --match-set myset src,dst -j LOG --log-prefix "myset denied: " --log-level 7
# running sudo dmesg should show the hits.

My issue ended up being that my block solution using ThreatSTOP was allowing all traffic, since I had added my server's IP to a user-defined list, therefore matching the src IP rule early in the chain and rendering my block policy useless. Once I removed my IP all was well.

1    RETURN     all  --  anywhere             anywhere             match-set TSallowaddr src
2    RETURN     all  --  anywhere             anywhere             match-set TSallownet src
3    RETURN     all  --  anywhere             anywhere             match-set TSallowaddr dst
4    RETURN     all  --  anywhere             anywhere             match-set TSallownet dst
5    LOG        all  --  anywhere             anywhere             match-set TSblockaddr src LOG level warning prefix "ThreatSTOP-TSblock "
6    DROP       all  --  anywhere             anywhere             match-set TSblockaddr src
7    LOG        all  --  anywhere             anywhere             match-set TSblocknet src LOG level warning prefix "ThreatSTOP-TSblock "
8    DROP       all  --  anywhere             anywhere             match-set TSblocknet src
9    LOG        all  --  anywhere             anywhere             match-set TSblockaddr dst LOG level warning prefix "ThreatSTOP-TSblock "
10   DROP       all  --  anywhere             anywhere             match-set TSblockaddr dst
11   LOG        all  --  anywhere             anywhere             match-set TSblocknet dst LOG level warning prefix "ThreatSTOP-TSblock "
12   DROP       all  --  anywhere             anywhere             match-set TSblocknet dst
13   RETURN     all  --  anywhere             anywhere
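A small chain walker, added here as an illustration (it is not part of the post or of ThreatSTOP's tooling), that replays iptables' first-match logic over an abridged copy of the listing above: with the server's address in TSallowaddr, a reply from a blocked host matches the dst RETURN at rule 3 before any block rule is reached; without it, rule 5 logs and rule 6 drops. The addresses and the abridged listing are constructed samples.

```python
import ipaddress
import re

# Abridged copy of the ThreatSTOP chain from the post (the *net rules are left out;
# they behave the same way). Constructed sample, not live iptables output.
LISTING = """\
1    RETURN     all  --  anywhere             anywhere             match-set TSallowaddr src
3    RETURN     all  --  anywhere             anywhere             match-set TSallowaddr dst
5    LOG        all  --  anywhere             anywhere             match-set TSblockaddr src LOG level warning prefix "ThreatSTOP-TSblock "
6    DROP       all  --  anywhere             anywhere             match-set TSblockaddr src
9    LOG        all  --  anywhere             anywhere             match-set TSblockaddr dst LOG level warning prefix "ThreatSTOP-TSblock "
10   DROP       all  --  anywhere             anywhere             match-set TSblockaddr dst
13   RETURN     all  --  anywhere             anywhere
"""

def parse_chain(listing):
    """Turn `iptables -L --line-numbers` lines into (num, target, set, direction)."""
    rules = []
    for line in listing.splitlines():
        num, target = line.split()[:2]
        m = re.search(r"match-set (\S+) (src|dst)", line)
        rules.append((int(num), target, m.group(1) if m else None, m.group(2) if m else None))
    return rules

def in_set(addr, members):
    """ipset hash:ip and hash:net membership, both modelled as a list of networks."""
    return any(ipaddress.ip_address(addr) in net for net in members)

def trace(rules, sets, src, dst):
    """Walk the chain for one packet. Returns (verdict, rule_number, logged_rules).
    LOG is a non-terminating target, so the walk keeps going after it."""
    logged = []
    for num, target, setname, direction in rules:
        if setname and not in_set(src if direction == "src" else dst, sets[setname]):
            continue
        if target == "LOG":
            logged.append(num)
            continue
        return target, num, logged
    return "RETURN", None, logged   # fell off the end; the caller's policy decides

def demo(server_ip="203.0.113.10", blocked_ip="9.9.9.9"):
    """Reply from a blocked host to our server, with and without the server IP
    in the allow set (both addresses are constructed placeholders)."""
    rules = parse_chain(LISTING)
    block = [ipaddress.ip_network(blocked_ip)]
    broken = {"TSallowaddr": [ipaddress.ip_network(server_ip)], "TSblockaddr": block}
    fixed = {"TSallowaddr": [], "TSblockaddr": block}
    return trace(rules, broken, blocked_ip, server_ip), trace(rules, fixed, blocked_ip, server_ip)
```

Feeding it the real `iptables -L <chain> -n --line-numbers` output and the output of `ipset list` is a quick way to check which rule a given packet will actually hit before touching the live chain.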