From: "Joey" <Joey@Web56.net>
To: IPTables <netfilter@vger.kernel.org>
Subject: RE: tool to search within cidr blocks
Date: Fri, 24 Oct 2008 00:14:28 -0400
Message-ID: <007001c9358f$01d1c550$05754ff0$@net>
In-Reply-To: <49013A78.3030509@riverviewtech.net>
Hey Grant,
Here is what I can tell you.
I run iptables -F which is supposed to clear everything.
I then load my config and what you see as a result of that load is what you
see in the iptables-save result.
I have a script that builds the iptables-save.cfg file from a file
containing IP numbers only.
When I build the script, you can see that certain things happen based on the
fact that I am reading in values and building each "chain" in order, so you
won't see all the defining of the chains at the top like in the iptables-save
version.
Now I could be missing something somewhere in my declarations, but the code
is working in general. I see IPs being blocked; as you can see, I do a lot
of logging to ensure I know what's going on.
The chains for fail2ban are built and managed by that app so I don't mess
with them.
I completely rebooted the box prior to doing the below. Normally I never
reboot the box, but a new kernel came out, so I figured we would start from a
clean slate.
I did a reduced list test:
----------------------------------------------------
My quick file which is created by my app:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SMTP_TRAFFIC - [0:0]
-A INPUT -p tcp --dport 25 -m state --state NEW -j SMTP_TRAFFIC
:LOG_ASIAN - [0:0]
:CIDR-ASIAN - [0:0]
-A SMTP_TRAFFIC -j CIDR-ASIAN
-A LOG_ASIAN -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A LOG_ASIAN -j DROP
-A CIDR-ASIAN -s 58.14.0.0/15 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.16.0.0/13 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.24.0.0/15 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.29.0.0/16 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.30.0.0/15 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.32.0.0/11 -j LOG_ASIAN
COMMIT
----------------------------------------------------
I executed iptables-restore < above-file
----------------------------------------------------
Executing iptables --list results in:
Chain INPUT (policy ACCEPT)
target prot opt source destination
SMTP_TRAFFIC tcp -- anywhere anywhere tcp dpt:smtp state NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain CIDR-ASIAN (1 references)
target prot opt source destination
LOG_ASIAN all -- 58.14.0.0/15 anywhere
LOG_ASIAN all -- 58.16.0.0/13 anywhere
LOG_ASIAN all -- 58.24.0.0/15 anywhere
LOG_ASIAN all -- 58.29.0.0/16 anywhere
LOG_ASIAN all -- 58.30.0.0/15 anywhere
LOG_ASIAN all -- 58.32.0.0/11 anywhere
Chain LOG_ASIAN (6 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `SPAM-BLOCK-CIDR-ASIAN'
DROP all -- anywhere anywhere
Chain SMTP_TRAFFIC (1 references)
target prot opt source destination
CIDR-ASIAN all -- anywhere anywhere
----------------------------------------------------
Executing iptables-save resulted in:
# Generated by iptables-save v1.2.11 on Fri Oct 24 00:08:34 2008
*filter
:INPUT ACCEPT [1091:155172]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1287:150175]
:CIDR-ASIAN - [0:0]
:LOG_ASIAN - [0:0]
:SMTP_TRAFFIC - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j SMTP_TRAFFIC
-A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.16.0.0/255.248.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.24.0.0/255.254.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.29.0.0/255.255.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.30.0.0/255.254.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.32.0.0/255.224.0.0 -j LOG_ASIAN
-A LOG_ASIAN -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A LOG_ASIAN -j DROP
-A SMTP_TRAFFIC -j CIDR-ASIAN
COMMIT
# Completed on Fri Oct 24 00:08:34 2008
----------------------------------------------------
Let me know what you see or think...
Thanks!!!!!
Joey
> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org]
> On Behalf Of Grant Taylor
> Sent: Thursday, October 23, 2008 11:01 PM
> To: Mail List - Netfilter
> Subject: Re: tool to search within cidr blocks
>
> On 10/23/2008 7:38 PM, Joey wrote:
> > Great catch I totally missed that in my code that builds the save file.
> > That has been corrected.
> > http://web56.net/iptables-save.cfg
> >
> > this is the result of iptables-save http://web56.net/iptables-save-output
> > Thanks!
>
> Forgive me if I think something /REALLY/ weird is going on.
>
> I have looked through both your iptables-save.cfg and your
> iptables-save-output (which don't match each other) and I'm stumped.
> I've noticed that both your iptables-save.cfg and your
> iptables-save-output files have lines that appear to be in a different
> (alphabetical(?)) order than the packets passed through your kernel.
>
> Please flush all your tables / chains to kernel defaults and then apply
> your config file and then provide an iptables-save output again. Also,
> please provide the output of this command "iptables -t filter -L -n -v -x".
>
> I /REALLY/ feel like there is something unknown to you that is outside
> of what you have presented to us. I have no idea what it is.
>
> Do you realize that you are jumping to your "fail2ban-postifx" chain to
> immediately RETURN to the chain that you jumped from?
>
> Also, you are not using your "fail2ban-postfix-log" chain at all.
>
>
>
>
> Grant. . . .
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
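As an added example for the question this thread started with (it is not Joey's generator script and not code from the netfilter project), the following Python tool reads an iptables-save dump in either mask notation, reports which CIDR block a given address would hit and in which order, and flags blocks within one chain that overlap. It assumes IPv4 rules of the `-A CHAIN -s NET -j TARGET` shape shown above; the sample input is constructed from the reduced list, and negated sources (`! -s`) and `-m iprange` matches are deliberately skipped because they are not plain blocks.

```python
"""Search an iptables-save dump for the CIDR blocks that match an address.

Added example for the thread above; it is not Joey's generator script nor any
netfilter project code. Assumes IPv4 rules written as "-A CHAIN -s NET -j TARGET".
"""
import ipaddress
import shlex

# Constructed sample input, mirroring the reduced list posted above. Both
# mask spellings are mixed in on purpose: iptables-restore accepts either,
# and iptables-save 1.2.11 always writes the dotted form back out.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:CIDR-ASIAN - [0:0]
:LOG_ASIAN - [0:0]
:SMTP_TRAFFIC - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j SMTP_TRAFFIC
-A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.16.0.0/13 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.24.0.0/255.254.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.29.0.0/16 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.30.0.0/255.254.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.32.0.0/255.224.0.0 -j LOG_ASIAN
-A LOG_ASIAN -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A LOG_ASIAN -j DROP
-A SMTP_TRAFFIC -j CIDR-ASIAN
COMMIT
"""


def parse_source_rules(text):
    """Return (chain, network, target) for every -A rule that carries a -s match.

    Rules are kept in file order, which is also the order the kernel evaluates
    them in. Negated sources ("! -s") and -m iprange matches are skipped: they
    are not plain CIDR blocks and would need different search logic.
    """
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        argv = shlex.split(line)          # keeps the quoted --log-prefix intact
        chain, net, target, skip = argv[1], None, None, False
        i = 2
        while i < len(argv):
            tok = argv[i]
            if tok in ("-s", "--source", "--src"):
                if argv[i - 1] == "!":
                    skip = True           # negated match: not a block to search
                else:
                    # ip_network accepts both 58.14.0.0/15 and 58.14.0.0/255.254.0.0
                    net = ipaddress.ip_network(argv[i + 1], strict=False)
                i += 2
            elif tok in ("-j", "--jump"):
                target = argv[i + 1]
                i += 2
            else:
                i += 1
        if net is not None and not skip:
            rules.append((chain, net, target))
    return rules


def normalize(net):
    """Canonical prefix spelling, so both mask notations compare equal."""
    return net.with_prefixlen


def find_blocks(rules, address):
    """All rules whose source block contains address, in evaluation order.

    Within one chain the first entry is the rule that actually fires; later
    entries are shadowed by it.
    """
    ip = ipaddress.ip_address(address)
    return [(chain, normalize(net), target)
            for chain, net, target in rules if ip in net]


def overlapping_blocks(rules):
    """Pairs of blocks in the same chain that overlap (one shadows the other)."""
    found = []
    for a in range(len(rules)):
        for b in range(a + 1, len(rules)):
            chain_a, net_a, _ = rules[a]
            chain_b, net_b, _ = rules[b]
            if chain_a == chain_b and net_a.overlaps(net_b):
                found.append((normalize(net_a), normalize(net_b)))
    return found


if __name__ == "__main__":
    rules = parse_source_rules(SAMPLE_RULES)
    for addr in ("58.17.1.1", "58.28.0.1", "58.63.255.255"):
        print(addr, "->", find_blocks(rules, addr) or "no match")
    print("overlaps:", overlapping_blocks(rules))
```

Run it against a real `iptables-save` dump with `parse_source_rules(open("iptables-save-output").read())`; because every block is normalized to prefix form, the same file in Joey's `/15` spelling and in the `/255.254.0.0` spelling that iptables-save 1.2.11 writes back gives identical results, which is a quick way to confirm that the two files in this thread differ only in presentation and chain order rather than in what they block.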
Thread overview: 13+ messages
2008-10-22 19:28 ` tool to search within cidr blocks Joey
2008-10-22 19:28 ` Matt Zagrabelny
2008-10-22 22:40 ` Joey
2008-10-22 23:07 ` Grant Taylor
2008-10-23 20:51 ` Joey
2008-10-23 20:58 ` Eljas Alakulppi
2008-10-24 0:38 ` Joey
2008-10-24 3:01 ` Grant Taylor
2008-10-24 4:14 ` Joey [this message]
2008-10-24 5:01 ` Grant Taylor
2008-10-24 22:24 ` Joey
2008-10-26 19:08 ` Grant Taylor
2008-10-26 21:13 ` Elvir Kuric