IP being blocked even when in csf.allow and csf.ignore

Malagana
Junior Member
Posts: 4
Joined: 25 Nov 2015, 00:08

IP being blocked even when in csf.allow and csf.ignore

Post by Malagana »

One IP is being blocked in iptables even though I already added it to csf.allow and csf.ignore. I don't know what CSF rule is doing that, because I don't find anything related to the IP in the system logs. If I check iptables I find a DROP line once the IP is already blocked. Yesterday I enabled WATCH_MODE, but I don't know how to identify the cause of the block for the IP.

Any ideas?

This is the iptables result matching the IP before WATCH_MODE:

Chain            num   pkts bytes target     prot opt in     out     source               destination
INPUT            1       16   968 DROP       all  --  *      *       187.189.115.106      0.0.0.0/0
INPUT            51       0     0 ACCEPT     all  --  *      *       187.189.115.106      0.0.0.0/0

FORWARD          1        0     0 DROP       all  --  *      *       187.189.115.106      0.0.0.0/0

ALLOWIN          4     267K  134M ACCEPT     all  --  !lo    *       187.189.115.106      0.0.0.0/0

ALLOWOUT         4     223K  447M ACCEPT     all  --  *      !lo     0.0.0.0/0            187.189.115.106

And this is after WATCH_MODE was enabled:


Chain            num   pkts bytes target     prot opt in     out     source               destination
INPUT            2     4477  265K LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: I:INPUT '
INPUT            52       0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: O:INPUT '

ALLOWIN          1     4477  265K LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: I:ALLOWIN '
ALLOWIN          5     337K  191M LOGACCEPT  all  --  !lo    *       187.189.115.106      0.0.0.0/0
ALLOWIN          133      0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: O:ALLOWIN '

ALLOWOUT         1        0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: I:ALLOWOUT '
ALLOWOUT         5     271K  437M LOGACCEPT  all  --  *      !lo     0.0.0.0/0            187.189.115.106
ALLOWOUT         133      0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: O:ALLOWOUT '

DENYIN           1        0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: I:DENYIN '
DENYIN           8        0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: O:DENYIN '

DENYOUT          1        0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: I:DENYOUT '
DENYOUT          8        0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: O:DENYOUT '

INVALID          1        0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: I:INVALID '
INVALID          12       0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: O:INVALID '

INVDROP          1        0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: I:INVDROP '
INVDROP          13       0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: O:INVDROP '

LOCALINPUT       1     4477  265K LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: I:LOCALINPUT '
LOCALINPUT       5        0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: O:LOCALINPUT '

LOGACCEPT        1     4477  265K LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: I:LOGACCEPT '
LOGACCEPT        3        0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: O:LOGACCEPT '

LOGDROPIN        1        0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: I:LOGDROPIN '
LOGDROPIN        6        0     0 LOG        tcp  --  *      *       187.189.115.106      0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 4 prefix `Firewall: O:LOGDROPIN '

ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: IP being blocked even when in csf.allow and csf.ignore

Post by ForumAdmin »

csf does not add DROP rules for IP addresses into the FORWARD chain, so something external to csf is adding that rule.

Edit: Additionally, the DROP line in the INPUT chain is not from csf either, as csf does not use that chain to drop IP addresses in that way, so something else is adding those rules.

Malagana
Junior Member
Posts: 4
Joined: 25 Nov 2015, 00:08

Re: IP being blocked even when in csf.allow and csf.ignore

Post by Malagana »

I guessed that the IP blocking is not being done by CSF. First I thought it was maybe cPHulk, but it is disabled. Right now I don't know where else to look; any hint will be appreciated.

Malagana
Junior Member
Posts: 4
Joined: 25 Nov 2015, 00:08

Re: IP being blocked even when in csf.allow and csf.ignore

Post by Malagana »

Just for the record: after the hint in the first comment, I found the program that was banning the IP, and it was OSSEC, not CSF.
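The diagnosis in this thread generalises: list every rule that matches the IP in evaluation order, note that the first match wins (so a DROP at INPUT position 1 beats the csf.allow ACCEPT in ALLOWIN no matter what csf.allow says), flag DROPs in chains csf does not use for per-IP blocks, and then look at the other tools on the box. The script below is an added example written for this page; it is not code from the thread, from csf or from OSSEC. It parses `iptables -S` style output and an OSSEC active-response log. Both inputs are constructed here to mirror the thread; the `/var/ossec/logs/active-responses.log` line layout (`<date> <script> add - <ip> <timestamp> <rule id>`) is assumed from OSSEC's `firewall-drop.sh`, which inserts `-I INPUT -s IP -j DROP` and the same for FORWARD, i.e. exactly the position-1 rules the poster saw.

```shell
#!/bin/sh
# Added example (not from the thread, csf or OSSEC): find which program put a
# per-IP DROP into iptables and why csf.allow does not override it.
# Usage:  sh find_foreign_drop.sh 187.189.115.106
# On a live host replace the two SAMPLE_* variables with the output of
#   iptables -S                                (all chains, evaluation order)
#   cat /var/ossec/logs/active-responses.log   (if OSSEC is installed)

# Constructed `iptables -S` output mirroring the thread: csf's ALLOWIN/ALLOWOUT
# rules are present, but a DROP sits at position 1 of INPUT and FORWARD.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -s 187.189.115.106/32 -j DROP
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -s 187.189.115.106/32 -j ACCEPT
-A FORWARD -s 187.189.115.106/32 -j DROP
-A ALLOWIN -s 187.189.115.106/32 ! -i lo -j ACCEPT
-A ALLOWOUT -d 187.189.115.106/32 ! -o lo -j ACCEPT
-A DENYIN -s 203.0.113.9/32 ! -i lo -j DROP'

# Constructed OSSEC active-responses.log lines. The layout
# "<date> <script> <add|delete> - <ip> <timestamp> <rule id>" is assumed from
# OSSEC's firewall-drop.sh (which runs "iptables -I INPUT -s IP -j DROP" and
# the same for FORWARD, matching the position-1 rules seen in the thread).
SAMPLE_OSSEC_LOG='Wed Nov 25 00:10:01 UTC 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 187.189.115.106 1448410201.1234 5712
Wed Nov 25 00:40:01 UTC 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.9 1448412001.5678 5712'

# rules_for_ip RULES IP: print "chain position target" for every rule whose
# source (-s) is IP, in the order iptables evaluates them within each chain.
rules_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 != "-A" { next }
        { pos[$2]++; hit = 0; target = "?"
          for (i = 3; i <= NF; i++) {
              if ($i == "-s" && ($(i+1) == ip || $(i+1) == ip "/32")) hit = 1
              if ($i == "-j") target = $(i+1)
          }
          if (hit) print $2, pos[$2], target }'
}

# first_verdict RULES IP: target of the first INPUT rule matching IP. iptables
# stops at the first match, so a DROP here wins over a later ACCEPT in INPUT
# and over the ALLOWIN chain that csf.allow populates.
first_verdict() {
    rules_for_ip "$1" "$2" | awk '$1 == "INPUT" { print $3; exit }'
}

# foreign_drops RULES IP: DROP rules for IP in INPUT or FORWARD. Per the
# moderator's reply, csf does not place per-IP DROPs in those chains, so any
# hit here was inserted by something else.
foreign_drops() {
    rules_for_ip "$1" "$2" | awk '$3 == "DROP" && ($1 == "INPUT" || $1 == "FORWARD")'
}

# ossec_blocks_for_ip LOG IP: firewall-drop "add" entries naming IP.
ossec_blocks_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /firewall-drop/ && / add / { for (i = 1; i <= NF; i++) if ($i == ip) { print; break } }'
}

ip="${1:-187.189.115.106}"
echo "Rules matching $ip (chain position target):"
rules_for_ip "$SAMPLE_RULES" "$ip"
echo "First INPUT verdict: $(first_verdict "$SAMPLE_RULES" "$ip")"
echo "DROPs outside csf's chains:"
foreign_drops "$SAMPLE_RULES" "$ip"
echo "OSSEC active responses for $ip:"
ossec_blocks_for_ip "$SAMPLE_OSSEC_LOG" "$ip"
```

On the sample data the first INPUT verdict for 187.189.115.106 is DROP, two foreign DROPs are reported (INPUT 1 and FORWARD 1) and one OSSEC `add` entry names the IP, which is the chain of evidence the poster eventually assembled by hand. Adding the IP to csf.allow only changes the ALLOWIN rule, which is never reached; the fix has to be made in whatever inserted the position-1 rule (here, OSSEC's active response).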