Can not block countries in CSF firewall
Posted: 20 Sep 2015, 10:37
I have blocked several countries in csf.conf file. Restarted CSF/LFD.
IWhen I check the Nginx logfile it shows the following:
The logfile id full of connections from China and other blocked countries.
Any ideas why my CSF does not block connections from blocked countries? What I am doing wrong?
Code: Select all
CC_DENY = "CN,BR,CA,HK,TW,RO,RU,UA,MD,KZ,TH"
Code: Select all
61.135.190.69 - - [17/Sep/2015:05:23:41 +0100] "GET /s5.css HTTP/1.1" 403 198 "-" "Mozilla/4.0 (comptible; MSIE 8.0; Windows NT 6.0)"
158.69.27.74 - - [17/Sep/2015:09:42:36 +0100] "GET / HTTP/1.1" 403 570 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
111.206.36.132 - - [20/Sep/2015:05:47:28 +0100] "GET /s5.css HTTP/1.1" 403 198 "-" "Mozilla/4.0 (comptible; MSIE 8.0; Windows NT 6.0)"
Code: Select all
61.135.190.69 - China
158.69.27.74 - Canada
111.206.36.132 - China
Any ideas why my CSF does not block connections from blocked countries? What I am doing wrong?
Code: Select all
perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Code: Select all
csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_DENY'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_DENY'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_DENY'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_DENY'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOG tcp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP6IN Blocked* "
LOG tcp opt in * out * ::/0 -> ::/0 tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP6OUT Blocked* "
LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP6IN Blocked* "
LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP6OUT Blocked* "
LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP6IN Blocked* "
LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP6OUT Blocked* "
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt in * out * ::/0 -> ::/0
DROP all opt in * out * ::/0 -> ::/0
DENYOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DENYIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ALLOWOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ALLOWIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
DENYOUT all opt in * out !lo ::/0 -> ::/0
DENYIN all opt in !lo out * ::/0 -> ::/0
ALLOWOUT all opt in * out !lo ::/0 -> ::/0
ALLOWIN all opt in !lo out * ::/0 -> ::/0
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt in * out * ::/0 -> ::/0
INVALID tcp opt in !lo out * ::/0 -> ::/0
INVALID tcp opt in * out !lo ::/0 -> ::/0
csf: FASTSTART loading csf.deny (IPv4)
csf: FASTSTART loading csf.deny (IPv6)
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading CC_DENY [cn] (IPv4)
csf: FASTSTART loading CC_DENY [br] (IPv4)
csf: FASTSTART loading CC_DENY [ca] (IPv4)
csf: FASTSTART loading CC_DENY [hk] (IPv4)
csf: FASTSTART loading CC_DENY [tw] (IPv4)
csf: FASTSTART loading CC_DENY [ro] (IPv4)
csf: FASTSTART loading CC_DENY [ru] (IPv4)
csf: FASTSTART loading CC_DENY [ua] (IPv4)
csf: FASTSTART loading CC_DENY [md] (IPv4)
csf: FASTSTART loading CC_DENY [kz] (IPv4)
csf: FASTSTART loading CC_DENY [th] (IPv4)
CC_DENY all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
CC_DENY all opt in !lo out * ::/0 -> ::/0
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in !lo out * ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in * out !lo ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 0
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 0 limit: avg 1/sec burst 5
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 11
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 3
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 11
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 3
ACCEPT icmpv6 opt in !lo out * ::/0 -> ::/0
ACCEPT icmpv6 opt in * out !lo ::/0 -> ::/0
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt in lo out * ::/0 -> ::/0
ACCEPT all opt in * out lo ::/0 -> ::/0
LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
LOGDROPIN all opt in !lo out * ::/0 -> ::/0
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0