This should normally not work, on a plain and basic iptables firewall, so I am rather surprised if it does:
/sbin/iptables -I INPUT -s 115.84.0.0/16 -j DROP
While this should work (on a plain and basic iptables firewall, but possibly not on the SME server):
/sbin/iptables -A INPUT -s 115.84.0.0/16 -j DROP
Reason: the first statement uses -I (insert), which will insert a rule in the bottom of the rule stack, after the rule that opens port 25, so it will (should) have no effect.
If a packet is first validated against the rule that allows port 25 (the ordinary rule) it will never "see" the rule that says "drop all packets from network 115.84.0.0".
If, on the other hand, variant no. 2 with -A (append) is used, then the new rule is "appended" at the top of the rule stack, where it will have priority before another existing rule that says "accept traffic to port 25".
After doing improper and irregular modifications of the SME server firewall for years, I know two things can or will happen sooner or later:
1. The not so bad, but bad enough thing: Your "extra rules" will be removed by the server, and from time to time you will notice that they are not there, and you will have to apply them again.
2. The bad variant: The server will lock off completely, the firewall will block all connections, no traffic will be allowed to go in and out and you will not be able to make a ssh logon.
I don't know why this locking of the firewall occurs (when doing improper firewall modifications). It did not use to happen on the earlier versions of the SME server, but it has happened a couple of times for me, doing improper modifications of the 7.x firewall.
The procedure in the FAQ uses -A and not -I, which should put the new blocking rule in the right position. Also, a correct procedure, modifying the templates, will not have the other side effects, like rules that just disappear into thin air, or a locked server/gateway. So "the FAQ way" should definitely be the right way of doing it.
A little question to besterl:
/sbin/iptables -A INPUT -s 115.84.0.0/16 -j DROP
This statement says something like: Drop all packets with IP source addresses in the range from 115.84.1.1 to 115.84.254.254.
The FAQ only mentions how to block one IP at a time, but what you mention is to block ranges of 254x254 IPs, one for each line.
For a basic iptables firewall, using ranges this way does work, and I guess it will work for the SME server as well, even though I think that the FAQ does not mention it explicitly.
When you do it like this, blocking 254x254 source addresses line by line, you do it quite effectively, and there are a lot of source IP addresses that are locked out, something like 200x254x254.
How can you know that those source addresses are the right ones? Could it be that you are blocking more than the unwanted traffic?
(I'm curious because I would like to use the list myself, if I knew which ones those IPs are.)
By the way, I am not doing improper and "illegal" modifications of the SME server firewall any more.
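
One way to check the question raised above, whether range rules block more than the unwanted traffic, is to compare the DROP ranges against sender addresses you know to be legitimate. This is an added example, not part of the original post or of the SME server; the rule list and the known-good addresses are constructed samples (only 115.84.0.0/16 comes from the thread), and the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed sample rules in the form used in the thread. Only 115.84.0.0/16
# is from the thread; the other addresses are documentation-range placeholders.
SAMPLE_RULES = """\
/sbin/iptables -A INPUT -s 115.84.0.0/16 -j DROP
/sbin/iptables -A INPUT -s 198.51.100.0/24 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -s 203.0.113.7 -j DROP
"""

# Constructed sample: sources of mail you know is wanted (e.g. from the mail log).
KNOWN_GOOD = ["115.84.12.34", "192.0.2.10", "203.0.113.7", "203.0.113.8"]


def parse_drop_sources(text):
    """Return the networks named by rule lines of the form '-s <addr> -j DROP'."""
    nets = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if "-s" in tok[:-1] and tok[-2:] == ["-j", "DROP"]:
            src = tok[tok.index("-s") + 1]
            # strict=False tolerates host bits set in front of a prefix length
            nets.append(ipaddress.ip_network(src, strict=False))
    return nets


def blocked_address_count(nets):
    """Number of distinct addresses covered, after merging overlapping ranges."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def overblocked(nets, good_ips):
    """Map each known-good address to the first DROP range that would catch it."""
    hits = {}
    for ip in good_ips:
        addr = ipaddress.ip_address(ip)
        match = next((n for n in nets if addr in n), None)
        if match is not None:
            hits[ip] = str(match)
    return hits


if __name__ == "__main__":
    nets = parse_drop_sources(SAMPLE_RULES)
    print("addresses blocked:", blocked_address_count(nets))
    for ip, net in overblocked(nets, KNOWN_GOOD).items():
        print(f"{ip} is a known-good sender but matches DROP {net}")
```

Any address reported by `overblocked` is wanted traffic that the list would drop, which is the signal to narrow or remove that range before applying it.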
