iptables not blocking access via ports?
I’m running Debian 8.11 with `iptables` v1.4.21 and `ipset` v6.23, protocol version: 6.
I’m trying to block access to certain ports for all but a small set of hosts, but it doesn’t seem to be working.
First of all, I put a small list of IP addresses into an `ipset` list called `allowed-hosts`. Then, after running `sudo /sbin/iptables -F` and `sudo /sbin/iptables -X`, I issue the following commands:

```
sudo /sbin/iptables -I INPUT -p tcp -m multiport --destination-port 110,143,993,995 -j DROP
sudo /sbin/iptables -I INPUT -p tcp -m multiport --destination-port 110,143,993,995 -m set --match-set allowed-hosts src -j ACCEPT
```
However, even after doing this, clients from IP addresses that are not present in `allowed-hosts` are still successfully connecting to all of the named ports. There are no other `iptables` rules in effect.

Here are the results of `sudo /sbin/iptables -L` …
```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             multiport dports pop3,imap2,imaps,pop3s match-set allowed-hosts src
DROP       tcp  --  anywhere             anywhere             multiport dports pop3,imap2,imaps,pop3s

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
And here are the results of `sudo /sbin/iptables-save` …
```
# Generated by iptables-save v1.4.21 on Wed Jun 8 11:53:09 2022
*security
:INPUT ACCEPT [16777464:2727427757]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18889599:33356814491]
COMMIT
# Completed on Wed Jun 8 11:53:09 2022
# Generated by iptables-save v1.4.21 on Wed Jun 8 11:53:09 2022
*raw
:PREROUTING ACCEPT [21444955:3000669583]
:OUTPUT ACCEPT [18889599:33356814491]
COMMIT
# Completed on Wed Jun 8 11:53:09 2022
# Generated by iptables-save v1.4.21 on Wed Jun 8 11:53:09 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Jun 8 11:53:09 2022
# Generated by iptables-save v1.4.21 on Wed Jun 8 11:53:09 2022
*mangle
:PREROUTING ACCEPT [21444955:3000669583]
:INPUT ACCEPT [21444952:3000669415]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18889599:33356814491]
:POSTROUTING ACCEPT [18889599:33356814491]
COMMIT
# Completed on Wed Jun 8 11:53:09 2022
# Generated by iptables-save v1.4.21 on Wed Jun 8 11:53:09 2022
*filter
:INPUT ACCEPT [2130649:527089827]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4465281:1887206637]
-A INPUT -p tcp -m multiport --dports 110,143,993,995 -m set --match-set allowed-hosts src -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,143,993,995 -j DROP
COMMIT
# Completed on Wed Jun 8 11:53:09 2022
```
What might I be doing incorrectly?
Thank you in advance.
**UPDATE**
First of all, "src" indeed is being specified, contrary to what was suggested in the comment below. It appears in the "… src -j ACCEPT" line, above.
Secondly, the syntax of these `iptables` commands that I am using comes from what is shown both in the `iptables` docs and in discussions that were found via web searches.
Thirdly, look above at the `iptables -L` output. This clearly shows that connections to the ports should be accepted from source=anywhere to destination=anywhere for the IP addresses in the `allowed-hosts` list. This also clearly shows that connections to the ports should be dropped from source=anywhere to destination=anywhere for the IP addresses that are not in the `allowed-hosts` list.

At least that’s what `iptables` seems to be telling me. However, connections to these ports from IP addresses that are not in the `allowed-hosts` list are still being accepted on my machine.
Also, if I do `ipset test allowed-hosts aaa.bbb.ccc.ddd`, where "aaa.bbb.ccc.ddd" represents an IP address which is not in `allowed-hosts`, I properly get the following output:

```
aaa.bbb.ccc.ddd is NOT in set allowed-hosts.
```

And if I do `ipset test allowed-hosts www.xxx.yyy.zzz`, where "www.xxx.yyy.zzz" represents an IP address which is in `allowed-hosts`, I properly get the following output:

```
www.xxx.yyy.zzz is in set allowed-hosts.
```
Looking at the output from `iptables-save`, above, what else in my configuration could be causing these connections to ports not in `allowed-hosts` to be accepted?
Thank you again, in advance.
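The quickest way to tell whether a rule like the DROP above is really never matching (as opposed to the traffic being seen somewhere else, as turned out to be the case here) is to read the per-rule packet counters from `iptables -L INPUT -v -n -x --line-numbers` before and after a test connection from a host that is not in the set. The following Python is an added example, not code from the original poster; the two snapshots it parses are constructed to look like that output and are not from the poster's machine.

```python
"""Check that the ACCEPT(set)/DROP pair for the mail ports is ordered correctly
and is actually matching packets, using `iptables -L INPUT -v -n -x --line-numbers`
output. Added example; BEFORE/AFTER below are constructed snapshots."""
from dataclasses import dataclass

# `iptables -v` without -x abbreviates large counters (e.g. "527K"); accept both.
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def _count(field: str) -> int:
    if field[-1] in _SUFFIX:
        return int(field[:-1]) * _SUFFIX[field[-1]]
    return int(field)


@dataclass
class Rule:
    num: int
    pkts: int
    target: str
    match: str  # trailing match text, e.g. "multiport dports ... match-set allowed-hosts src"


def parse_counters(text: str) -> list:
    """Parse the numbered rule lines; the 'Chain' and column-header lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 10)  # num pkts bytes target prot opt in out src dst [match]
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        match = parts[10].strip() if len(parts) > 10 else ""
        rules.append(Rule(int(parts[0]), _count(parts[1]), parts[3], match))
    return rules


def mail_rule_pair(rules, ports="110,143,993,995", set_name="allowed-hosts"):
    """Return (accept_rule, drop_rule) for the given ports.

    Raises ValueError if either rule is missing or if DROP sits above ACCEPT:
    iptables evaluates top-down, so a DROP first would lock out the allowed
    hosts too (`iptables -I` inserts at the top, which is why the question's
    command order, DROP first then ACCEPT, ends with ACCEPT on line 1)."""
    dports = f"dports {ports}"
    accept = next((r for r in rules if r.target == "ACCEPT" and dports in r.match
                   and f"match-set {set_name} src" in r.match), None)
    drop = next((r for r in rules if r.target == "DROP" and dports in r.match
                 and "match-set" not in r.match), None)
    if accept is None or drop is None:
        raise ValueError(f"missing ACCEPT(set)/DROP pair for dports {ports}")
    if accept.num > drop.num:
        raise ValueError("DROP is evaluated before ACCEPT; allowed hosts would be blocked")
    return accept, drop


def ordered_correctly(snapshot: str) -> bool:
    try:
        mail_rule_pair(parse_counters(snapshot))
        return True
    except ValueError:
        return False


def drop_delta(before: str, after: str) -> int:
    """Packets the DROP rule caught between two snapshots taken before and after
    a test connection from a host that is NOT in the set. Zero means the rule
    never saw the traffic, which is the real 'not blocking' symptom to chase."""
    _, d0 = mail_rule_pair(parse_counters(before))
    _, d1 = mail_rule_pair(parse_counters(after))
    return d1.pkts - d0.pkts


# Constructed snapshots (not real output): the DROP counter moves from 88 to 91
# after a test connection from a host outside the set.
BEFORE = """\
Chain INPUT (policy ACCEPT 2130649 packets, 527089827 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1512     120960 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 110,143,993,995 match-set allowed-hosts src
2          88       5280 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 110,143,993,995
"""
AFTER = BEFORE.replace("2          88       5280 DROP", "2          91       5460 DROP")

if __name__ == "__main__":
    print("ordered:", ordered_correctly(BEFORE), "drop delta:", drop_delta(BEFORE, AFTER))
```

In practice take the first snapshot, run something like `nc -vz <server> 110` from a host that is not in the set, take the second snapshot, and expect a positive delta on the DROP line; a delta of zero with the connection still succeeding would point at the packets not reaching this rule at all.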
It turns out that this is working, after all. I am very, very sorry for the false alarm.
I incorrectly thought that it wasn’t working properly for the following reason …
I am using both `postfix` and `dovecot`, and I have set up `postfix` to use `dovecot` to perform its authentication services. I have set up `dovecot` to write its debug and logging messages to a file called `/var/log/mailclient.log`, while `postfix` is configured to log via `syslog`.
I wasn’t thinking clearly, and forgot about the fact that `postfix`’s authentication attempts would also cause entries to appear in this same `dovecot` log file, given that `dovecot` is the one that is performing this `postfix` authentication.
I am only using my `iptables` rules to block `pop3` and `imap` (ports 110, 143, 993, and 995), and I am not blocking `postfix`’s ports.
Given this way in which I set up `postfix` authentication, there are entries in that `/var/log/mailclient.log` file for all of the `postfix` login attempts, as well as for the `dovecot` login attempts. I was not paying attention well when reading those entries in this log file, and I mistakenly thought that they were login attempts for `pop3` and `imap`, instead of `smtp` login attempts. Therefore, I mistook these `smtp` login attempts (which I am not blocking) for `pop3` and `imap` login attempts.
Once I understood my error, I more carefully examined and analyzed my `dovecot` log file, and I now realize that indeed, none of the `pop3` nor `imap` connections are coming to `dovecot`, except for those which originate from the small subset of hosts which I have put into my "allowed-hosts" `ipset` list.
Therefore, the `iptables` entries that I have listed above are indeed working properly, after all.
Once again, I apologize for my false alarm, and I’m just glad that this is working.
Perhaps this question and discussion could help someone else in the future who might make the same mistake as I made.
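The mistake described above is easy to make because Dovecot's auth process logs SMTP AUTH verifications done on Postfix's behalf into the same file as real POP3/IMAP logins. The following Python is an added example, not the poster's code: it separates `*-login:` lines (evidence of a TCP connection that actually reached a Dovecot listener, whether or not the login succeeded) from `auth:` lines carrying `service=smtp` (Postfix asking Dovecot to check a password over the auth socket, which never touches ports 110/143/993/995), and then flags any POP3/IMAP connection whose `rip=` is outside the allowed networks. The sample log lines are constructed and only modeled on Dovecot's `imap-login: Info: Login:` and auth-debug `client in: AUTH ... service=... rip=...` formats; the allowed network list stands in for the `allowed-hosts` ipset.

```python
"""Tell Postfix SASL auth apart from real POP3/IMAP connections in a Dovecot
log, then report POP3/IMAP connections from outside the allowed set, which
would be the only true evidence that the firewall rules are not working.
Added example with constructed log lines (not the poster's real log)."""
import ipaddress
import re
from collections import Counter

# Constructed lines modeled on Dovecot's login and auth-debug formats.
SAMPLE_LOG = """\
Jun 08 11:40:01 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, mpid=2001, TLS, session=<a1>
Jun 08 11:40:05 auth: Debug: client in: AUTH\t1\tPLAIN\tservice=smtp\tsecured\tsession=<s1>\tlip=198.51.100.5\trip=203.0.113.77\tresp=<hidden>
Jun 08 11:40:06 auth: Debug: client in: AUTH\t2\tPLAIN\tservice=smtp\tsecured\tsession=<s2>\tlip=198.51.100.5\trip=198.51.100.200\tresp=<hidden>
Jun 08 11:40:09 pop3-login: Info: Login: user=<bob>, method=PLAIN, rip=203.0.113.11, lip=198.51.100.5, mpid=2002, TLS, session=<p1>
Jun 08 11:40:12 imap-login: Info: Disconnected (auth failed, 1 attempts in 4 secs): user=<root>, method=PLAIN, rip=192.0.2.99, lip=198.51.100.5, TLS, session=<a2>
Jun 08 11:40:15 auth: Debug: client in: AUTH\t3\tPLAIN\tservice=imap\tsecured\tsession=<a3>\tlip=198.51.100.5\trip=203.0.113.10\tresp=<hidden>
"""

LINE_RE = re.compile(r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<proc>[\w-]+)(?:\(\d+\))?: (?P<rest>.*)$")
RIP_RE = re.compile(r"\brip=(?P<ip>[0-9a-fA-F.:]+)")
SVC_RE = re.compile(r"\bservice=(?P<svc>\w+)")


def classify(line: str):
    """Return (service, remote_ip, kind) or None for lines without a remote IP.

    kind == "network": a <service>-login line, i.e. a TCP connection reached a
    Dovecot listener (a failed login still counts: the packet got through).
    kind == "sasl": an auth-process line; for service=smtp this is Postfix
    verifying SMTP AUTH through Dovecot and involves no POP3/IMAP port."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proc, rest = m.group("proc"), m.group("rest")
    rip = RIP_RE.search(rest)
    if not rip:
        return None
    if proc.endswith("-login"):
        return proc[: -len("-login")], rip.group("ip"), "network"
    if proc == "auth":
        svc = SVC_RE.search(rest)
        return (svc.group("svc") if svc else "unknown"), rip.group("ip"), "sasl"
    return None


def firewall_leaks(log_text: str, allowed_nets, blocked_services=("imap", "pop3")):
    """POP3/IMAP connections that reached Dovecot from outside the allowed
    networks (CIDR or single addresses, like an ipset hash:net/hash:ip).
    Any entry here means the DROP rule really is not doing its job."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_nets]
    leaks = []
    for line in log_text.splitlines():
        c = classify(line)
        if c is None:
            continue
        svc, ip, kind = c
        if kind != "network" or svc not in blocked_services:
            continue  # SASL checks for smtp are expected from anywhere
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            leaks.append((svc, ip))
    return leaks


def summary(log_text: str) -> Counter:
    """Count (kind, service) pairs so smtp SASL traffic shows up separately
    from real pop3/imap connections instead of being lumped together."""
    counts = Counter()
    for line in log_text.splitlines():
        r = classify(line)
        if r:
            counts[(r[2], r[0])] += 1
    return counts


if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
    print("leaks:", firewall_leaks(SAMPLE_LOG, ["203.0.113.0/24"]))
```

With the constructed input, the two `service=smtp` lines from addresses outside 203.0.113.0/24 are reported as SASL activity and not as leaks, while the single `imap-login` line from 192.0.2.99 is flagged, which is exactly the distinction that was missed when reading the log by eye.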