Linode Forum
PostPosted: Tue May 15, 2012 4:25 pm 

Joined: Thu Nov 24, 2011 12:46 pm
Posts: 139
Location: Mesa AZ
I'm not used to IPTABLES much... So I am most likely missing something really basic here.

I have added an IPTABLES entry for a src IP to dpt: 80, yet they are still hitting the site? BTW... I know I can block them via HTTP accept/deny rules, but I was using my tempban script which I used to block all network activity temporarily for all services, and was surprised when they still kept hitting.

output from iptables:
Code:
DROP       tcp  --  109.68.105.30        0.0.0.0/0           tcp dpt:80


in the apache logs, I see entries for that ip after the change like nothing happened.

Code:
[Tue May 15 10:02:47 2012] [error] [client 109.68.105.30] script '/www/vhosts/cumulus/bugyou.php' not found or unable to stat


Not sure why this would still be.

I originally just did a drop for that IP to everything like:

output from iptables:
Code:
DROP       all  --  109.68.105.30       0.0.0.0/0 

However, it had the same non-effect, which is where I started looking into the issue.

The two rules I used were:

for the drop all
Code:
iptables -A INPUT -s 109.68.105.30 -j DROP 


for the drop the specific port
Code:
iptables -A INPUT -i eth0 -p tcp -s 109.68.105.30 --destination-port 80 -j DROP


One possibility is that perhaps it is coming in via IPv6? But I would expect that to show in the apache logs.

Ref: If it makes a difference... the output of iptables -L -n --line-numbers:
Code:
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    fail2ban-apache  tcp  --  0.0.0.0/0            0.0.0.0/0           
2    fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           
3    fail2ban-ssh-ddos  tcp  --  0.0.0.0/0            0.0.0.0/0           
4    fail2ban-apache-noscript  tcp  --  0.0.0.0/0            0.0.0.0/0           
5    fail2ban-dovecot-pop3imap  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 110,143
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
7    REJECT     all  --  0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2222
12   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2025
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
16   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
17   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
18   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:50000:50050
19   LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
20   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
21   DROP       all  --  188.32.251.111       0.0.0.0/0           
22   DROP       all  --  110.82.210.117       0.0.0.0/0           
23   DROP       all  --  98.111.6.197         0.0.0.0/0           
24   DROP       tcp  --  109.68.105.30        0.0.0.0/0           tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-noscript (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-dovecot-pop3imap (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh-ddos (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0   

_________________
Kevin a.k.a. Dweeber


Last edited by Dweeber on Tue May 15, 2012 6:47 pm, edited 1 time in total.

PostPosted: Tue May 15, 2012 5:27 pm 

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Their packets are matching INPUT line 9 (accept tcp dpt:80), so the drop on INPUT line 24 is never being hit. (Indeed, nothing after line 20 should ever hit.)

_________________
Code:
/* TODO: need to add signature to posts */


PostPosted: Tue May 15, 2012 6:44 pm 

Joined: Thu Nov 24, 2011 12:46 pm
Posts: 139
Location: Mesa AZ
Okay, that makes sense. Wasn't looking at this right...

That means I just need to change my script to insert temp rules so that they go to the top of the chain.

The actual rule would look like (Using -I instead of -A).

Code:
iptables -I INPUT -s 109.68.105.30 -j DROP

or
Code:
iptables -I INPUT -i eth0 -p tcp -s 109.68.105.30 --destination-port 80 -j DROP


tempdrop script... (Won't persist past reboot or reload of rules)...
Code:
#!/bin/bash
##########################
# tempdrop: insert a DROP for an IP (or IP/CIDR) at the TOP of the INPUT
# chain so it is evaluated before the ACCEPT rules. Not persistent across
# a reboot or a reload of the rules.
if [ $# -eq 0 ]
then
   echo "$0 : Need To Provide IP or IP/CIDR to add temp drop" >&2
   exit 1
fi
echo
echo "Temp Drop IP Block [$1]"
echo "Adds temp drop for IP at the top of the chain"
echo "--------------------------------------------------------------"
# echo the same command that is actually run (-I, not -A)
echo "CMD: iptables -I INPUT -s $1 -j DROP"
iptables -I INPUT -s "$1" -j DROP
echo

_________________
Kevin a.k.a. Dweeber

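The point made in the reply (first terminating match wins, so a DROP appended with -A after an ACCEPT for dpt:80 never fires) and the fix in the follow-up (-I puts the rule at the top) can both be checked without touching a live firewall. The following is an added example, not code from the thread or from any of the posters: a small simulation of netfilter's chain walk over the INPUT chain exactly as listed in the first post. Two things are assumptions: rule 6 is modelled as `-i lo` (plain `iptables -L` hides the interface column; `iptables -L -n -v --line-numbers` shows it, plus per-rule packet counters, which is the quickest way to see which rule a client is really hitting), and the fail2ban chains are modelled as the single RETURN each of them contains, i.e. no-ops. The server address and the test packets are constructed.

```python
"""Simulate netfilter's first-match walk of the INPUT chain from the thread.
Added example, not from the original post.  Rule 6 is ASSUMED to be an
'-i lo' accept; the fail2ban chains are modelled as listed (RETURN only)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    state: str = "NEW"              # conntrack state: NEW, ESTABLISHED, RELATED
    in_iface: str = "eth0"
    dst: str = "203.0.113.10"       # constructed server address (TEST-NET-3)


@dataclass
class Rule:
    target: str                     # ACCEPT/DROP/REJECT/LOG/RETURN or a user chain
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "all"
    dport: Optional[int] = None               # --dport N
    ports: Optional[Tuple[int, ...]] = None   # multiport / port range, as a tuple
    states: Optional[Tuple[str, ...]] = None  # -m state --state ...
    in_iface: Optional[str] = None            # -i IFACE (hidden by iptables -L without -v)

    def matches(self, p: Packet) -> bool:
        in_net = lambda a, n: ipaddress.ip_address(a) in ipaddress.ip_network(n, strict=False)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.proto in ("all", p.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.ports is None or p.dport in self.ports)
                and (self.states is None or p.state in self.states)
                and (self.in_iface is None or p.in_iface == self.in_iface))


TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def evaluate(chain: List[Rule], pkt: Packet, user_chains: Dict[str, List[Rule]],
             policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first terminating match decides the packet.
    LOG and user chains that RETURN are passed over.  Returns (verdict, 1-based
    rule number), or (policy, None) when no rule matched."""
    for num, rule in enumerate(chain, start=1):
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINATING or rule.target == "RETURN":
            return rule.target, num
        if rule.target in user_chains:   # -j user-chain; RETURN comes back here
            verdict, _ = evaluate(user_chains[rule.target], pkt, user_chains, policy="RETURN")
            if verdict != "RETURN":
                return verdict, num
    return policy, None


def append(chain: List[Rule], rule: Rule) -> List[Rule]:
    """iptables -A: the new rule becomes the last one in the chain."""
    return chain + [rule]


def insert(chain: List[Rule], rule: Rule, pos: int = 1) -> List[Rule]:
    """iptables -I [pos]: the new rule goes in at 1-based position pos (default: top)."""
    return chain[:pos - 1] + [rule] + chain[pos - 1:]


NOOP = [Rule("RETURN")]
USER_CHAINS = {n: NOOP for n in ("fail2ban-apache", "fail2ban-ssh", "fail2ban-ssh-ddos",
                                 "fail2ban-apache-noscript", "fail2ban-dovecot-pop3imap")}
# INPUT chain as listed in the first post; comment numbers match that listing
INPUT = [
    Rule("fail2ban-apache", proto="tcp"),                              # 1
    Rule("fail2ban-ssh", proto="tcp"),                                 # 2
    Rule("fail2ban-ssh-ddos", proto="tcp"),                            # 3
    Rule("fail2ban-apache-noscript", proto="tcp"),                     # 4
    Rule("fail2ban-dovecot-pop3imap", proto="tcp", ports=(110, 143)),  # 5
    Rule("ACCEPT", in_iface="lo"),                                     # 6  (assumed -i lo)
    Rule("REJECT", dst="127.0.0.0/8"),                                 # 7
    Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),                 # 8
    Rule("ACCEPT", proto="tcp", dport=80),                             # 9
    Rule("ACCEPT", proto="tcp", dport=443),                            # 10
    Rule("ACCEPT", proto="tcp", dport=2222, states=("NEW",)),          # 11
    Rule("ACCEPT", proto="icmp"),                                      # 12 (icmp type not modelled)
    Rule("ACCEPT", proto="tcp", dport=25),                             # 13
    Rule("ACCEPT", proto="tcp", dport=2025),                           # 14
    Rule("ACCEPT", proto="tcp", dport=143),                            # 15
    Rule("ACCEPT", proto="tcp", dport=110),                            # 16
    Rule("ACCEPT", proto="tcp", ports=(20, 21)),                       # 17
    Rule("ACCEPT", proto="tcp", ports=tuple(range(50000, 50051))),     # 18
    Rule("LOG"),                                                       # 19 (non-terminating)
    Rule("REJECT"),                                                    # 20 catch-all
    Rule("DROP", src="188.32.251.111"),                                # 21 never reached
    Rule("DROP", src="110.82.210.117"),                                # 22 never reached
    Rule("DROP", src="98.111.6.197"),                                  # 23 never reached
]
BAN = Rule("DROP", src="109.68.105.30", proto="tcp", dport=80)          # the rule from the post
WEB_HIT = Packet(src="109.68.105.30", proto="tcp", dport=80)             # constructed SYN to port 80


def compare_placement() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """Verdict for the banned client's request with the ban appended (-A) vs inserted (-I)."""
    return (evaluate(append(INPUT, BAN), WEB_HIT, USER_CHAINS),
            evaluate(insert(INPUT, BAN), WEB_HIT, USER_CHAINS))
```

`compare_placement()` returns `(('ACCEPT', 9), ('DROP', 1))`: appended, the ban sits at position 24 behind the port-80 ACCEPT and the catch-all REJECT at 20, so rules 21 to 24 are dead. One placement detail worth knowing when writing a ban script: `-I INPUT` (position 1) also precedes the RELATED,ESTABLISHED accept at rule 8, so the client's already-open connections are cut off as well, whereas `-I INPUT 9` would only stop new ones. On a real host, `iptables -C INPUT -s ADDR -j DROP` tells you whether the rule already exists before you insert a duplicate.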
