LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-04-2003, 10:51 AM   #1
mm_jth
LQ Newbie
 
Registered: Nov 2003
Location: Birmingham, Alabama
Distribution: Redhat 7.3
Posts: 2

Rep: Reputation: 0
iptables DROP command


I have a Redhat 7.3 firewall between a Microsoft Ethernet and the Internet. We have been experiencing a series of unauthorized login attempts. I've determined the IP address ranges involved in these login attempts and I've entered the following DROP commands in iptables to block further login attempts:

iptables -A INPUT -s 200.0.0.0/24 -j DROP
iptables -A INPUT -s 218.0.0.0/24 -j DROP
iptables -A INPUT -s 219.0.0.0/24 -j DROP
iptables -A INPUT -s 168.226.0.0/24 -j DROP

All but one of these commands displays like the following example when displaying a listing of iptables:

DROP all -- 200.0.0.0/24 anywhere

The command, iptables -A INPUT -s 219.0.0.0/24 -j DROP, displays as:

DROP all -- YahooBB219000000000.bbtee.net/24 anywhere.

Unauthorized login attempts received from the 219 IP address range have continued, while the other three IP address ranges have had no further attempts recorded since I entered these commands in iptables.

I've also entered this command in iptables, attempting to block this hole.
iptables -A INPUT -s 219.153.0.0/24 -j DROP

After all these entries, I'm still receiving unauthorized login attempts from IP addresses:

219.153.151.200
219.153.151.77
219.153.150.251
219.153.153.215

Can you explain why I'm receiving the strange Yahoo listing in iptables when I enter the iptables -A INPUT -s 219.0.0.0/24 -j DROP command while the other commands I've entered do not exhibit these strange results?

Is there anything you can offer to assist me in blocking packets received from IP addresses 219.0.0.0 through 219.255.255.255?

Thanks
 
Old 11-04-2003, 04:05 PM   #2
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Well the problem is:

Quote:
--append -A chain Append to chain
You probably want:

iptables -I INPUT 0 -s 219.153.151.0/24 -j DROP

this will insert it as the FIRST rule in the input chain (this is the location it should be).
 
Old 11-06-2003, 02:23 PM   #3
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Re: iptables DROP command

Quote:
Originally posted by mm_jth
I've also entered this command in iptables, attempting to block this hole.
iptables -A INPUT -s 219.153.0.0/24 -j DROP
For starters, this is only going to block 219.153.0.0 through 219.153.0.255. If you want to block the whole range that is assigned to APNIC, then use 219.0.0.0/8. This is a really large range to block. You may want to check the APNIC website to see where these IP addresses have been assigned and block only those subnets.
 
Old 11-06-2003, 04:15 PM   #4
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
For more information about CIDR check

http://www.petri.co.il/what's_cidr.htm
 
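An added example, not code from the thread or from any of the posters, that models in plain sh what posts #2, #3 and #4 explain: how a /24 versus /8 prefix (the netmask 255.255.255.0 versus 255.0.0.0) decides whether a source such as 219.153.151.200 matches a rule, and why a DROP appended with -A behind an earlier ACCEPT never fires while the same rule inserted with -I at the top does. The two rule lists CHAIN_APPENDED and CHAIN_INSERTED are constructed to mimic a two-rule INPUT chain evaluated top to bottom, first match wins; no real iptables is invoked, so it runs wherever a POSIX shell does.

```shell
#!/bin/sh
# Added example (not from the thread): a tiny first-match model of an
# iptables chain, enough to check which CIDR prefixes cover a given source.

# ip_to_int 219.153.151.200 -> 3684276168 (dotted quad to 32-bit integer)
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# prefix_to_mask 8 -> 4278190080 (the integer form of 255.0.0.0)
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then echo 0; return; fi
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# mask_to_dotted 4278190080 -> 255.0.0.0 (what iptables-save shows for /8)
mask_to_dotted() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_match ADDR NET/PREFIX -> exit status 0 when ADDR lies inside NET/PREFIX
cidr_match() {
    net=${2%/*}
    prefix=${2#*/}
    mask=$(prefix_to_mask "$prefix")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Constructed chains, one "SOURCE TARGET" rule per line, as "iptables -L INPUT"
# would list them. CHAIN_APPENDED is what -A produces behind an existing
# ACCEPT; CHAIN_INSERTED is the same DROP placed first with -I.
CHAIN_APPENDED="0.0.0.0/0 ACCEPT
219.0.0.0/8 DROP"
CHAIN_INSERTED="219.0.0.0/8 DROP
0.0.0.0/0 ACCEPT"

# verdict CHAIN ADDR POLICY -> target of the first matching rule, else POLICY
verdict() {
    chain=$1
    addr=$2
    result=$3
    while read -r src target; do
        if cidr_match "$addr" "$src"; then
            result=$target
            break
        fi
    done <<EOF
$chain
EOF
    echo "$result"
}

# Demonstration: the prefixes from the thread against one of the offending hosts.
for net in 219.0.0.0/24 219.153.0.0/24 219.153.151.0/24 219.0.0.0/8; do
    if cidr_match 219.153.151.200 "$net"; then r=match; else r="no match"; fi
    echo "219.153.151.200 vs $net (mask $(mask_to_dotted "$(prefix_to_mask "${net#*/}")")): $r"
done
echo "DROP appended after ACCEPT -> $(verdict "$CHAIN_APPENDED" 219.153.151.200 ACCEPT)"
echo "DROP inserted at the top   -> $(verdict "$CHAIN_INSERTED" 219.153.151.200 ACCEPT)"
```

cidr_match and verdict are the pieces worth checking: 219.0.0.0/24 and 219.153.0.0/24 both miss 219.153.151.200, while 219.153.151.0/24 and 219.0.0.0/8 cover it, and the appended DROP is never reached because the catch-all ACCEPT above it wins. On the real firewall, iptables -L INPUT -n lists sources numerically instead of reverse-resolving them, which is where the YahooBB hostname in post #1 came from, and adding --line-numbers shows the rule positions, which start at 1.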
Old 11-07-2003, 09:05 AM   #5
mm_jth
LQ Newbie
 
Registered: Nov 2003
Location: Birmingham, Alabama
Distribution: Redhat 7.3
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you both markus1982 and stickman.

markus1982, I've inserted the DROP rules at the top of the table. It didn't like the 0 after INPUT but worked fine when I let it default to the top of the table. All the rules display properly now. Do you have any idea why I was receiving the strange "DROP all -- YahooBB219000000000.bbtee.net/24 anywhere" listing when I had appended this rule to the end of the table, but receive -A INPUT -s 219.0.0.0/255.0.0.0 -j DROP when inserting it at the top of the table? The advice I've received from you and stickman all makes sense to me with the exception of this issue.

I've checked with APNIC and would like to block this entire range. We've been receiving unauthorized login attempts both through APNIC and LACNIC. As we do not do business in either of these regions, I would like to throw as large a net as possible.

I've modified the rules as you've suggested and inserted them at the top of the table. Thanks for the pointer to the CIDR information. That cleared up my confusion with the rule notation. This is what the top of the table looks like now:

[0:0] -A INPUT -s 168.226.0.0/255.255.0.0 -j DROP
[0:0] -A INPUT -s 200.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 218.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 219.0.0.0/255.0.0.0 -j DROP


Thanks for all your help. Just one more quick question you may be able to help me with. I notice the notation at the start of each rule line [0:0] doesn't denote rule numbers. Does the numbering of rules in iptables start with 0 or 1?

mm_jth
 
Old 11-07-2003, 11:22 AM   #6
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Quote:
I've inserted the DROP rules at the top of the table. It didn't like the 0 after INPUT but worked fine when I let it default to the top of the table. All the rules display properly now.
Well, it would probably have been 1 then ... it has been ages since I used something like this.
Quote:
Do you have any idea why I was receiving the strange "DROP all -- YahooBB219000000000.bbtee.net/24 anywhere" listing when I had appended this rule to the end of the table, but receive -A INPUT -s 219.0.0.0/255.0.0.0 -j DROP when inserting it at the top of hte table?
This is just what it resolves to.

Quote:
I notice the notation at the start of each rule line [0:0] doesn't denote rule numbers. Does the numbering of rules in iptables start with 0 or 1?
This is simple:
[packets:bytes]

could also be kbytes or mbytes depending on the traffic...
 
All times are GMT -5.