Hello, can someone help me?
I have a server running AlmaLinux 8.8.
I serve HTTPS, but when I try to send many requests to the server,
something in the system adds a firewall rule,
and the traffic is blocked for about 2-5 minutes.
I checked the services. It's only iptables for network management:
[root@apps ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@apps ~]# systemctl status nftables
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:nft(8)
[root@apps ~]# systemctl status fail2ban
Unit fail2ban.service could not be found.
This is the iptables rule that is added:
[root@apps ~]# iptables -S | grep 190.x.x.6
-A INPUT -s 190.x.x.6/32 -j DROP
-A FORWARD -s 190.x.x.6/32 -j DROP
The kernel uses nftables, and the iptables tool is a mere wrapper around nft that does not show the entire ruleset. In order to see the whole ruleset, do:
sudo nft list ruleset
Although, if you really have nothing that would add anything, then there should be no rules at all.
This is what is happening:
random IPs are being blocked,
and the rules are not persistent.
[root@apps juan.alfonso]# iptables -S | grep DROP
-P FORWARD DROP
-A INPUT -s 61.177.172.136/32 -j DROP
-A INPUT -s 146.190.98.93/32 -j DROP
-A FORWARD -s 61.177.172.136/32 -j DROP
-A FORWARD -s 146.190.98.93/32 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[root@apps juan.alfonso]# iptables -S | grep DROP
-P FORWARD DROP
-A INPUT -s 49.234.53.247/32 -j DROP
-A INPUT -s 201.130.126.166/32 -j DROP
-A INPUT -s 185.70.182.163/32 -j DROP
-A INPUT -s 78.153.140.30/32 -j DROP
-A INPUT -s 109.237.96.124/32 -j DROP
-A INPUT -s 218.92.0.29/32 -j DROP
-A FORWARD -s 49.234.53.247/32 -j DROP
-A FORWARD -s 201.130.126.166/32 -j DROP
-A FORWARD -s 185.70.182.163/32 -j DROP
-A FORWARD -s 78.153.140.30/32 -j DROP
-A FORWARD -s 109.237.96.124/32 -j DROP
-A FORWARD -s 218.92.0.29/32 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[root@apps juan.alfonso]#
I'll repeat: nft list ruleset shows all rules that are in the kernel. iptables -S shows only a subset.
If you boot with no service that would add rules to the kernel, then there should be no rules at all (as shown by nft list ruleset). Nothing should set the policy to DROP for chain FORWARD either. In fact, there should not be any chain FORWARD. (The first run of iptables -S does add some empty chains.)
If the machine does boot with no rules and all the rules that mysteriously pop in look like they were added by iptables, then whatever adds them does so via iptables commands.
You do have Docker running. Does it by any chance adjust firewall rules?
Yes, I am working with Docker.
I'll find out exactly how Docker manipulates the iptables rules,
and yes, something adds rules.
Let's show how it happens.
IP addresses are added to the drop policy:
[root@apps /]# date & nft list ruleset | grep drop
[1] 947252
Tue Nov 7 08:53:06 -05 2023
ip saddr 106.58.179.130 counter packets 19 bytes 1456 drop
ip saddr 125.39.182.205 counter packets 62 bytes 3672 drop
ip saddr 58.221.60.227 counter packets 70 bytes 4516 drop
ip saddr 165.232.46.80 counter packets 25 bytes 2720 drop
type filter hook forward priority filter; policy drop;
ip saddr 106.58.179.130 counter packets 0 bytes 0 drop
ip saddr 125.39.182.205 counter packets 0 bytes 0 drop
ip saddr 58.221.60.227 counter packets 0 bytes 0 drop
ip saddr 165.232.46.80 counter packets 0 bytes 0 drop
oifname "docker0" counter packets 0 bytes 0 drop
[1]+ Done date
[root@apps /]#
[root@apps /]# date & nft list ruleset | grep drop
[1] 947416
Tue Nov 7 08:53:19 -05 2023
ip saddr 106.58.179.130 counter packets 19 bytes 1456 drop
ip saddr 125.39.182.205 counter packets 63 bytes 3732 drop
ip saddr 58.221.60.227 counter packets 70 bytes 4516 drop
ip saddr 165.232.46.80 counter packets 25 bytes 2720 drop
type filter hook forward priority filter; policy drop;
ip saddr 106.58.179.130 counter packets 0 bytes 0 drop
ip saddr 125.39.182.205 counter packets 0 bytes 0 drop
ip saddr 58.221.60.227 counter packets 0 bytes 0 drop
ip saddr 165.232.46.80 counter packets 0 bytes 0 drop
oifname "docker0" counter packets 0 bytes 0 drop
[1]+ Done date
[root@apps /]#
Here there is one more IP in the drop list:
[root@apps /]# date & nft list ruleset | grep drop
[1] 947515
Tue Nov 7 08:53:29 -05 2023
ip saddr 52.184.202.95 counter packets 9 bytes 1125 drop
ip saddr 106.58.179.130 counter packets 19 bytes 1456 drop
ip saddr 125.39.182.205 counter packets 63 bytes 3732 drop
ip saddr 58.221.60.227 counter packets 74 bytes 4756 drop
type filter hook forward priority filter; policy drop;
ip saddr 52.184.202.95 counter packets 0 bytes 0 drop
ip saddr 106.58.179.130 counter packets 0 bytes 0 drop
ip saddr 125.39.182.205 counter packets 0 bytes 0 drop
ip saddr 58.221.60.227 counter packets 0 bytes 0 drop
oifname "docker0" counter packets 0 bytes 0 drop
[1]+ Done date
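The snapshots above were taken by hand, a few seconds apart, and compared by eye. The script below is an added example (not posted by anyone in this thread) that automates that comparison: it reads the kernel ruleset via nft list ruleset, the full view the second answer insists on rather than the iptables -S subset, extracts every source address carrying a drop verdict, and reports which addresses appeared or disappeared between two snapshots. The two embedded snapshots are constructed for the demo and only mimic the shape of the thread's output; the function names, the polling interval and the temp-file handling are this example's own choices.

```shell
#!/bin/sh
# Added example: diff `nft list ruleset` snapshots for dropped source IPs.
# Not from the thread; all function names below are this example's own.
LC_ALL=C
export LC_ALL

# Print the unique source IPs that have a `drop` verdict in an nft ruleset
# dump read on stdin. Counter values and chain wrappers are ignored, and an
# IP that is dropped in both INPUT and FORWARD is reported once.
drop_sources() {
    awk '$1 == "ip" && $2 == "saddr" && $NF == "drop" { print $3 }' | sort -u
}

# Compare two snapshot files: "+IP" for an address that gained a drop rule
# in the second snapshot, "-IP" for one whose drop rule disappeared.
ruleset_diff() {
    old_tmp=$(mktemp); new_tmp=$(mktemp)
    drop_sources < "$1" > "$old_tmp"
    drop_sources < "$2" > "$new_tmp"
    # comm(1) on sorted input: column 2 = only in new, column 1 = only in old.
    comm -13 "$old_tmp" "$new_tmp" | sed 's/^/+/'
    comm -23 "$old_tmp" "$new_tmp" | sed 's/^/-/'
    rm -f "$old_tmp" "$new_tmp"
}

# Live use (root, nft installed): poll the kernel ruleset and timestamp each
# change so it can be lined up with journalctl and container logs.
watch_drops() {
    interval=${1:-5}
    prev=$(mktemp); cur=$(mktemp)
    nft list ruleset > "$prev"
    while sleep "$interval"; do
        nft list ruleset > "$cur"
        changes=$(ruleset_diff "$prev" "$cur")
        [ -n "$changes" ] && printf '%s\n%s\n' "$(date '+%F %T')" "$changes"
        cp "$cur" "$prev"
    done
}

# Constructed snapshot 1: shape copied from the thread's iptables-nft rules.
snapshot_1() {
cat <<'EOF'
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		ip saddr 106.58.179.130 counter packets 19 bytes 1456 drop
		ip saddr 125.39.182.205 counter packets 62 bytes 3672 drop
		ip saddr 58.221.60.227 counter packets 70 bytes 4516 drop
		ip saddr 165.232.46.80 counter packets 25 bytes 2720 drop
	}
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		ip saddr 106.58.179.130 counter packets 0 bytes 0 drop
		ip saddr 125.39.182.205 counter packets 0 bytes 0 drop
		ip saddr 58.221.60.227 counter packets 0 bytes 0 drop
		ip saddr 165.232.46.80 counter packets 0 bytes 0 drop
		oifname "docker0" counter packets 0 bytes 0 drop
	}
}
EOF
}

# Constructed snapshot 2: one address expired, one new one added.
snapshot_2() {
cat <<'EOF'
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		ip saddr 52.184.202.95 counter packets 9 bytes 1125 drop
		ip saddr 106.58.179.130 counter packets 19 bytes 1456 drop
		ip saddr 125.39.182.205 counter packets 63 bytes 3732 drop
		ip saddr 58.221.60.227 counter packets 74 bytes 4756 drop
	}
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		ip saddr 52.184.202.95 counter packets 0 bytes 0 drop
		ip saddr 106.58.179.130 counter packets 0 bytes 0 drop
		ip saddr 125.39.182.205 counter packets 0 bytes 0 drop
		ip saddr 58.221.60.227 counter packets 0 bytes 0 drop
		oifname "docker0" counter packets 0 bytes 0 drop
	}
}
EOF
}

# Offline demo on the constructed snapshots; prints "+52.184.202.95" and
# "-165.232.46.80". Replace with `watch_drops 5` on the real host.
demo() {
    a=$(mktemp); b=$(mktemp)
    snapshot_1 > "$a"; snapshot_2 > "$b"
    ruleset_diff "$a" "$b"
    rm -f "$a" "$b"
}
demo
```

Once the timestamps show when a rule lands, the next step is finding the writer. Since the second answer points out that every rule looks iptables-generated, an auditd execve watch on the iptables binary records which process (PID, parent, container cgroup) runs it; on the RHEL 8 family /usr/sbin/iptables is normally a link to xtables-nft-multi, so check the real target with readlink -f /usr/sbin/iptables before writing the audit rule.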