
Date:  Thu, 22 May 2008 20:50:12 +0100
From:  Dogsbody <dan (at mark) dogsbody.org>
Subject:  [coba-e:13046] Re: Confused...
To:  coba-e (at mark) bluequartz.org
Message-Id:  <4835CE74.40905 (at mark) dogsbody.org>
In-Reply-To:  <010101c8bc3c$f5c8db20$6400a8c0@HPPAVILION>
References:  <010101c8bc3c$f5c8db20$6400a8c0@HPPAVILION>
X-Mail-Count: 13046


> I have a given IP address from Australia that has been HTTP flooding my site
> a couple of times, and I have added the IP address to my IPTables.  I can
> see it in the IPTables listing:
> DROP       all  --  60-240-249-207.tpgi.com.au  anywhere            
> DROP       all  --  60-240-249-206.tpgi.com.au  anywhere  
> Yet, they are still able to flood my server.  How can this be?

Is there a rule earlier on in your listings that traffic would match, 
allowing it in?

Traffic coming in runs through all the rules until it hits an ALLOW, 
DROP, etc., so if there is an ALLOW before it that matches, it will never 
reach the DROP.

Make sure things like whitelists and blocklists are at the beginning of 
your iptables rules [1].

Dan

[1] Unless you have a HUGE blocklist in which case you may want it at 
the end.
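
Added example, not part of the original message: a first-match check over `iptables -S INPUT` style output that reports which rule actually decides traffic from a given source, to show how an earlier ACCEPT shadows a later DROP. The rulesets and 203.0.113.x addresses are constructed, and the function names are hypothetical; only `-s` and `-i lo` matches are evaluated.

```shell
# Input format: output of `iptables -S INPUT`. Rules and addresses below are
# constructed samples. Assumption: only "-s <addr>" and "-i lo" are evaluated;
# every other match (-p, --dport, ...) is treated as "could match".
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -s 203.0.113.8/32 -j DROP'

# Same rules with the per-host DROPs moved to the top of the chain.
FIXED_RULES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -s 203.0.113.8/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# first_verdict <ip>: rules on stdin; prints "<rule-number> <target>" for the
# first rule that can decide a packet from <ip>, or "0 POLICY" if none does.
first_verdict() {
  awk -v ip="$1" '
    $1 == "-A" {
      n++; src = ""; iface = ""; tgt = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-i") iface = $(i + 1)
        if ($i == "-j") tgt = $(i + 1)
      }
      sub(/\/32$/, "", src)
      if (iface == "lo") next               # loopback-only, not a remote host
      if (src != "" && src != ip) next      # rule names a different source
      if (tgt ~ /^(ACCEPT|DROP|REJECT)$/) { print n, tgt; found = 1; exit }
    }
    END { if (!found) print 0, "POLICY" }'
}

# check_block <ip>: rules on stdin; succeeds only if a DROP is reached first.
check_block() {
  verdict=$(first_verdict "$1")
  case "$verdict" in
    *" DROP") echo "ok: $1 is dropped by rule ${verdict% *}" ;;
    *) echo "not blocked: $1 is decided by rule ${verdict% *} (${verdict#* })"
       echo "suggested: iptables -I INPUT 1 -s $1 -j DROP"
       return 1 ;;
  esac
}

printf '%s\n' "$SAMPLE_RULES" | check_block 203.0.113.7 || true
printf '%s\n' "$FIXED_RULES" | check_block 203.0.113.7
```

On a live host the same check can be fed from `iptables -S INPUT | check_block <address>`, run as root.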