On Wed, Sep 7, 2016 at 9:14 AM, Grant <emailgr...@gmail.com> wrote:
>>>> Hi, my site is being ravaged by an IP but dropping the IP via
>>>> shorewall is seeming to have no effect.  I'm using his IP from nginx
>>>> logs.  IP blocking in shorewall has always worked before.  What could
>>>> be happening?
>>>
>>>
>>> I'm blocking like this with the firewall running on the web server:
>>>
>>> /etc/shorewall/rules
>>> DROP    net:1.2.3.4      $FW
>>>
>>> Could shorewall/iptables see a different IP address than the one seen by 
>>> nginx?
>>
>>
>> Most likely the file is configured but the firewall service wasn't
>> restarted or the rules not loaded.
>
>
> I restarted shorewall plenty.  :)  I believe the issue was either a
> persistent connection which conntrack-tools would have allowed me to
> flush, or my blocking in /etc/shorewall/rules instead of
> /etc/shorewall/blrules, or both.
>

What exactly is your issue?  That is, what makes you think you even
have an issue?

The reason I ask is that all iptables is going to do is drop packets
when they reach the kernel. They still go through your network and
network card and consume some CPU (even more if you're logging them).
If you're being flooded by a very large volume of packets then that
will saturate your connection and simply dropping them at the server
won't fix the latency this will cause for the good packets.  In such
an attack you need to block those packets as far upstream as you can
before connections start getting saturated.  This might be outside of
your network perimeter.  This is why DDoS attacks are so potent: if
you use something like fail2ban to just set iptables and are done, you're
fixing the barn doors after the horses have already left.

-- 
Rich

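The check Rich's question implies (is the DROP rule actually loaded and matching anything?) and the two fixes Grant describes (blrules instead of rules, plus flushing the existing connection), as an added example that is not part of this thread. It assumes the 1.2.3.4 address from Grant's rule, a Shorewall host with a /etc/shorewall/blrules file, iptables and conntrack-tools; the parsing functions read the tools' output on stdin so they can be run against captured text without root, and the sample output in the checks is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a per-IP DROP is loaded and
# counting packets, check for surviving conntrack entries, and apply the
# blrules + conntrack-flush fix. Assumes the sample IP 1.2.3.4 (hypothetical).

# Sum the packet counters of every loaded DROP rule whose source is $1.
# Input: `iptables -nvL` on stdin. Prints the total, 0 if no such rule exists.
# A rule that is present but stuck at 0 pkts means the traffic never reaches
# it (e.g. accepted earlier as ESTABLISHED); a missing rule means not loaded.
drop_rule_pkts() {
    awk -v ip="$1" '
        $3 == "DROP" && $8 == ip { total += $1 }
        END { print total + 0 }'
}

# Count conntrack entries whose original-direction source is $1.
# Input: `conntrack -L` on stdin. The first src= token on each line is the
# original direction; the second is the reply direction and is ignored.
conntrack_entries() {
    awk -v ip="$1" '
        { for (i = 1; i <= NF; i++)
              if (index($i, "src=") == 1) { if ($i == ("src=" ip)) n++; break } }
        END { print n + 0 }'
}

# Build the /etc/shorewall/blrules line. blrules entries apply to all packets
# by default, whereas /etc/shorewall/rules entries only match NEW connections,
# so an already-open keep-alive connection sails past a rules-file DROP.
blrule_line() {
    printf 'DROP\t\tnet:%s\t\tall\n' "$1"
}

# Live procedure: needs root and the real tools, so it is not called below.
block_ip_now() {
    ip=$1
    blrule_line "$ip" >> /etc/shorewall/blrules
    shorewall restart
    # Drop the flows the old rule never saw; the next packet is then NEW and
    # hits the blacklist instead of the ESTABLISHED accept.
    conntrack -D -s "$ip"
    echo "loaded DROP pkts for $ip: $(iptables -nvL | drop_rule_pkts "$ip")"
    echo "remaining conntrack entries: $(conntrack -L 2>/dev/null | conntrack_entries "$ip")"
}
```

Run `block_ip_now 1.2.3.4` as root on the web server, then watch the printed packet count climb on repeated calls of `iptables -nvL | drop_rule_pkts 1.2.3.4`; if it climbs the rule is working at the host, which, as Rich notes, still does nothing about a link already saturated before the packets arrive.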