iptables changes suddenly by itself (SOLVED)

Posted: 2016/06/23 14:33:28
by amiredx
Hi
I have applied the following rules to my iptables:
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

but afterwards it changes to something like this:
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- 130.158.6.120 anywhere
DROP all -- a104-86-110-74.deploy.static.akamaitechnologies.com anywhere

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- !127.63.239.108 !127.20.164.105 icmp port-unreachable connmark match !0x643651f3
DROP tcp -- !127.118.196.105 !127.147.220.99 tcp spts:61001:65535 flags:RST/RST connmark match !0x776e9f8e


Applying the rules again and restarting was not effective. So I stopped some services: httpd, named, dovecot, squid, vncserver, proftpd, postfix.
Nothing changed. It's my first experience and I'm really scared of a rootkit. I tested some monitoring commands and rootkit scanners, but they show nothing.
Any suggestions are welcome.

Re: iptables changes suddenly

Posted: 2016/06/23 14:38:41
by TrevorH
Do you have something like fail2ban running?

Re: iptables changes suddenly

Posted: 2016/06/23 15:15:17
by amiredx
I know fail2ban is not installed. If you can, please guide me to similar software.

Re: iptables changes suddenly

Posted: 2016/06/24 02:09:58
by Whoever
How did you update the rules and did you save them after updating?

Re: iptables changes suddenly

Posted: 2016/06/24 22:46:21
by amiredx
I found it! It's added to the output chain filter by SoftEther VPN to enable secure NAT. Indeed it's secure.

Re: iptables changes suddenly

Posted: 2016/07/02 10:19:07
by imort
amiredx wrote: I found it! It's added to the output chain filter by SoftEther VPN to enable secure NAT. Indeed it's secure.
I recently had exactly the same issue on one of my servers.
My first experience with SoftEther I believe :)

Not used to it, OpenVPN never ever adds any iptables rules to your server, so if it's not working then it's your own problem and you need to take a look at your iptables config. I'd even write an article about that, maybe it will be helpful for someone.
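
A baseline check for the situation in this thread, as an added example that is not part of any post: it compares a saved `iptables -S` dump with the current one and reports which rules and chains changed. The function names and the sample rule text are constructed here from the listing in the first post.

```shell
#!/bin/sh
# Added example: detect iptables rule drift against a saved baseline.
# Inputs are files in `iptables -S` format. On a real host:
#   iptables -S > /root/iptables.baseline   (right after applying your rules)
#   iptables -S > /tmp/iptables.now         (later, e.g. from cron)

# Print "+ rule" for rules only in CURRENT ($2), "- rule" for rules only in BASELINE ($1).
rule_drift() {
    { grep -Fxv -f "$1" "$2" || true; } | sed 's/^/+ /'
    { grep -Fxv -f "$2" "$1" || true; } | sed 's/^/- /'
}

# List the chains that gained rules, one per line.
drift_chains() {
    rule_drift "$1" "$2" | awk '$1 == "+" && $2 == "-A" { print $3 }' | sort -u
}

# Constructed sample: the rule set from the first post, as `iptables -S` prints it.
sample_baseline() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# Constructed sample: the baseline plus three of the rules that appeared later.
sample_current() {
    sample_baseline
    cat <<'EOF'
-A INPUT -s 130.158.6.120/32 -j DROP
-A OUTPUT ! -s 127.63.239.108/32 ! -d 127.20.164.105/32 -p icmp -m icmp --icmp-type 3/3 -m connmark ! --mark 0x643651f3 -j DROP
-A OUTPUT ! -s 127.118.196.105/32 ! -d 127.147.220.99/32 -p tcp -m tcp --sport 61001:65535 --tcp-flags RST RST -m connmark ! --mark 0x776e9f8e -j DROP
EOF
}

tmp=$(mktemp -d)
sample_baseline > "$tmp/baseline"
sample_current > "$tmp/current"
rule_drift "$tmp/baseline" "$tmp/current"
echo "chains changed: $(drift_chains "$tmp/baseline" "$tmp/current" | tr '\n' ' ')"
rm -rf "$tmp"
```

The comparison ignores rule order, so it flags additions and removals but not reordering within a chain.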