How to know WHY my firewall blocks a particular IP?

000

Well-Known Member
Jun 3, 2008
Hello,

When we run
Code:
journalctl --no-pager | grep "TCP_IN Blocked"
we get the "attacks" on the server.

Then I find a particular IP many, many times:
Code:
[[email protected] ~]# journalctl --no-pager | grep "TCP_IN Blocked" | grep '78.46.90.135'
Jun 18 23:55:02 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23953 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:03 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23954 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:05 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23955 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:09 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23956 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:17 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23957 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:33 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23958 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:56:05 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23959 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:02 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1343 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:03 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1344 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:05 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1345 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:09 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1346 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:17 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1347 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:33 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1348 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
thousands more ...
How can I know what rule in IPTABLES causes the BLOCK, or why this IP is blocked?

Also, why does
Code:
journalctl -n 20 --no-pager | grep "TCP_IN Blocked" | grep '78.46.90.135'
show 7 records and not 20?

000
If you are using csf then grep the IP in /var/log/lfd.log
No, master, CSF is not here.

Do you know what 0c:86:10:ed:35:02:08:00 is?

When we run
Code:
cat /sys/class/net/*/address
we get "MyMAC", and also if we run the ifconfig command.

Then what is 0c:86:10:ed:35:02:08:00:
Code:
MAC=MyMAC:0c:86:10:ed:35:02:08:00
??

quietFinn

Well-Known Member
Feb 4, 2006
1,302
130
193
Finland
cPanel Access Level
Root Administrator
How can I know what rule in IPTABLES causes the BLOCK, or why this IP is blocked?
A firewall works so that all ports are closed except those that are explicitly opened. It is normal that port 4949 is blocked.

000
A firewall works so that all ports are closed except those that are explicitly opened. It is normal that port 4949 is blocked.
Thanks, it really is fine to have 4949 closed, I don't have services on this port.
But what is the rule to block the IP?

How do I find the rule, the reason 78.46.90.135 is blocked, or other IPs...?

What is the policy, the reason? (correct of course, because 78.46.90.135 has no reason to try to connect to 4949)

quietFinn
How do I find the rule, the reason 78.46.90.135 is blocked, or other IPs...?

What is the policy, the reason? (correct of course, because 78.46.90.135 has no reason to try to connect to 4949)
The log entries you showed mean that connections to the closed port 4949 were blocked.
If IP 78.46.90.135 was blocked in the firewall you would not see those log messages.

If your server is connected to the internet there is always someone trying to connect to your server, and failing because the firewall is blocking it. A failed connection to a closed port does nothing (except create a log entry).
That is normal, get used to it.

000
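An added example, not code from this thread, from cPanel or from CSF, that turns the answer above into something you can run: over constructed copies of the posted "TCP_IN Blocked" lines and a constructed iptables-save dump it (1) counts hits per source IP and destination port, so it is visible that the lines record SYNs to a closed port rather than an IP-specific block; (2) splits the MAC= field the way netfilter lays it out, destination MAC, then source MAC, then EtherType, which is why in the posted lines the server's own MAC is followed by 0c:86:10:ed:35:02 (the last hop's MAC) and 08:00 (IPv4); (3) recovers the --log-prefix from a line and looks up the LOG rule that carries it, which answers "what rule caused this" without guessing; and (4) shows why `journalctl -n 20 | grep ...` returns fewer than 20 matches. The rule set, the 203.0.113.10 / 198.51.100.7 addresses and the 52:54:00:aa:bb:cc MAC are assumptions made for the sample only.

```shell
#!/bin/sh
# Added example (not from the thread). Real use:
#   journalctl -k --no-pager | summarize_blocked
#   iptables-save | find_log_rule "$one_log_line"
# Everything below the functions is constructed sample data / demo.

# --- constructed sample data (shaped like the posted lines; IPs/MACs assumed) ---
SAMPLE_LOG='Jun 18 23:55:02 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=52:54:00:aa:bb:cc:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23953 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:03 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=52:54:00:aa:bb:cc:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23954 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:05 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=52:54:00:aa:bb:cc:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23955 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:57:10 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=52:54:00:aa:bb:cc:0c:86:10:ed:35:02:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=777 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 18 23:58:00 pepsi kernel: Firewall: *UDP_IN Blocked* IN=enp2s0 OUT= MAC=52:54:00:aa:bb:cc:0c:86:10:ed:35:02:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=778 PROTO=UDP SPT=5353 DPT=5353 LEN=20'

# Constructed iptables-save dump: default-deny INPUT, a few ACCEPTs, rate-limited
# LOG rules that set the prefixes seen in the journal, then a catch-all DROP.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --syn -m limit --limit 30/min --limit-burst 5 -j LOG --log-prefix "Firewall: *TCP_IN Blocked* " --log-level 7
-A INPUT -p udp -m limit --limit 30/min --limit-burst 5 -j LOG --log-prefix "Firewall: *UDP_IN Blocked* " --log-level 7
-A INPUT -j DROP
COMMIT'

# (1) Count logged TCP SYNs per "SRC DPT" pair; log on stdin, busiest pair first.
#     SRC=/DPT= are located by name, so field positions are not assumed.
summarize_blocked() {
  grep 'TCP_IN Blocked' | awk '{
    src = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/) src = substr($i, 5)
      if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if (src != "" && dpt != "") n[src " " dpt]++
  } END { for (k in n) print n[k], k }' | sort -rn
}

# (2) Split MAC=. netfilter logs the raw Ethernet header: destination MAC
#     (the logging host), source MAC (last hop), EtherType (08:00 = IPv4).
split_mac_field() {  # $1 = one log line
  printf '%s\n' "$1" | sed -n 's/.* MAC=\([^ ]*\).*/\1/p' | awk -F: '{
    printf "dst=%s:%s:%s:%s:%s:%s src=%s:%s:%s:%s:%s:%s ethertype=%s%s\n",
      $1,$2,$3,$4,$5,$6, $7,$8,$9,$10,$11,$12, $13,$14 }'
}

# (3) Recover the --log-prefix (text between "kernel: " and " IN=") and print
#     the iptables-save rule(s) that set it; dump on stdin. If nothing matches,
#     the prefix did not come from this rule set (another tool/table logged it).
find_log_rule() {  # $1 = one log line
  prefix=$(printf '%s\n' "$1" | sed -e 's/^.*kernel: //' -e 's/ IN=.*$//')
  grep -F -- "--log-prefix \"$prefix"
}

# (4) Last N *matching* lines. "journalctl -n 20 | grep X" keeps the last 20
#     journal lines of any kind and only then filters, so fewer than 20 remain;
#     filter first, then take the tail.
last_n_matching() {  # $1 = fixed string, $2 = N; log on stdin
  grep -F -- "$1" | tail -n "$2"
}

# --- demo on the constructed data -------------------------------------------
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
first=$(printf '%s\n' "$SAMPLE_LOG" | head -n 1)
split_mac_field "$first"
printf '%s\n' "$SAMPLE_RULES" | find_log_rule "$first"
printf '%s\n' "$SAMPLE_LOG" | last_n_matching 'TCP_IN Blocked' 2
```

On the live box the same lookup is `iptables-save | find_log_rule "$line"`; `iptables -L INPUT -v -n --line-numbers` then shows the rule's position and packet counters. If the only rule carrying the prefix is a generic LOG placed before a chain-wide DROP (as in the sample), there is no rule naming 78.46.90.135 at all, which is the point made in the answer above. For the "7 not 20" question, `journalctl -k --no-pager | grep 'TCP_IN Blocked' | tail -n 20` filters before truncating; journalctl versions that support `-g`/`--grep` can do it in one step with `journalctl -k -g 'TCP_IN Blocked' -n 20`.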
The log entries you showed mean that connections to the closed port 4949 were blocked.
If IP 78.46.90.135 was blocked in the firewall you would not see those log messages...
Many thanks.

Ah! Then these lines do NOT mean "78.46.90.135 BLOCKED"... now I understand why there is one record after another with the same IP...
Thanks for fixing my brain.

Maybe you know why it shows 7 records and not 20? (I use journalctl -n 20 --no-pager | grep "TCP_IN Blocked" | grep '78.46.90.135')