how to know WHY my firewall block a particular IP?

[000]

Hello,

When we run

journalctl --no-pager | grep "TCP_IN Blocked"

we get the "attacks" to server.

Then I find a particular IP many, many times:

[[email protected] ~]# journalctl --no-pager | grep "TCP_IN Blocked" | grep '78.46.90.135'
Jun 18 23:55:02 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23953 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:03 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23954 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:05 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23955 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:09 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23956 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:17 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23957 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:55:33 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23958 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 18 23:56:05 pepsi.coke.com kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=23959 DF PROTO=TCP SPT=51290 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:02 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1343 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:03 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1344 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:05 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1345 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:09 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1346 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:17 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1347 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 19 00:00:33 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp2s0 OUT= MAC=MyMAC:0c:86:10:ed:35:02:08:00 SRC=78.46.90.135 DST=Mi.Ip.Public.Dedicated LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1348 DF PROTO=TCP SPT=51506 DPT=4949 WINDOW=29200 RES=0x00 SYN URGP=0
thousands more ...

how I can know what rule in IPTABLES cause the BLOCK, or why this IP is blocked?

also why

journalctl -n 20 --no-pager | grep "TCP_IN Blocked" | grep '78.46.90.135'

show 7 records and not 20 ?

 

[GOT]

If you are using csf then grep the IP in /var/log/lfd.log

 

[000]

If you are using csf then grep the IP in /var/log/lfd.log

no master, CSF not is here.

Know you what is 0c:86:10:ed:35:02:08:00 ?

Whn we run

cat /sys/class/net/*/address

we get "MyMAC", also if we run the ifconig command.

Then what is 0c:86:10:ed:35:02:08:0:

MAC=MyMAC:0c:86:10:ed:35:02:08:0

??

 

[GOT]

That's your NIC's mac address.

I'm not aware of cPanel using iptables itself. You may have some other mechanism on play here though.

 

[quietFinn]

how I can know what rule in IPTABLES cause the BLOCK, or why this IP is blocked?

Firewall works so that all ports are closed, except those that are explicitly opened. It is normal that port 4949 is blocked.

 

[000]

Firewall works so that all ports are closed, except those that are explicitly opened. It is normal that port 4949 is blocked.

thanks, really is fine have closed 4949, I don't hve services in this port.
But wht is the rule to block IP ?

How I find the rule?, the reason of 78.46.90.135 is blocked, or others IP... ?

What is the police, the reason ? (correct of course, because 78.46.90.135 don't have reason to try connect to 4949)

 

[quietFinn]

How I find the rule?, the reason of 78.46.90.135 is blocked, or others IP... ?

What is the police, the reason ? (correct of course, because 78.46.90.135 don't have reason to try connect to 4949)

The log entries you showed means that connections to closed port 4949 were blocked.
If IP 78.46.90.135 was blocked in the firewall you would not see those log messages.

If your server is connected to internet there is always someone trying to connect to your server, and failing because the firewall is blocking it. Failed connection to a closed port does nothing (except creates a log entry).
That is normal, get used to it.

 

[000]

The log entries you showed means that connections to closed port 4949 were blocked.
If IP 78.46.90.135 was blocked in the firewall you would not see those log messages...

many thanks.

ah!, then this lines NOT means "78.46.90.135 BLOCKED"... now I understand why one and other record with same IP...
thanks by fixed my brain.

Maybe do you know why show 7 records and not 20 ? (I use journalctl -n 20 --no-pager | grep "TCP_IN Blocked" | grep '78.46.90.135')