As a test, I started a TorBrowser, got its IP, and banned it via this command on my VPS:
sudo iptables -A INPUT -s <IP address> -j DROP
I'm still able to surf pages hosted by my server from the TorBrowser. I've even double checked the HTTP access.log to make sure the IP is what I banned, and it is. What am I missing?
My iptables file that gets read in upon boot (via iptables-restore):
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# IP bans
-A INPUT -s 42.121.24.80 -j DROP
-A INPUT -s 121.196.43.157 -j DROP
-A INPUT -s 192.30.85.135 -j DROP
-A INPUT -s 94.102.53.175 -j DROP
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
# Mail
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
# Minecraft
-A INPUT -p tcp --dport 25565 -j ACCEPT
# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
And iptables -L output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
DROP all -- out524-80.mail.aliyun.com anywhere
DROP all -- ip196.hichina.com anywhere
DROP all -- 192.30.85.135-IP-Static-VISPERAD.COM anywhere
DROP all -- tor-exit-nl1.privacyfoundation.dk anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:25565
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
dmourati asked for iptables -L INPUT for a reason, aka your current rules. Before testing the Tor Browser, you had the posted rules (or similar).
Now in the middle of it:
After that you executed
So your rule ended up AFTER you accepted all port 80 traffic, thus nothing to DROP since it was already accepted.
You should have added the rule with
If you want to give priority to the drop command you need to insert (-I) it before the append (-A) command that allows port 80.
Order matters, try:
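The point the answer makes is that iptables evaluates a chain top to bottom and the first terminating target (ACCEPT, DROP, REJECT) wins, so `-A` appends a rule behind every ACCEPT that already matched and `-I` puts it in front. The Python below is an added example, not code from the question or the answer: it models that first-match walk over a simplified copy of the posted INPUT chain and shows what happens to a port-80 packet from a banned address when the DROP is appended, inserted at the top, or inserted just below the ESTABLISHED,RELATED rule. The address 198.51.100.7 (documentation range), the interface name eth0, and the packet states are constructed sample values.

```python
"""Toy first-match model of an iptables chain: why -A and -I give different results.

Added example, not from the original post. The rule list is a simplified copy
of the INPUT chain posted in the question; 198.51.100.7 and eth0 are
constructed stand-ins for the Tor exit address and the server interface.
"""
from dataclasses import dataclass
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG matches but evaluation continues


@dataclass
class Rule:
    target: str
    src: Optional[str] = None          # -s
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport
    states: frozenset = frozenset()    # -m state --state A,B
    in_iface: Optional[str] = None     # -i

    def matches(self, pkt: dict) -> bool:
        return (
            (self.src is None or pkt["src"] == self.src)
            and (self.proto is None or pkt["proto"] == self.proto)
            and (self.dport is None or pkt.get("dport") == self.dport)
            and (not self.states or pkt["state"] in self.states)
            and (self.in_iface is None or pkt["iface"] == self.in_iface)
        )


def evaluate(chain, pkt, policy="ACCEPT"):
    """Walk the chain in order; the first matching terminating rule decides."""
    for rule in chain:
        if rule.matches(pkt) and rule.target in TERMINATING:
            return rule.target
    return policy


def posted_input_chain():
    """INPUT chain from the question, in file order (127/8 and mail rules omitted)."""
    return [
        Rule("ACCEPT", in_iface="lo"),
        Rule("DROP", src="94.102.53.175"),   # a ban from the file: sits above the ACCEPTs, so it works
        Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("ACCEPT", proto="tcp", dport=80),
        Rule("ACCEPT", proto="tcp", dport=443),
        Rule("ACCEPT", proto="tcp", dport=22, states=frozenset({"NEW"})),
        Rule("ACCEPT", proto="icmp"),
        Rule("LOG"),
        Rule("DROP"),
    ]


def append_rule(chain, rule):              # iptables -A INPUT ...
    chain.append(rule)


def insert_rule(chain, rule, pos=1):       # iptables -I INPUT [pos] ...  (1-based, default 1)
    chain.insert(pos - 1, rule)


def http_packet(src, state="NEW"):
    return {"src": src, "proto": "tcp", "dport": 80, "state": state, "iface": "eth0"}


BANNED = "198.51.100.7"   # constructed stand-in for the Tor exit address


def verdict_after_append():
    """What the question did: -A lands behind 'ACCEPT tcp dpt:80' (and the final DROP)."""
    chain = posted_input_chain()
    append_rule(chain, Rule("DROP", src=BANNED))
    return evaluate(chain, http_packet(BANNED))


def verdicts_after_insert_top():
    """-I INPUT 1: NEW and already-established packets from the address are both dropped."""
    chain = posted_input_chain()
    insert_rule(chain, Rule("DROP", src=BANNED))
    return (evaluate(chain, http_packet(BANNED)),
            evaluate(chain, http_packet(BANNED, "ESTABLISHED")))


def verdicts_after_insert_below_established():
    """-I INPUT 4: new connections are dropped, but a flow opened before the ban survives."""
    chain = posted_input_chain()
    insert_rule(chain, Rule("DROP", src=BANNED), pos=4)
    return (evaluate(chain, http_packet(BANNED)),
            evaluate(chain, http_packet(BANNED, "ESTABLISHED")))


def verdict_for_other_client():
    """The inserted ban must not touch unrelated clients."""
    chain = posted_input_chain()
    insert_rule(chain, Rule("DROP", src=BANNED))
    return evaluate(chain, http_packet("203.0.113.9"))


if __name__ == "__main__":
    print("appended DROP, new HTTP from banned IP:", verdict_after_append())
    print("inserted at 1, (NEW, ESTABLISHED):", verdicts_after_insert_top())
    print("inserted at 4, (NEW, ESTABLISHED):", verdicts_after_insert_below_established())
    print("inserted at 1, other client:", verdict_for_other_client())
```

On the real box the equivalent is `iptables -I INPUT 1 -s <IP address> -j DROP`, and `iptables -L INPUT -n --line-numbers` confirms where the rule landed (`-n` also skips the reverse-DNS lookups that turned the posted `iptables -L` output into hostnames). A rule added interactively is gone after the next iptables-restore, so a permanent ban belongs in the file, where its position in the file sets its position in the chain; that is why the bans already in the posted file, which sit above the ACCEPT lines, work while the one appended from the shell did not. Inserting below the ESTABLISHED,RELATED rule is the variant to use if you want to stop new connections without cutting flows that are already open.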