Bug? IP addresses not blocked because LOGDROPIN is after ACCEPT

1 post Page 1 of 1
forbin
Junior Member
Posts: 1
Joined: 07 Nov 2019, 18:50


I am using "csf -td" to block certain IP addresses. This adds them to the LOGDROPIN chain. However, in the INPUT chain, LOGDROPIN comes AFTER the ACCEPT rules for specific ports, this effectively allows IP addresses that should be denied to still hit the computer via open ports. For example, even a blocked computer can connect to ports 80 and 443 here because they come before the LOGDROPIN chain. Is this a bug in CSF? Or, do I have it misconfigured somehow?

-A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
1 post Page 1 of 1