What is triggered first, IPTABLES or MODSEC?

General Discussion of atomic repo and development projects.

Ask for help here with anything else not covered by other forums.
Post Reply
Sergio
Forum User
Forum User
Posts: 99
Joined: Sat Jan 17, 2009 2:19 pm

What is triggered first, IPTABLES or MODSEC?

Unread post by Sergio »

Hi,
I have the following scenario:

I have a global deny file where IPs are blacklisted, in there is an IP 75.135.132.235. Also, I have blacklisted the same IP in one of my mod_sec rules.

To my understanding, when this IP is trying to connect to the server, it will be blocked by IPTABLES so the connection will be stopped. But something weird is happening, look at the modsec log:
2009-12-18 21:27:23 75.135.132.235 /guestbook.php?do=do_sign HTTP/1.1 www.somedomain.com Access denied with code 406 (phase 2). Matched phrase "75.135.132.235" at REMOTE_ADDR. [file "/usr/local/apache/conf/modsec_rules/00_asl_rbl.conf"] [line "10"] [id "350002"] [rev "2"] [msg "IP Match: SPAMMER is in My Blacklist"] [severity "ERROR"] 406
So, the question is, why the IP was blocked by the modsec rule if it has to be stopped at the very momment of trying to connect to the server?

Is this a security issue that IPTABLE didn't stop this?

What do you think?

Regards,
Sergio
Top
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:
Contact scott

Re: What is triggered first, IPTABLES or MODSEC?

Unread post by scott »

Your firewall rules occur at layer 3, so if they are set up correctly it would stop there. If you're looking for more information on how to do this, check out our book:
http://www.amazon.com/Troubleshooting-L ... 877&sr=8-1

You've probably got your order wrong
Top
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: What is triggered first, IPTABLES or MODSEC?

Unread post by mikeshinn »

(Thread moved because this is not an ASL issue, this is regarding custom iptable rules on a non-ASL system)

Exactly. iptables happens down at the kernel and network interface level, so its always comes before something like apache (and therefore modsec). The most common mistakes people make with iptable rules are using "-A" instead of "-I" for a rule. -A means append, -I means insert. -A puts the rule at the bottom of the list - usually *after* their allow rules. netfilter is first come first served, from first to last. So when it hits a match, it processes it and if an earlier rule allow traffic to port 80 then that will match before a later rule blocking an IP and the later rule will never match.

We wrote a whole book on troubleshooting iptable rules, or you could just use ASL which does blacklisting easily with iptables. :-)
Top
Sergio
Forum User
Forum User
Posts: 99
Joined: Sat Jan 17, 2009 2:19 pm

Re: What is triggered first, IPTABLES or MODSEC?

Unread post by Sergio »

Thank you Scott and Mike,
I will do a check on this.

Regards,
Sergio
Top
Post Reply

Return to “General Help and Development Discussion”