
Blocked IPs in iptables but DDOS still is going on


I had a DDoS today on a webserver running Debian squeeze and blocked various IP addresses in iptables like so:

iptables -A INPUT -s 169.50.5.42 -j DROP

But it does not seem to be dropping the traffic from these IPs.

Listing all rules with iptables -L gives the following output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh 
fail2ban-pureftpd  tcp  --  anywhere             anywhere            multiport dports ftp 
fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap2,imaps 
DROP       all  --  169.50.5.42-static.reverse.softlayer.com  anywhere            
DROP       all  --  169.50.5.45-static.reverse.softlayer.com  anywhere            
DROP       all  --  169.50.5.37-static.reverse.softlayer.com  anywhere            
DROP       all  --  169.50.5.36-static.reverse.softlayer.com  anywhere            
DROP       all  --  169.50.5.38-static.reverse.softlayer.com  anywhere            
DROP       all  --  169.50.5.39-static.reverse.softlayer.com  anywhere            
DROP       all  --  169.50.5.45-static.reverse.softlayer.com  anywhere            
DROP       all  --  169.50.5.42-static.reverse.softlayer.com  anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-pureftpd (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
DROP       all  --  43.229.53.60         anywhere            
RETURN     all  --  anywhere             anywhere            

Is there something that I missed?


Solution

  • I can answer myself. Apparently it needs some time to apply all changes internally. After one minute or so the rules are working.
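
One way to check whether DROP rules like the ones listed above are matching traffic is to read the per-rule packet counters from `iptables -L INPUT -n -v -x`. The following is an added example, not part of the original post; the function names and the counter values in the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Summarise DROP rules from `iptables -L INPUT -n -v -x` output read on stdin.
# Prints one line per source address: "<source> <packets> <status>".
# With -v the columns are: pkts bytes target prot opt in out source destination
drop_rule_report() {
    awk '
        $3 == "DROP" && $1 ~ /^[0-9]+$/ {
            src = $8
            if (!(src in seen)) order[++n] = src   # keep first-seen order
            seen[src]++                            # count rules per source
            pkts[src] += $1                        # sum packet counters
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                status = (pkts[s] > 0) ? "matching" : "no-hits"
                if (seen[s] > 1) status = status ",duplicate"
                print s, pkts[s], status
            }
        }'
}

# Constructed sample listing (addresses from the post, counters made up).
# The second rule for 169.50.5.42 shows 0 packets because the first
# DROP rule for that source already ends processing of the packet.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 1840 packets, 221000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     7200 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    5321   319260 DROP       all  --  *      *       169.50.5.42          0.0.0.0/0
       0        0 DROP       all  --  *      *       169.50.5.45          0.0.0.0/0
     874    52440 DROP       all  --  *      *       169.50.5.37          0.0.0.0/0
       0        0 DROP       all  --  *      *       169.50.5.42          0.0.0.0/0
EOF
}

# On a live host (as root): iptables -L INPUT -n -v -x | drop_rule_report
sample_listing | drop_rule_report
```

The `-n` flag prints numeric addresses instead of the reverse-DNS names seen in the listing above, which also avoids a DNS lookup per rule while the host is under load.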