Question

Is it possible to lock iptables?

Posted August 4, 2014 5.4k views

Some script is inserting at my iptables a rule to accept every traffic. That totally invalidate my next rejecting rules.

So is there some way to prevent that the script to add rules or find out the script or source who is inserting that rule?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer

Your server maybe hacked
If it is through the web server, upload directory is the most possible place
/tmp, or configured upload directories
If it is through SSH, init scripts should be checked

The following command may help:
sudo find / -type f -executable -exec grep -il “iptables” {} \; -print

It is hard to recover a compromised server, backup db & user uploaded content, then rebuild the server maybe easier.

  • One thing to mention, disable eth0 and do the check with DO’s console.
    Or enable private networking and start another droplet and check through the newly created droplet with private network, after all diagnostics is done destroy BOTH droplets.
    With what you found from those diagnostics work, apply fixes on a new droplet.
    Don’t try to fix the compromised server, it only worth keeping for offline diagnostics.

Submit an Answer