August 4, 2014

Some script is inserting into my iptables a rule that accepts all traffic. That totally invalidates my next rejecting rules.

So is there some way to prevent the script from adding rules, or to find out the script or source that is inserting that rule?

Your server may be hacked.
If it is through the web server, the upload directory is the most likely place:
/tmp, or configured upload directories.
If it is through SSH, init scripts should be checked.

The following command may help:
sudo find / -type f -executable -exec grep -il "iptables" {} \; -print

It is hard to recover a compromised server; backing up the db & user-uploaded content, then rebuilding the server, may be easier.

  • One thing to mention: disable eth0 and do the check with DO's console.
    Or enable private networking, start another droplet and check through the newly created droplet over the private network; after all diagnostics are done, destroy BOTH droplets.
    With what you found from that diagnostic work, apply fixes on a new droplet.
    Don't try to fix the compromised server; it is only worth keeping for offline diagnostics.
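As an added example (not code from the original answer), a small POSIX shell scan of the locations the answer names (init scripts, /tmp) plus cron directories, which are an assumption here, listing every file that mentions iptables; the demo function runs on a constructed directory so it does not touch the live system.

```shell
#!/bin/sh
# Added example, not from the original thread. Lists files under the given
# directories that reference iptables. Default paths are assumptions: the
# init and /tmp locations the answer mentions plus common cron directories.

find_iptables_refs() {
    # $@ = directories to scan; with no arguments use the assumed defaults
    if [ $# -eq 0 ]; then
        set -- /etc/init.d /etc/cron.d /etc/cron.daily /etc/cron.hourly \
               /var/spool/cron /tmp
    fi
    for d in "$@"; do
        [ -d "$d" ] || continue
        # -l prints each matching file once, -i ignores case, -s hides
        # unreadable-file errors; grep exits 1 when nothing matches, which
        # is not an error for a scan, hence the "|| :"
        find "$d" -type f -exec grep -lis 'iptables' {} + || :
    done
}

# Demo on a constructed directory tree so the scan can be tried safely
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/init.d" "$tmp/cron.d"
    # constructed suspect: an init script that opens the firewall
    printf '#!/bin/sh\niptables -I INPUT -j ACCEPT\n' > "$tmp/init.d/S99local"
    chmod +x "$tmp/init.d/S99local"
    # constructed benign cron entry that should not be reported
    printf '0 * * * * root /usr/bin/true\n' > "$tmp/cron.d/harmless"
    find_iptables_refs "$tmp/init.d" "$tmp/cron.d"
    rm -rf "$tmp"
}
```

Run find_iptables_refs with no arguments (as root) to scan the assumed default locations on a real server; any hit is a candidate for the script that re-inserts the ACCEPT rule.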

