Blacklist Not Working as Expected

I have FreePBX 10.13.66-22 and System Firewall 13.0.57.1 with Responsive Firewall enabled hosted at FreePBXHosting.com with one NIC assigned as Internet, with whitelisted networks for admin access. All services are local or local and other (default), including SIP. I am not sure this is correct configuration.

I have blacklisted IPs that are not being blocked. Here is an example:

BTW: the traffic IS blocked outbound apparently. There is only the INVITE received and apparently no reply sent.

It looks like you are using sngrep, which will capture before iptables (firewall). The rest of the packet summary is missing. Showing just 1 packet being passed and the call just stuck in Call Setup because iptables dropped it instead of replying.

Is that what the full report summary shows?


Yes, it shows just one packet arriving (invite) and no response. So it is working correctly. I did not know sngrep looked BEFORE iptables. That is somewhat counterintuitive as it seems iptables should always be first. Thanks for a new tidbit of knowledge.

Because like tcpdump, it captures via libpcap which is capturing the data as it enters or leaves the interface before/after all other pre/post mangles, rules, filters from iptables are applied. It’s pretty standard for most things.

What’s the best way to capture traffic after iptables?

You capture it on the interface it is leaving. Since you are using one interface, the traffic is going to come in the interface, sngrep/tcpdump/libpcap will output/capture the traffic and then iptables. But in this case the traffic is coming in to the interface and that’s it. That’s the interface the traffic is destined for.

It sounds like things are working just fine, what more are you trying to figure out?

I am clear that the firewall is working as expected now that I understand the sequence. Thanks.
Matthew asked a new question about a way to capture packets passed by iptables.

You probably don’t need to “capture” the packets, but you can have iptables “log” any packets to any “syslog” facility you choose, but be aware that too much verbosity can be system impactful.

Also it is unlikely to work with iptable rules you don’t have complete control over.

Maybe google for “iptables log all accepted packets”

I answered it. It captures/logs/filters traffic when it enters and leaves the Interface. That would mean incoming traffic would be captured before iptables and outgoing traffic would be captured after iptables.
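To make the two points above concrete (libpcap sees inbound packets before iptables, so the only record of what the firewall actually did is iptables' own LOG target), here is an added example that is not from this thread or from FreePBX. It assumes iptables with the LOG target, kernel log lines in the standard netfilter format, and the prefixes "SIP-ALL: " and "SIP-DROP: " (names chosen here). The first function only prints the rules; the log lines it parses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread or the FreePBX project.
# Assumptions: iptables with the LOG target, kernel log lines in the standard
# netfilter LOG format, and the hypothetical prefixes "SIP-ALL: " / "SIP-DROP: ".

# Print (do not run) the rules that log SIP traffic at the two points where a
# packet's fate is visible: on entry to INPUT (everything libpcap also saw) and
# right before an explicit final DROP. A source that appears under SIP-ALL but
# never under SIP-DROP was accepted. Pipe the output to sh as root to apply.
sip_log_rules() {
  cat <<'EOF'
iptables -I INPUT 1 -p udp --dport 5060 -j LOG --log-prefix "SIP-ALL: " --log-level 4
iptables -A INPUT -p udp --dport 5060 -j LOG --log-prefix "SIP-DROP: " --log-level 4
iptables -A INPUT -p udp --dport 5060 -j DROP
EOF
}

# Count, per source IP, the kernel log lines carrying a given prefix.
# Reads log lines on stdin and prints "SRC count" lines sorted by IP.
count_by_src() {
  prefix="$1"
  awk -v p="$prefix" '
    index($0, p) {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
    }
    END { for (s in n) print s, n[s] }
  ' | sort
}

# Constructed sample lines in the format the kernel writes for the LOG target.
SAMPLE_LOG='Jan  5 10:00:01 pbx kernel: SIP-ALL: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=512 PROTO=UDP SPT=5060 DPT=5060 LEN=492
Jan  5 10:00:01 pbx kernel: SIP-DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=512 PROTO=UDP SPT=5060 DPT=5060 LEN=492
Jan  5 10:00:02 pbx kernel: SIP-ALL: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 LEN=480 PROTO=UDP SPT=5060 DPT=5060 LEN=460
Jan  5 10:00:03 pbx kernel: SIP-ALL: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=512 PROTO=UDP SPT=5060 DPT=5060 LEN=492
Jan  5 10:00:03 pbx kernel: SIP-DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=512 PROTO=UDP SPT=5060 DPT=5060 LEN=492'

# Sources seen on entry but never dropped: these packets reached Asterisk.
accepted_sources() {
  dropped=$(printf '%s\n' "$SAMPLE_LOG" | count_by_src 'SIP-DROP: ' | cut -d' ' -f1)
  printf '%s\n' "$SAMPLE_LOG" | count_by_src 'SIP-ALL: ' | cut -d' ' -f1 |
  while read -r s; do
    printf '%s\n' "$dropped" | grep -Fxq "$s" || echo "$s"
  done
}

# Usage: sip_log_rules; printf '%s\n' "$SAMPLE_LOG" | count_by_src 'SIP-DROP: '; accepted_sources
```

Run against a real box, replace SAMPLE_LOG with `journalctl -k` or /var/log/messages output. The SIP-ALL rule is inserted at position 1 so it fires before any rule you do not control, which is the caveat in the thread: a LOG rule buried after someone else's ACCEPT never sees those packets.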

@matthewljensen, you should probably make that a new question so the thread doesn’t get confusing. I accepted @BlazeStudios’ first answer as the solution.
