
iptables blocking funtoo.org


sputnik


Well, it's a weird one.  For a month or so I haven't been able to access any funtoo.org IPs, either from browser or ping, whatever.  I was busy with other things and worked out pretty quickly that it was localized on my everyday user laptop and discovered it was related to iptables; by stopping them I could access funtoo.org just fine, so I just lived with that for a while.

Today I got serious about it and started removing lines from iptables one by one to find it.  Luckily it was line 2 in INPUT; deleted that and funtoo.org is accessible.  Here is what it says:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
2     195M  201G IP4BOGONS  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Which goes to:

Chain IP4BOGONS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 883K  102M RETURN     all  --  *      *       10.0.0.0/8           0.0.0.0/0           
   18  1008 RETURN     all  --  *      *       172.16.0.0/12        0.0.0.0/0           
55910   25M RETURN     all  --  *      *       192.168.0.0/16       0.0.0.0/0           
 109K   25M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set fullbogons-ipv4 src

I have a cronjob that downloads a list several times a day from http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt and adds them to an ipset list.  It's a list of known "bogons", bogus IP addresses that are being used for...who knows, nothing good for me.  As you can see, anything that matches that list doesn't get in the door.

So my next step was:

ipset list fullbogons-ipv4|grep "172.97.103.36"

Nope, no match.  Then I went to http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt and looked for 172.97.103.36 there.  Nope, ain't there either.  But still, for some reason it's apparently matching something somewhere on that list.  I can't explain it, but there it is.  Zero problems with any other IPs.  I've solved this for now by putting in a RETURN above the DROP for 172.97.103.36, but I wanted to make the devs aware of it.  I've been using this iptables setup for a couple of years; this is the 1st time anything like this has happened.  I see on the front page of the wiki that Drobbins has been migrating containers to that address; the timing matches this problem.


Hmm, except for the jira, I've got this in IP4BOGONS now:

Chain IP4BOGONS (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 RETURN     all  --  *      *       126.1.1.0/24         0.0.0.0/0           
2     883K  102M RETURN     all  --  *      *       10.0.0.0/8           0.0.0.0/0           
3       18  1008 RETURN     all  --  *      *       172.16.0.0/12        0.0.0.0/0           
4    55910   25M RETURN     all  --  *      *       192.168.0.0/16       0.0.0.0/0           
5        0     0 RETURN     all  --  *      *       172.97.103.0/24      0.0.0.0/0

Still don't get the dashboard or average age chart.  Apparently they come down a different IP than 172.97.103.1-192.97.103.255?  That is on the bogon list?  Weird.


172.97.103.0/24 is a subblock of 172.103.64.0/18, which is listed on SpamHaus' DROP list (Don't Route Or Peer).  Spamhaus has a good reputation so I'd say it's a legit block.  You might want to add ACCEPT rules for Funtoo's servers before your BOGON rules if they fall in this range.

Info on Spamhaus' DROP list is here.

EDIT:  This is pretty serious.  Funtoo's IP addresses lie in the subblock 172.97.100.0 - 172.97.103.255, which is registered to Brownrice Internet, Inc.  Someone should be actively prodding Brownrice to get their subnet out of that block list if at all possible.


Thanks overkill.

With 172.97.103.0/24 in the return list I'm ok here now, don't know what was up with the jira the night I originally posted, but I have access to all of Funtooland now.

However, the whole point of the post is what you pointed out in your last sentence.  I don't need help, it's solved here.

Edit: and here is the block on the list: 172.64.0.0/10

Which includes 172.64.0.1 - 172.127.255.254

Yet another edit: An update.  I just went to the master list linked in post #1, 172.64.0.0/10 is NOT there.  So apparently it popped up on the list a month or so ago, got added to my ipset and there it's stayed, even though they've taken it off the list.  So no action necessary, this whole post is a BOGON.

As you were men, belay my last.

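Two things in this thread lend themselves to a worked check, added here as example code that is not from the forum, Funtoo or Team Cymru: the grep in post #1 cannot find 172.97.103.36 because the set holds prefixes rather than addresses (a /10 covers it silently), and a cron job that only ever runs ipset add keeps 172.64.0.0/10 around after the upstream list withdraws it, which an atomic swap-based refresh avoids. The sample list, the set name and the assumption that the set is of type hash:net are this example's own.

```python
import ipaddress
from typing import List

# Constructed sample in the fullbogons-ipv4.txt format (comment lines begin
# with '#', one prefix per line).  172.64.0.0/10 stands in for the entry that
# appeared upstream, was added to the local set, and was later withdrawn.
SAMPLE_BOGONS = """\
# fullbogons-ipv4, constructed sample for this example
0.0.0.0/8
10.0.0.0/8
172.64.0.0/10
192.168.0.0/16
"""

def parse_bogons(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the list, dropping comments and blank lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def covering_prefixes(ip: str, nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Return every prefix that contains ip.  This is the check the thread
    needed: grep for the literal address finds nothing, because the set holds
    prefixes, not addresses, and a /10 quietly covers 172.97.103.36."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr in n]

def ipset_restore_script(setname: str, nets: List[ipaddress.IPv4Network]) -> str:
    """Build 'ipset restore' input that replaces the set atomically: fill a
    temporary hash:net set, swap it with the live one, destroy the old copy.
    Prefixes withdrawn upstream vanish locally, which a cron job that only
    runs 'ipset add' never achieves.  Feed it to: ipset -exist restore"""
    tmp = f"{setname}-tmp"
    lines = [f"create {tmp} hash:net family inet", f"flush {tmp}"]
    lines += [f"add {tmp} {n}" for n in nets]
    lines += [f"create {setname} hash:net family inet",
              f"swap {tmp} {setname}",
              f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    nets = parse_bogons(SAMPLE_BOGONS)
    print(covering_prefixes("172.97.103.36", nets))   # ['172.64.0.0/10']
    print(ipset_restore_script("fullbogons-ipv4", nets), end="")
```

The -exist flag on ipset restore makes the two create lines harmless when the sets already exist, so the same script works on the first run and on every cron run after it.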


172.97.103.0/24 is a subblock of 172.103.64.0/18, which is listed on SpamHaus' DROP list (Don't Route Or Peer). Spamhaus has a good reputation so I'd say it's a legit block. You might want to add ACCEPT rules for Funtoo's servers before your BOGON rules if they fall in this range.

Info on Spamhaus' DROP list is here.

EDIT: This is pretty serious. Funtoo's IP addresses lie in the subblock 172.97.100.0 - 172.97.103.255, which is registered to Brownrice Internet, Inc. Someone should be actively prodding Brownrice to get their subnet out of that block list if at all possible.

Huh? 172.103.64.0/18 starts at 172.103.63.1 through 172.103.127.254. 172.97.*.* isn't included by that mask. Think about it. 16 bits would take over the first two bytes and 18 bits is even longer.

You almost had me panicked. I was about to contact Steve and ask him what's up. I worked with him a while back and I'm sure he remembers me.

Taglines suck. https://eddon.systems
