Which is the first line of defense, iptables or nginx?

Magento, using the nginx template, blocks all .php files from being executed, and the logs display

access forbidden by rule

However, the IP address in the log that flooded the site looking for executable PHP files is listed in my ipdb 7-day list.

List comes from: https://raw.githubusercontent.com/borestad/blocklist-abuseipdb/refs/heads/main/abuseipdb-s100-7d.ipv4 and auto updates successfully every night.

IP is: 128.251.11.144

iptables is set to deny:

iptables -S | grep set
-A INPUT -p tcp -m set --match-set ipdb7day src -j DROP

So I'm wondering why this IP, which should have been blocked by iptables, was able to get through. The site doesn't use Cloudflare, so the actual IP was seen by the server.

Are you sure the offending ip was in the list when it visited your web site?

Double check that the ip is included in the current ipset.

ipset test ipdb7day 128.251.11.144

Also show all your iptables rules:

iptables -S
2 Likes
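On the title question: iptables comes first. A packet to port 80/443 traverses the netfilter INPUT chain before the kernel hands it to the nginx socket, so a DROP rule matching the ipset never lets nginx see the request. Any "access forbidden by rule" line in the nginx error log therefore means the client IP was not in the ipset at the moment the packet arrived. The script below, an added example that is not part of this thread or of the Hestia project, automates the check the answer suggests: it pulls the client IPs out of nginx "access forbidden by rule" log lines and reports which of them are absent from the blocklist file that feeds the ipset. The log lines and the list contents are constructed samples, the function names are my own, and the `live_check` helper simply wraps the `ipset test` command from the answer for use on the real box (it needs root and the ipset tool).

```shell
#!/bin/sh
# Added example (not from the original thread): find IPs that reached nginx
# although they "should" have been dropped by the ipset-backed iptables rule.

# Constructed sample of nginx error.log lines (not real log data).
SAMPLE_LOG='2024/05/01 03:12:07 [error] 1234#1234: *17 access forbidden by rule, client: 128.251.11.144, server: shop.example.com, request: "GET /shell.php HTTP/1.1"
2024/05/01 03:12:08 [error] 1234#1234: *18 access forbidden by rule, client: 128.251.11.144, server: shop.example.com, request: "GET /wp-login.php HTTP/1.1"
2024/05/01 03:15:41 [error] 1234#1234: *19 access forbidden by rule, client: 203.0.113.9, server: shop.example.com, request: "GET /x.php HTTP/1.1"
2024/05/01 03:16:02 [notice] 1234#1234: signal process started'

# Constructed stand-in for the downloaded abuseipdb-s100-7d.ipv4 file:
# comment lines start with '#', otherwise one IPv4 address per line.
SAMPLE_LIST='# constructed sample list, one IPv4 per line
203.0.113.9
198.51.100.77'

# forbidden_clients LOGTEXT
#   Print the unique client IPs that hit the nginx "access forbidden by rule" rule.
forbidden_clients() {
  printf '%s\n' "$1" \
    | grep 'access forbidden by rule' \
    | sed -n 's/.*client: \([0-9.]*\),.*/\1/p' \
    | sort -u
}

# in_list IP LISTTEXT
#   Succeed if IP appears as an exact (non-comment) line in the list.
#   -F: fixed string, -x: whole line, so 10.0.0.1 does not match 10.0.0.10.
in_list() {
  printf '%s\n' "$2" | grep -v '^#' | grep -Fxq "$1"
}

# missing_from_list LOGTEXT LISTTEXT
#   Print every IP that reached nginx but is not in the list. Those are the
#   ones iptables could not have dropped, because the ipset never held them.
missing_from_list() {
  forbidden_clients "$1" | while read -r ip; do
    in_list "$ip" "$2" || printf '%s\n' "$ip"
  done
}

# live_check IP SETNAME
#   On the real server: ask the kernel whether IP is in the loaded ipset.
#   Wraps the "ipset test" command from the answer above; needs root.
live_check() {
  if command -v ipset >/dev/null 2>&1; then
    ipset test "$2" "$1"
  else
    echo "ipset not available here; run on the server as root" >&2
    return 2
  fi
}

# Example run against the constructed data: prints 128.251.11.144, because
# that address is in the log but not in the list, while 203.0.113.9 is in both.
missing_from_list "$SAMPLE_LOG" "$SAMPLE_LIST"
```

On a live server, replace the two sample variables with the real files, for example `missing_from_list "$(cat /var/log/nginx/domains/example.com.error.log)" "$(cat /path/to/abuseipdb-s100-7d.ipv4)"`, and confirm any hit with `live_check 128.251.11.144 ipdb7day`. If an IP is in the file but `live_check` fails, the nightly refresh of the ipset is what to look at; if it is absent from the file as well, the IP simply was not on the list when the request came in, which is what happened in this thread.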

Thanks @sahsanu, you found my error.

I had assumed (worst word of them all) that, since the IP was listed in the 3-day, 7-day and 14-day lists, it was in the list that was downloaded when the cron ran this morning.

However, I neglected to check the test command, and sure enough, it wasn't being blocked. Guessing the IP somehow dropped from the list between GitHub updates of the list.

Checking other random IPs from the current 7-day list, they're all found and being blocked.

Thanks again for your help. You’re a huge asset to the Hestia team and forum.

3 Likes