I just wrote some rules for iptables but I found that they don't work as I expected. The strange behavior is that, if I use this config:

# Generated by iptables-save v1.2.5 on Fri Nov 22 15:40:19 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
#)fp SMTP: I accept connections from all IPs
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j LOG
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j ACCEPT
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j LOG
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#)fp Requests to remote DNS servers must get through
-A INPUT -s 0/0 -m tcp -p tcp --sport 53 -d 0/0 -j ACCEPT
-A INPUT -s 0/0 -m udp -p udp --sport 53 -d 0/0 -j ACCEPT
#)fp I accept SSH
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 22 -j ACCEPT
#)fp Reject the rest of UDP and TCP SYN, and log
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j LOG
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j REJECT
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j LOG
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j REJECT
COMMIT

the limit does not work as it should (it restricts my SMTP connections before the limit is reached; it starts blocking the second or third connection). But if I put the ssh line just before the SMTP one, all works fine (the burst works and the limit too). Do you think this is normal? Could it be some bug? Am I missing something? I tried this several times, just changing the line I mentioned, and the result was always the same.
The config that works is this:

# Generated by iptables-save v1.2.5 on Fri Nov 22 15:40:19 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
#)fp I accept SSH
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 22 -j ACCEPT
#)fp SMTP: I accept connections from all IPs
#)fp Limit tests
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j LOG --log-prefix FEDE
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j ACCEPT
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j LOG --log-prefix FEDE2
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 25 -j LOG --log-prefix FEDE2
#-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#)fp Requests to remote DNS servers must get through
-A INPUT -s 0/0 -m tcp -p tcp --sport 53 -d 0/0 -j ACCEPT
-A INPUT -s 0/0 -m udp -p udp --sport 53 -d 0/0 -j ACCEPT
#)fp Reject the rest of UDP and TCP SYN, and log
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j LOG
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j REJECT
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j LOG
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j REJECT
COMMIT

The tests were done on RH 7.1 on VMware and RH 7.2 on a PIII. Both systems updated and with standard distro software.

If you need any extra information, let me know....

Thank you very much....

--
Federico Petronio
petronio@agro.uba.ar
Linux User #129974
---
Unix IS user friendly. It's just selective about who its friends are.
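To make the expected behaviour of the `-m limit --limit 10/minute --limit-burst 5` rules in the post concrete, here is a token-bucket model of the limit match that walks SMTP SYNs from the limited source through the INPUT chain above. It is an added example, not code from the original post; the SYN timestamps are constructed sample data, and the refill model (one token per 6 seconds at 10/minute, capped at the burst) is the documented semantics of the limit match, not the kernel's exact jiffies arithmetic.

```python
"""Token-bucket model of the iptables `-m limit` rules from the post above.

Added example (not from the original post). Models `--limit 10/minute
--limit-burst 5`: the bucket starts full with `burst` tokens, refills at
10 tokens per minute, and a packet matches only if a whole token is left.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """State of one `-m limit` rule; every rule in the chain owns its own bucket."""
    rate_per_minute: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # bucket starts full

    def matches(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above the burst size.
        refill = (now - self.last) * self.rate_per_minute / 60.0
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def smtp_chain_verdicts(syn_times):
    """Return (time, verdict) for SYNs to port 25 from 168.96.156.99.

    The LOG rule and the ACCEPT rule carry separate limit buckets with equal
    parameters, so they agree on every packet. A SYN that finds the bucket
    empty passes the `-s !` rules (which cannot match this source) and hits
    the final `--syn -j REJECT`.
    """
    log_bucket = LimitMatch(rate_per_minute=10, burst=5)
    accept_bucket = LimitMatch(rate_per_minute=10, burst=5)
    verdicts = []
    for t in syn_times:
        logged = log_bucket.matches(t)
        accepted = accept_bucket.matches(t)
        assert logged == accepted, "equal buckets must give the same answer"
        verdicts.append((t, "ACCEPT" if accepted else "REJECT"))
    return verdicts


# Constructed sample: seven SYNs in the first second, then one more 6 s later.
SAMPLE_SYN_TIMES = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 6.6]

if __name__ == "__main__":
    for t, verdict in smtp_chain_verdicts(SAMPLE_SYN_TIMES):
        print(f"t={t:4.1f}s  {verdict}")
```

With these parameters the first five SYNs should be accepted, the sixth and seventh rejected, and the one arriving 6 seconds later accepted again because one token has refilled; a live chain that rejects the second or third connection is departing from this model.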