> My Netfilter firewall (unfortunately) is running also
> my Apache web server, FTP server and Telnet daemon.
> I honestly think this is ok but it's confusing me with
> the whole firewall aspect.

One could argue about security, but it's not uncommon.

> I wanted to allow new packets to go to my Linux box
> such as port 21 and 80 but only about 4 new connections
> per second.
>
> /sbin/iptables -A PREROUTING -i eth0 -p tcp -d x.x.x.x
> --dport 21 -m state
> --state NEW -m limit --limit 4/second -j DNAT --to x.x.x.x
>
> Whereas x.x.x.x is my IP that my ISP assigns me. Or would I use
> the following;
>
> /sbin/iptables -A PREROUTING -i eth0 -p tcp -d x.x.x.x
> --dport 21 -m state
> --state NEW -m limit --limit 4/second -j DNAT --to 192.168.0.1

If you're running servers on the firewall itself, packets sent to the server are going to the INPUT chain; you don't have to redirect the traffic if your servers are accessible on your external IP.

The INPUT chain is in the filter table. If you don't specify a table (-t <tablename>) on the iptables line, the filter table is assumed when creating the rule. Besides, the filter table has no PREROUTING chain, so both rules above would not work anyway.

I guess this rule would do the trick for http:

(/sbin/iptables -P INPUT DROP)
(/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT)
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m limit --limit 4/second -j ACCEPT

As for telnet: you might want to switch to ssh if possible. Telnet != secure because everything is sent in plaintext.

Rob
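The INPUT-chain ruleset Rob outlines (DROP policy, RELATED/ESTABLISHED accepted, NEW connections to the local services throttled), written out as a small script. This is an added example, not code from the thread; the interface name eth0, the port list "21 80" and the 4/second rate are assumptions carried over from the question, and setting IPT=echo prints the commands instead of applying them so the rules can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): the INPUT-chain rules for a
# firewall that runs its own services. With IPT=echo the commands are
# only printed, so the ruleset can be inspected without root.
IPT="${IPT:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"                  # assumed external interface
SERVICE_PORTS="${SERVICE_PORTS:-21 80}"   # assumed services on the firewall
NEW_RATE="${NEW_RATE:-4/second}"          # assumed NEW-connection rate

build_input_rules() {
    # Deny by default; every rule below is an explicit exception.
    "$IPT" -P INPUT DROP
    "$IPT" -F INPUT
    # Local processes talking to themselves must not be throttled.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Packets of already accepted connections bypass the limit,
    # so only the handshake (state NEW) is rate-limited.
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    for port in $SERVICE_PORTS; do
        # 'limit' is one aggregate bucket shared by all clients: once it
        # is empty, further SYNs fall through to the DROP policy.
        "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport "$port" \
            -m state --state NEW -m limit --limit "$NEW_RATE" -j ACCEPT
    done
    # Record what the policy drops, throttled so the log cannot be flooded.
    "$IPT" -A INPUT -m limit --limit 1/minute -j LOG --log-prefix "INPUT drop: "
}

# Number of rate-limited NEW-connection rules the ruleset contains (dry run).
count_rate_limited_rules() {
    ( IPT=echo; build_input_rules ) | grep -c -- '--state NEW'
}

case "${1:-}" in
    --apply) build_input_rules ;;                  # needs root
    *)       ( IPT=echo; build_input_rules ) ;;    # dry run: print the commands
esac
```

Run it with no arguments to review the generated rules, and with --apply (as root) to load them.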