Re: more limiting fun

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tib wrote:

| Ok, I've done some fiddling but still have some issues. I went with
| some recommendations on what people said and here's what I have.
| The first three rules of my startup set are as follows:
|
| iptables -A INPUT -i eth0 -p tcp --dport 22 -m state \ --state
| ESTABLISHED -j ACCEPT

So your OUTPUT policy is ACCEPT and you have no rule there saying that
SSH is forbidden - really ? And you start the connection from the
firewall box ? If so (and you do no filtering in mangle and nat) it
should work. So I believe that you want to connect *to* your firewall
box and not *from*. Then you need something like

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state \
~   --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 2 -m state \
~   --state ESTABLISHED -j ACCEPT


Or an OUTPUT policy of ACCEPT. That should do it.

|
| iptables -A INPUT -i eth0 -p tcp --destination-port 22 -m limit \
| --limit 15/hour --limit-burst 5
|
| iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j DROP
|
|
| This places (as directed), the established-accept rule first, my
| limit preferences second, and the drop last.
|
| The problem is that it still does exactly what it did before,
| namely that it doesn't respond at all once those rules are in
| place. Anyone have an idea what's going on? I know my ssh port
| isn't getting hammered THAT hard.
|
| <EOL> Tib


Have a nice time

Joerg

- --
- -----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach

Tel.: (+49) 22 26  87 18 12
Fax:  (+49) 22 26 87 18 19
mail: harmuth@xxxxxxxxx
Web:  http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2  7F5D B7D7 E48E 267B 204F
- -----------------------------------------------------------------------
Diese Mail wurde vor dem Versenden auf Viren und andere schädliche
Software untersucht. Es wurde keine maliziöse Software gefunden.

This Mail was checked for virusses and other malicious software before
sending. No malicious software was detected.
- -----------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCDNiit9fkjiZ7IE8RAuJSAJ9gpdygBJ9eb1rQARINr9NePPVvlACeMf/H
R2H+NPj9n+5I2Yl+mGvd5C4=
=ebHg
-----END PGP SIGNATURE-----




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux