Why not put something like this into your INPUT chain: -A INPUT -p tcp -m tcp --dport 22 -s xxx.xxx.xxx.xxx/28 -d yyy.yyy.yyy.yyy -j ACCEPT Also for your line: -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT This is a server wide limit not a per host limit which depending on what you're trying to prevent may not be the best way to do it. If you are trying to prevent a syn attack but still want the server to respond to legitimate requests try something like this: -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --set --name SYNATTACK --rsource -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --update --seconds 20 --hitcount 10 --name SYNATTACK --rsource -j DROP -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT This dynamically put hosts on a 'blacklist' who are trying to connect too fast (more that 10 times in a 20 second period.) with the use of --update it will keep them blacklisted as long as they continue to send packets too fast. On Tue, Apr 25, 2006 at 04:14:59PM +0300, Stratos Margaritis wrote: > Can someone help me find out why is this rule does not work? > > *filter > :INPUT DROP [1803:271102] > :FORWARD DROP [0:0] > :OUTPUT DROP [0:0] > -A INPUT -i lo -j ACCEPT > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT > -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT > -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT > -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT > -A INPUT -p udp -m udp --dport 53 -j ACCEPT > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT > -A INPUT -p icmp -j ACCEPT > -A INPUT -p tcp -j REJECT --reject-with tcp-reset > -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT > -A FORWARD -p tcp -i eth0 -s xxx.xxx.xxx.xxx/28 -o eth1 -d yyy.yyy.yyy.yyy -j > ACCEPT > -A FORWARD -j LOG > > Where xxx.xxx.xxx.xxx is a real network that should be allowed to contact the > server yyy.yyy.yyy.yyy both of which are having real IP's. > > > -- > Stratos > stratism@xxxxxxxxx -- Aj Mirani Network Operations Tucows.com Inc
