On May 10 2007 15:20, Patrick McHardy wrote:
>> And the following cmd oopsed it:
>>
>> # iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j sshcheck;
>
> I believe this is a bug in the compat code, which *seems* to call (it's
> a bit messy, I just had a quick look) the destroy function without
> having called checkentry previously when something goes wrong. Which
> commands did you run before this?

A lot ... as far as the filter table and sshcheck is concerned,

iptables -N sshcheck;
iptables -A sshcheck -m recent --name sshcheck --seconds 60 --update -j DROP;
iptables -A sshcheck -m hashlimit --hashlimit-name sshcheck \
    --hashlimit-mode srcip --hashlimit 4/min --hashlimit-burst 4 \
    -j RETURN;
iptables -A sshcheck -m recent --name sshcheck --set -j DROP;

Jan
--
To unsubscribe from this list: send the line "unsubscribe sparclinux" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
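The sshcheck chain above is a common SSH brute-force limiter, but the post does not spell out how the three rules interact. The following is an added example (not code from the post or from netfilter) that simulates the chain's verdict for a sequence of NEW connections, so the behaviour can be checked offline. It assumes the documented semantics of the two matches: `-m recent --seconds 60 --update` matches only if the source is already in the list and was last seen within 60 s, refreshing the timestamp on a match; `-m hashlimit --hashlimit 4/min --hashlimit-burst 4 --hashlimit-mode srcip` is a per-source token bucket that starts full at 4 tokens and refills one token every 15 s; `-m recent --set` adds or refreshes the source. The addresses and timestamps are constructed sample input.

```python
"""Simulation of the `sshcheck` iptables chain from the post (added example).

Model assumptions (not taken from the post, see lead-in):
  rule 1: -m recent --name sshcheck --seconds 60 --update -j DROP
  rule 2: -m hashlimit --hashlimit 4/min --hashlimit-burst 4 -j RETURN
  rule 3: -m recent --name sshcheck --set -j DROP
Only NEW connections reach the chain (the INPUT rule uses --ctstate NEW).
"""
from dataclasses import dataclass, field

RECENT_SECONDS = 60.0        # --seconds 60
BURST = 4                    # --hashlimit-burst 4
REFILL_INTERVAL = 60.0 / 4   # --hashlimit 4/min -> one token per 15 s


@dataclass
class SshCheck:
    recent: dict = field(default_factory=dict)   # srcip -> last-seen time
    buckets: dict = field(default_factory=dict)  # srcip -> (tokens, last update)

    def _hashlimit_match(self, src: str, now: float) -> bool:
        """Token bucket per source; a new source starts with a full bucket."""
        tokens, last = self.buckets.get(src, (float(BURST), now))
        tokens = min(float(BURST), tokens + (now - last) / REFILL_INTERVAL)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)   # keep fractional credit accruing
        return False

    def new_connection(self, src: str, now: float) -> str:
        """Return the chain's verdict for one NEW connection from src at time now."""
        # rule 1: already on the naughty list and seen within 60 s -> refresh, DROP
        last = self.recent.get(src)
        if last is not None and now - last <= RECENT_SECONDS:
            self.recent[src] = now
            return "DROP"
        # rule 2: within the per-source rate -> RETURN (caller continues in INPUT)
        if self._hashlimit_match(src, now):
            return "RETURN"
        # rule 3: over the rate -> put source on the list and DROP
        self.recent[src] = now
        return "DROP"


def simulate(events):
    """events: iterable of (srcip, time_seconds); returns list of verdicts."""
    chain = SshCheck()
    return [chain.new_connection(src, t) for src, t in events]


def run_scenario():
    """Constructed sample: one host hammering, one host behaving, then a retry."""
    attacker, neighbour = "10.0.0.5", "192.0.2.9"
    events = [(attacker, t) for t in (0, 1, 2, 3, 4)]   # 5 attempts in 5 s
    events += [(attacker, 10), (attacker, 50)]         # retries inside the 60 s window
    events += [(neighbour, 50)]                        # unrelated source, own bucket
    events += [(attacker, 111)]                        # 61 s after the last attempt
    return simulate(events)


if __name__ == "__main__":
    for (src, t), verdict in zip(
        [("10.0.0.5", t) for t in (0, 1, 2, 3, 4, 10, 50)]
        + [("192.0.2.9", 50), ("10.0.0.5", 111)],
        run_scenario(),
    ):
        print(f"t={t:4}  {src:10}  {verdict}")
```

The run shows the two things worth knowing about this ruleset: the fifth connection in a burst is what lands a source on the `recent` list, and because rule 1 uses `--update` rather than `--rcheck`, every further attempt inside the window refreshes the timestamp, so a client that keeps retrying stays blocked for as long as it keeps retrying and only gets through again after 60 s of silence (t=111 above). The block is also per source address, so hosts behind one NAT share a single bucket and a single lockout.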