From: Bob Tellefson <bob@zooid.com>
To: netfilter@lists.netfilter.org
Subject: Re: use of the limiting options
Date: Mon, 31 Jan 2005 19:00:37 +0000
Message-ID: <200501311900.37411.bob@zooid.com>
In-Reply-To: <7096989.1107132520756.JavaMail.rct@kale>
On Friday 28 January 2005 21:32, Tib wrote:
> Ahh, I was wondering about this. I had put the limit rule in place and the
> drop after it, and found that it apparently shut everything out. So do I
> need to do all three then?
>
> Establish rule
> Limit rule
> Drop rule
>
Here's a setup that works and shows the logic.
As noted by others, this is not a replacement for properly tightening your
sshd configuration. It is useful when you have ssh access from inside your
network and limited usage from outside. If you set the limit too low, you
will find your outside users complaining about erratic service.
#!/bin/sh
IPTABLES="iptables"
PER_MIN_LOG_LIMIT=30
NEW_SSH_PER_MIN_LIMIT=3
ISP_IFACE=eth0
#
###### routine ##### SSH LIMIT EXCEEDED - DO LOG/DROP
#
$IPTABLES -N do_drop_limited
$IPTABLES -A do_drop_limited -m limit --limit $PER_MIN_LOG_LIMIT/minute -j LOG \
  --log-prefix "__DROP LIMITED: "
$IPTABLES -A do_drop_limited -j DROP
#
###### routine ##### SSH LIMIT NOT EXCEEDED - LOG FOR INFO
#
$IPTABLES -N log_limited_service
$IPTABLES -A log_limited_service -m limit --limit $PER_MIN_LOG_LIMIT/minute -j LOG \
  --log-prefix "__LIMITED REQUEST: "
#
###### routine ##### SSH LIMIT
# limits number of incoming ssh connections per minute.
# NOTE: disable this one when your only access is from the outside
# to avoid being the victim of a mini DoS locking you out.
#
$IPTABLES -N ssh_limit
$IPTABLES -A ssh_limit -j log_limited_service
$IPTABLES -A ssh_limit -m limit --limit $NEW_SSH_PER_MIN_LIMIT/minute \
  --limit-burst $NEW_SSH_PER_MIN_LIMIT -j RETURN
$IPTABLES -A ssh_limit -j do_drop_limited
#
##### FORWARD RULES
#
# if we reject with reset, maybe we can prevent some hanging connections
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j REJECT \
  --reject-with tcp-reset
# assumes NEW without syn has already been taken care of
$IPTABLES -A FORWARD -p tcp -i $ISP_IFACE -m state --state NEW --dport 22 \
  -j ssh_limit
--
Bob Tellefson
Java network application development & hosting
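Added example (not from the mail or from netfilter): a small model of the `limit` match as an integer-credit token bucket, walked over a constructed packet trace through Tib's three-rule layout (ESTABLISHED accept, limit accept, drop). It shows why leaving out the first rule "shuts everything out": every packet of an open session spends a token, so the session itself is dropped once the burst is used up. The 3/minute and burst 3 values are taken from the script above; the trace and the conntrack stand-in are assumptions.

```python
"""Token-bucket model of `-m limit --limit RATE/minute --limit-burst BURST`,
kept in integer credits. Constructed example, not netfilter's own code."""


class LimitMatch:
    """One matching packet costs 60 credits; RATE/minute refills RATE credits/s."""

    def __init__(self, rate_per_min: int, burst: int):
        self.cost = 60
        self.max_credit = burst * self.cost   # bucket size from --limit-burst
        self.credit = self.max_credit         # bucket starts full
        self.per_second = rate_per_min
        self.last_t = 0

    def matches(self, t: int) -> bool:
        """Refill for the seconds elapsed, then match only if a whole token is left."""
        self.credit = min(self.max_credit,
                          self.credit + (t - self.last_t) * self.per_second)
        self.last_t = t
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def run_chain(packets, established_first: bool):
    """Verdict per (second, connection) packet for the layout
    [ESTABLISHED -> ACCEPT] -> limit 3/minute -> ACCEPT -> DROP.
    established_first=False drops the first rule, so packets of an
    already-open session also spend tokens (Tib's broken setup)."""
    limit = LimitMatch(rate_per_min=3, burst=3)
    open_conns = set()   # stand-in for conntrack: sessions already let through
    verdicts = []
    for t, conn in packets:
        if established_first and conn in open_conns:
            verdicts.append("ACCEPT")
        elif limit.matches(t):
            open_conns.add(conn)
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")
    return verdicts


# Constructed trace: session A keeps sending; B, C, D are new logins; D retries 14 s later.
TRACE = [(0, "A"), (1, "A"), (2, "A"), (3, "A"), (5, "B"), (6, "C"), (7, "D"), (21, "D")]


def without_established_rule():   # A's own 4th packet and every new login get dropped
    return run_chain(TRACE, established_first=False)


def with_established_rule():      # only the 4th login in the burst waits for a refill
    return run_chain(TRACE, established_first=True)
```

In the second run D is refused at t=7 and accepted at t=21, which is the 20-second refill of a 3/minute limit that outside users experience as erratic service.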