From: Aj Mirani <debsec@tucows.com>
To: Stratos Margaritis <stratism@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Why is this not working???
Date: Wed, 26 Apr 2006 08:57:26 -0400 [thread overview]
Message-ID: <20060426125726.GI5568@orbitor.ops.internal.tucows.com> (raw)
In-Reply-To: <200604251615.03991.stratism@gmail.com>
Why not put something like this into your INPUT chain:
-A INPUT -p tcp -m tcp --dport 22 -s xxx.xxx.xxx.xxx/28 -d yyy.yyy.yyy.yyy -j ACCEPT
Also for your line:
-A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
This is a server wide limit not a per host limit which depending on what
you're trying to prevent may not be the best way to do it.
If you are trying to prevent a syn attack but still want the server to
respond to legitimate requests try something like this:
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --set --name SYNATTACK --rsource
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --update --seconds 20 --hitcount 10 --name SYNATTACK --rsource -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
This dynamically put hosts on a 'blacklist' who are trying to connect
too fast (more that 10 times in a 20 second period.) with the use of
--update it will keep them blacklisted as long as they continue to send
packets too fast.
On Tue, Apr 25, 2006 at 04:14:59PM +0300, Stratos Margaritis wrote:
> Can someone help me find out why is this rule does not work?
>
> *filter
> :INPUT DROP [1803:271102]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
> -A FORWARD -p tcp -i eth0 -s xxx.xxx.xxx.xxx/28 -o eth1 -d yyy.yyy.yyy.yyy -j
> ACCEPT
> -A FORWARD -j LOG
>
> Where xxx.xxx.xxx.xxx is a real network that should be allowed to contact the
> server yyy.yyy.yyy.yyy both of which are having real IP's.
>
>
> --
> Stratos
> stratism@gmail.com
--
Aj Mirani
Network Operations
Tucows.com Inc
next prev parent reply other threads:[~2006-04-26 12:57 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-25 13:14 Why is this not working??? Stratos Margaritis
2006-04-26 11:42 ` Samuel Díaz García
2006-04-26 11:44 ` Cedric Blancher
2006-04-26 11:49 ` Rob Sterenborg
2006-04-26 12:57 ` Aj Mirani [this message]
2006-04-27 7:13 ` Stratos Margaritis
2006-04-27 14:30 ` Aj Mirani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060426125726.GI5568@orbitor.ops.internal.tucows.com \
--to=debsec@tucows.com \
--cc=netfilter@lists.netfilter.org \
--cc=stratism@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.