From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: more limiting fun
Date: Fri, 11 Feb 2005 17:09:07 +0100 [thread overview]
Message-ID: <420CD8A3.3070003@mnemon.de> (raw)
In-Reply-To: <Pine.LNX.4.53.0502110936210.1996@altaica>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tib wrote:
| Ok, I've done some fiddling but still have some issues. I went with
| some recommendations on what people said and here's what I have.
| The first three rules of my startup set are as follows:
|
| iptables -A INPUT -i eth0 -p tcp --dport 22 -m state \ --state
| ESTABLISHED -j ACCEPT
So your OUTPUT policy is ACCEPT and you have no rule there saying that
SSH is forbidden - really ? And you start the connection from the
firewall box ? If so (and you do no filtering in mangle and nat) it
should work. So I believe that you want to connect *to* your firewall
box and not *from*. Then you need something like
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state \
~ --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 2 -m state \
~ --state ESTABLISHED -j ACCEPT
Or an OUTPUT policy of ACCEPT. That should do it.
|
| iptables -A INPUT -i eth0 -p tcp --destination-port 22 -m limit \
| --limit 15/hour --limit-burst 5
|
| iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j DROP
|
|
| This places (as directed), the established-accept rule first, my
| limit preferences second, and the drop last.
|
| The problem is that it still does exactly what it did before,
| namely that it doesn't respond at all once those rules are in
| place. Anyone have an idea what's going on? I know my ssh port
| isn't getting hammered THAT hard.
|
| <EOL> Tib
Have a nice time
Joerg
- --
- -----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach
Tel.: (+49) 22 26 87 18 12
Fax: (+49) 22 26 87 18 19
mail: harmuth@mnemon.de
Web: http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
- -----------------------------------------------------------------------
Diese Mail wurde vor dem Versenden auf Viren und andere schädliche
Software untersucht. Es wurde keine maliziöse Software gefunden.
This Mail was checked for virusses and other malicious software before
sending. No malicious software was detected.
- -----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCDNiit9fkjiZ7IE8RAuJSAJ9gpdygBJ9eb1rQARINr9NePPVvlACeMf/H
R2H+NPj9n+5I2Yl+mGvd5C4=
=ebHg
-----END PGP SIGNATURE-----
prev parent reply other threads:[~2005-02-11 16:09 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-02-11 15:43 more limiting fun Tib
2005-02-11 15:53 ` [OBORONA-SPAM] " Mikhail Zotov
2005-02-11 15:59 ` Tib
2005-02-11 15:53 ` Jason Opperisano
2005-02-11 16:05 ` Tib
2005-02-11 16:09 ` Jörg Harmuth [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=420CD8A3.3070003@mnemon.de \
--to=harmuth@mnemon.de \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.