From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@lists.netfilter.org
Cc: Sven Geggus <sven@gegg.us>
Subject: Re: Strange behaviour of REDIRECT/ipt_recent
Date: Fri, 23 Sep 2005 07:55:15 -0500
Message-ID: <200509230755.21161.rob0@gmx.co.uk>
In-Reply-To: <20050922211815.GA3701@diesel.geggus.net>
On Thursday 22 September 2005 16:18, Sven Geggus wrote:
> the following rule works fine so far
> (redirect any connection to a given IP to Port 22):
>
> iptables -t nat -A PREROUTING -p tcp ! --dport 22 -d $SSHIP -j \
> REDIRECT --to-port 22
>
> But now I need to restrict connections to 3 accesses per minute to
> prevent DoS attacks by means of port scans:
>
> iptables -A INPUT -i eth0 -p tcp -d $SSHIP -m state --state NEW \
> -m recent --set --name SSH
You changed the destination IP in the REDIRECT rule. I can only guess
that $SSHIP is not the primary IP of eth0.
> I suspect that the redirect rule may change the destination IP to the
> default IP of eth0, but I would consider this to be a bug.
Why guess? From "man iptables":
REDIRECT
...redirects the packet to the machine itself by changing
the destination IP to the primary address of the incoming
interface (locally-generated packets are mapped to the
127.0.0.1 address).
You're getting the intended (documented) behaviour. Perhaps you will
want to mangle/MARK these packets before REDIRECT.
This whole exercise seems odd to me. Why force all TCP into one port?
Your sshd is sure to complain about all the non-SSH protocol traffic
it's getting. </dev/lightbulb comes on> Are you trying to ssh from
sites with brain-dead restrictive firewalls? And you don't know in
advance which ports they might allow out?
If so I see the sense in it. Consider, however, the possibility that
these sites are allowing NO direct traffic out. It is possible to
create the illusion of Internet access by using proxy servers. Their
proxy won't handle your SSH.
Have you talked to the site administrator[s]? I know, most of them
wouldn't know what you're talking about, and you would frighten them.
But, you seem to be deliberately doing something which goes against
their security policy. If you hit their proxy servers with your SSH
traffic, they might come seeking YOU.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
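As an added illustration (not code from this thread or from netfilter), here is a small Python model of the chain order mangle PREROUTING -> nat PREROUTING -> filter INPUT for the rules discussed above: it shows why an INPUT rule keyed on `-d $SSHIP` never fires once REDIRECT has rewritten the destination, while a mark set in mangle still matches. The addresses are constructed, and the hit-count drop after `--set` is an assumed companion rule that the original mail does not show.

```python
"""Toy model of netfilter chain traversal for the REDIRECT/ipt_recent case.
Not real iptables: only the matching logic needed to show the effect."""
from dataclasses import dataclass

PRIMARY_IP = "192.0.2.1"   # constructed: primary address of eth0
SSHIP = "192.0.2.2"        # constructed: extra address the rules key on
RECENT = {}                # "recent" tables: name -> {src: [timestamps]}

@dataclass
class Packet:
    src: str
    daddr: str
    dport: int
    mark: int = 0

def mangle_prerouting(pkt):
    # -t mangle -A PREROUTING -p tcp -d $SSHIP -j MARK --set-mark 1
    if pkt.daddr == SSHIP:
        pkt.mark = 1

def nat_prerouting(pkt):
    # -t nat -A PREROUTING -p tcp ! --dport 22 -d $SSHIP -j REDIRECT --to-port 22
    if pkt.daddr == SSHIP and pkt.dport != 22:
        pkt.daddr = PRIMARY_IP   # documented: rewritten to eth0's primary address
        pkt.dport = 22

def filter_input(pkt, now, use_mark, limit=3, window=60):
    """Return the verdict. Rule 1 records the source (-m recent --set);
    rule 2 (assumed companion rule) drops once more than `limit` hits
    from that source fall inside `window` seconds."""
    matched = pkt.mark == 1 if use_mark else pkt.daddr == SSHIP
    if not matched:
        return "ACCEPT"          # rule never fires, so nothing is recorded
    hits = RECENT.setdefault("SSH", {}).setdefault(pkt.src, [])
    hits.append(now)
    return "DROP" if sum(now - t <= window for t in hits) > limit else "ACCEPT"

def new_connection(src, dport, now, use_mark):
    pkt = Packet(src=src, daddr=SSHIP, dport=dport)   # every packet is a NEW SYN
    mangle_prerouting(pkt)
    nat_prerouting(pkt)
    return filter_input(pkt, now, use_mark)

def burst(n, use_mark, dport=8080):
    """n SYNs from one constructed source, one second apart; list of verdicts."""
    RECENT.clear()
    return [new_connection("198.51.100.7", dport, i, use_mark) for i in range(n)]
```

`burst(5, use_mark=False)` accepts everything because the redirected packets no longer carry `$SSHIP`; `burst(5, use_mark=True)` drops from the fourth SYN onward, as does the unmarked variant when the client already targets port 22 and no rewrite happens.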