* more limiting fun
@ 2005-02-11 15:43 Tib
2005-02-11 15:53 ` [OBORONA-SPAM] " Mikhail Zotov
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Tib @ 2005-02-11 15:43 UTC (permalink / raw)
To: netfilter
Ok, I've done some fiddling but still have some issues. I went with some
recommendations on what people said and here's what I have. The first
three rules of my startup set are as follows:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state \
--state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --destination-port 22 -m limit \
--limit 15/hour --limit-burst 5
iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j DROP
This places (as directed), the established-accept rule first, my limit
preferences second, and the drop last.
The problem is that it still does exactly what it did before, namely that
it doesn't respond at all once those rules are in place. Anyone have an
idea what's going on? I know my ssh port isn't getting hammered THAT hard.
<EOL>
Tib
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [OBORONA-SPAM] more limiting fun
2005-02-11 15:43 more limiting fun Tib
@ 2005-02-11 15:53 ` Mikhail Zotov
2005-02-11 15:59 ` Tib
2005-02-11 15:53 ` Jason Opperisano
2005-02-11 16:09 ` Jörg Harmuth
2 siblings, 1 reply; 6+ messages in thread
From: Mikhail Zotov @ 2005-02-11 15:53 UTC (permalink / raw)
To: netfilter
On Friday 11 February 2005 18:43, Tib wrote:
> Ok, I've done some fiddling but still have some issues. I went with some
> recommendations on what people said and here's what I have. The first
> three rules of my startup set are as follows:
>
> iptables -A INPUT -i eth0 -p tcp --dport 22 -m state \
> --state ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -i eth0 -p tcp --destination-port 22 -m limit \
> --limit 15/hour --limit-burst 5
>
> The problem is that it still does exactly what it did before, namely that
> it doesn't respond at all once those rules are in place. Anyone have an
> idea what's going on? I know my ssh port isn't getting hammered THAT hard.
AFAIU, the last line is incomplete: there is nowhere to "jump".
As for me, I would have added
-m state --state NEW
to it for clarity.
--
Mikhail
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OBORONA-SPAM] more limiting fun
2005-02-11 15:53 ` [OBORONA-SPAM] " Mikhail Zotov
@ 2005-02-11 15:59 ` Tib
0 siblings, 0 replies; 6+ messages in thread
From: Tib @ 2005-02-11 15:59 UTC (permalink / raw)
To: Mikhail Zotov; +Cc: netfilter
On Fri, 11 Feb 2005, Mikhail Zotov wrote:
> AFAIU, the last line is incomplete: there is nowhere to "jump".
> As for me, I would have added
>
> -m state --state NEW
>
> to it for clarity.
What would this do exactly (as in how would it affect where it falls in
the ruleset)? I think I have a grasp on it but I'd like to know for
certain.
<EOL>
Tib
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: more limiting fun
2005-02-11 15:43 more limiting fun Tib
2005-02-11 15:53 ` [OBORONA-SPAM] " Mikhail Zotov
@ 2005-02-11 15:53 ` Jason Opperisano
2005-02-11 16:05 ` Tib
2005-02-11 16:09 ` Jörg Harmuth
2 siblings, 1 reply; 6+ messages in thread
From: Jason Opperisano @ 2005-02-11 15:53 UTC (permalink / raw)
To: netfilter
On Fri, Feb 11, 2005 at 09:43:05AM -0600, Tib wrote:
> Ok, I've done some fiddling but still have some issues. I went with some
> recommendations on what people said and here's what I have. The first
> three rules of my startup set are as follows:
>
> iptables -A INPUT -i eth0 -p tcp --dport 22 -m state \
> --state ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -i eth0 -p tcp --destination-port 22 -m limit \
> --limit 15/hour --limit-burst 5
this rule doesn't jump anywhere; therefore it is a non-terminating match
and all packets will continue on to...
> iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j DROP
...the rule that drops all inbound ssh traffic.
try adding a "-j ACCEPT" to the limit rule.
-j
--
"That's it! You people have stood in my way long enough. I'm going
to clown college!"
--The Simpsons
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: more limiting fun
2005-02-11 15:53 ` Jason Opperisano
@ 2005-02-11 16:05 ` Tib
0 siblings, 0 replies; 6+ messages in thread
From: Tib @ 2005-02-11 16:05 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
I see. I tried a NEW for the jump target but it didn't like that, so I
tried accept instead. Now it seems to work just fine. Thanks everyone!
<EOL>
Tib
On Fri, 11 Feb 2005, Jason Opperisano wrote:
> On Fri, Feb 11, 2005 at 09:43:05AM -0600, Tib wrote:
> > Ok, I've done some fiddling but still have some issues. I went with some
> > recommendations on what people said and here's what I have. The first
> > three rules of my startup set are as follows:
> >
> > iptables -A INPUT -i eth0 -p tcp --dport 22 -m state \
> > --state ESTABLISHED -j ACCEPT
> >
> > iptables -A INPUT -i eth0 -p tcp --destination-port 22 -m limit \
> > --limit 15/hour --limit-burst 5
>
> this rule doesn't jump anywhere; therefore it is a non-terminating match
> and all packets will continue on to...
>
> > iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j DROP
>
> ...the rule that drops all inbound ssh traffic.
>
> try adding a "-j ACCEPT" to the limit rule.
>
> -j
>
> --
> "That's it! You people have stood in my way long enough. I'm going
> to clown college!"
> --The Simpsons
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: more limiting fun
2005-02-11 15:43 more limiting fun Tib
2005-02-11 15:53 ` [OBORONA-SPAM] " Mikhail Zotov
2005-02-11 15:53 ` Jason Opperisano
@ 2005-02-11 16:09 ` Jörg Harmuth
2 siblings, 0 replies; 6+ messages in thread
From: Jörg Harmuth @ 2005-02-11 16:09 UTC (permalink / raw)
To: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tib wrote:
| Ok, I've done some fiddling but still have some issues. I went with
| some recommendations on what people said and here's what I have.
| The first three rules of my startup set are as follows:
|
| iptables -A INPUT -i eth0 -p tcp --dport 22 -m state \ --state
| ESTABLISHED -j ACCEPT
So your OUTPUT policy is ACCEPT and you have no rule there saying that
SSH is forbidden - really ? And you start the connection from the
firewall box ? If so (and you do no filtering in mangle and nat) it
should work. So I believe that you want to connect *to* your firewall
box and not *from*. Then you need something like
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state \
~ --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 2 -m state \
~ --state ESTABLISHED -j ACCEPT
Or an OUTPUT policy of ACCEPT. That should do it.
|
| iptables -A INPUT -i eth0 -p tcp --destination-port 22 -m limit \
| --limit 15/hour --limit-burst 5
|
| iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j DROP
|
|
| This places (as directed), the established-accept rule first, my
| limit preferences second, and the drop last.
|
| The problem is that it still does exactly what it did before,
| namely that it doesn't respond at all once those rules are in
| place. Anyone have an idea what's going on? I know my ssh port
| isn't getting hammered THAT hard.
|
| <EOL> Tib
Have a nice time
Joerg
- --
- -----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach
Tel.: (+49) 22 26 87 18 12
Fax: (+49) 22 26 87 18 19
mail: harmuth@mnemon.de
Web: http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
- -----------------------------------------------------------------------
Diese Mail wurde vor dem Versenden auf Viren und andere schädliche
Software untersucht. Es wurde keine maliziöse Software gefunden.
This Mail was checked for virusses and other malicious software before
sending. No malicious software was detected.
- -----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCDNiit9fkjiZ7IE8RAuJSAJ9gpdygBJ9eb1rQARINr9NePPVvlACeMf/H
R2H+NPj9n+5I2Yl+mGvd5C4=
=ebHg
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2005-02-11 16:09 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-02-11 15:43 more limiting fun Tib
2005-02-11 15:53 ` [OBORONA-SPAM] " Mikhail Zotov
2005-02-11 15:59 ` Tib
2005-02-11 15:53 ` Jason Opperisano
2005-02-11 16:05 ` Tib
2005-02-11 16:09 ` Jörg Harmuth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox