Linux Netfilter discussions
From: Sorin Panca <sorin.panca@gmail.com>
To: Sven Geggus <sven@gegg.us>, netfilter@lists.netfilter.org
Subject: Re: Strange behaviour of REDIRECT/ipt_recent
Date: Sat, 24 Sep 2005 15:56:41 +0300
Message-ID: <43354D09.40103@gmail.com>
In-Reply-To: <20050922211815.GA3701@diesel.geggus.net>



Sven Geggus wrote:
> Hi there,
> 
> the following rule works fine so far
> (redirect any connection to a given IP to Port 22):
> 
> iptables -t nat -A PREROUTING  -p tcp ! --dport 22 -d $SSHIP -j REDIRECT \
> --to-port 22
> 
> But now I need to restrict connections to 3 accesses per minute to prevent
> DoS attacks by means of port scans:
> 
> iptables -A INPUT -i eth0 -p tcp -d $SSHIP -m state --state NEW -m recent \
> --set --name SSH
> iptables -A INPUT -i eth0 -p tcp -d $SSHIP -m state --state NEW -m recent \
> --update --seconds 60 --hitcount 4 --rttl --name SSH -j REJECT \
> --reject-with tcp-reset
> 
> Unfortunately this does not work as expected :(
> 
> It just works on port 22 but not on any other port.
> 
> I suspect that the redirect rule may change the destination IP to the
> default IP of eth0, but I would consider this to be a bug.
> 
> Can you confirm this? Workarounds?
> 
> Sven
> 
> P.S.: Please CC me in the reply, because I am not subscribed to the list.
> 
If you want to access your SSH server from behind a transparent Squid
proxy, try HTTPS (443) and the messengers' ports; for Yahoo it is 5050. I
did that successfully: I built an SSH tunnel and routed my default gateway
through it. It worked like magic.
But beware to add a static route to your previous default gateway,
otherwise you will lose the connection to your sshd server host.
If there are some LANs behind the Squid transparent proxy that you need
to access, set static routes for those too. You can put the script that
sets up the routes and iptables forwarding rules (if you want to be the
gateway for your friends in pain, and have them make you their default
gateway, you will need to set up some bandwidth management for them) in
the pppd config directory.
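The quoted question above can be reproduced in a small model. The following is an added simulation, not code from the thread or from netfilter: it models the two stages Sven's rules pass through, nat/PREROUTING with REDIRECT and then filter/INPUT with `-m recent`, using the documented REDIRECT behaviour (destination rewritten to the incoming interface's primary address). It assumes constructed addresses, that $SSHIP is a secondary address on eth0, and, as a suggested fix that is not from the thread, matching the post-REDIRECT packet on port 22 instead of on `-d $SSHIP`.

```python
# Added simulation (not from the thread). Addresses are constructed.
ETH0_PRIMARY = "192.0.2.1"   # assumed primary address of eth0
SSHIP = "192.0.2.2"          # $SSHIP, assumed to be a secondary address on eth0


def prerouting_redirect(pkt):
    """-t nat -A PREROUTING -p tcp ! --dport 22 -d $SSHIP -j REDIRECT --to-port 22
    REDIRECT rewrites dst to the incoming interface's primary address (documented)."""
    if pkt["proto"] == "tcp" and pkt["dport"] != 22 and pkt["dst"] == SSHIP:
        return {**pkt, "dst": ETH0_PRIMARY, "dport": 22}
    return pkt


class Recent:
    """Minimal model of the 'recent' match: per-source list of hit timestamps."""
    def __init__(self):
        self.hits = {}

    def set(self, src, now):                                # --set --name SSH
        self.hits.setdefault(src, []).append(now)

    def over_limit(self, src, now, seconds, hitcount):      # --update --seconds --hitcount
        window = [t for t in self.hits.get(src, []) if now - t <= seconds]
        return len(window) >= hitcount


def input_chain(pkt, recent, now, match):
    """The two INPUT rules; 'match' stands in for the '-d $SSHIP' part of both."""
    if pkt["proto"] != "tcp" or not pkt["new"] or not match(pkt):
        return "ACCEPT"
    recent.set(pkt["src"], now)
    if recent.over_limit(pkt["src"], now, 60, 4):           # 4th hit in 60 s
        return "REJECT"                                     # --reject-with tcp-reset
    return "ACCEPT"


def run(dports, match):
    """Five NEW connections from one source, one per second; returns verdicts."""
    recent, verdicts = Recent(), []
    for i, dport in enumerate(dports):
        pkt = {"proto": "tcp", "src": "198.51.100.7", "dst": SSHIP, "dport": dport, "new": True}
        verdicts.append(input_chain(prerouting_redirect(pkt), recent, i, match))
    return verdicts


def as_posted(p):      # Sven's '-d $SSHIP'
    return p["dst"] == SSHIP


def after_nat(p):      # assumed fix: match the packet as it looks after REDIRECT
    return p["dport"] == 22
```

Direct port-22 connections hit the limit with either predicate, but redirected ones bypass `as_posted` entirely because their destination is no longer $SSHIP by the time INPUT sees them, which matches the reported symptom.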


Thread overview: 3+ messages
2005-09-22 21:18 Strange behaviour of REDIRECT/ipt_recent Sven Geggus
2005-09-23 12:55 ` /dev/rob0
2005-09-24 12:56 ` Sorin Panca [this message]
