
Re: iptables not behaving the way I expected



On Thu, Apr 19, 2007 at 09:18:45PM -0700, John L Fjellstad wrote:
> Jim Hyslop <jhyslop@dreampossible.ca> writes:
>
> Hello, all
>
> I've set my SSH to accept only public key authorization, and forwarded
> port 22 from the Big Bad Internet to my Debian box. Predictably, I'm
> being hit by a lot of dictionary attempts to log in. A while back,
> someone posted a link in this list to a blog that gave an Iptables
> recipe to limit connections to 5 per minute per IP address. So, I issued
> the commands:
>
> iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NEW \
> -m recent --set --name SSH
>
> iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NEW \
> -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH \
> -j DROP
>

These are the rules I use for my ftp server, and it works fine :

iptables -A lan_in_new -p tcp --syn --dport 21 -m recent \
	--set --name ftp_hits_list2
iptables -A wan_in_new -p tcp --syn --dport 21 -m recent --rcheck \
	--seconds 300 --hitcount 4 --name ftp_hits_list2 -j reject_all
iptables -A lan_in_new -p tcp --syn --dport 21 -j ACCEPT

First of all, I add the IP address to the list, then I update the counters
(4 hits/300 s) and drop packets if they do not match these rules. Otherwise I
ACCEPT the packets.

This is just an example; you may have to update it according to your default
policy and ruleset.

> but that didn't throttle back the attempts. I tried '-i eth0' instead of
> ethLRZ, but no effect.

What do you mean you tried *-i eth0*? You have defined ethLRZ, haven't you?

> 'iptables -L' shows:
>

Take a look at *iptables -L -v* in order to make sure your rules are set
on the right interfaces. Moreover, you will be able to see how many
packets a rule has matched.

> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> tcp -- anywhere anywhere tcp dpt:ssh state NEW
> recent: SET name: SSH side: source
> DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW
> recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: SSH side: source
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination

You may have forgotten to set your default policy. According to what you
wrote, your default policy is ACCEPT for INPUT, FORWARD, and OUTPUT
chains. This is not safe, since you accept all incoming and outgoing
traffic.

-- 
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
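A worked version of the "-m recent" SSH rate limit discussed in this thread, added here as an example; it is not code from either poster. The chain name SSH_LIMIT, the list name SSH, the parameter defaults and the two helper functions are assumptions for illustration. The functions only print the iptables commands, so the ordering can be reviewed first and then applied as root with `render_rules ethLRZ 22 60 5 | sh`.

```shell
#!/bin/sh
# Added example: parametrised "-m recent" limiter for new SSH connections.
# Assumed names: chain SSH_LIMIT, recent list SSH, helpers render_rules and
# verify_cmds. Nothing here touches the kernel; the functions print the
# iptables commands so they can be checked and then piped to sh as root.

# render_rules [iface] [port] [seconds] [hitcount]
render_rules() {
    iface="${1:-eth0}"
    port="${2:-22}"
    secs="${3:-60}"
    hits="${4:-5}"
    cat <<EOF
# Dedicated chain: the limiter can be flushed and reloaded without touching INPUT.
iptables -N SSH_LIMIT 2>/dev/null || iptables -F SSH_LIMIT
# 1. Every new attempt adds a timestamp for the source address to list "SSH".
iptables -A SSH_LIMIT -m recent --set --name SSH
# 2. Source already has $hits timestamps inside the last ${secs}s: log (rate-limited), then drop.
#    --rcheck only reads the list; --update also refreshes the entry, so a client
#    that keeps hammering stays blocked until it has been quiet for ${secs}s.
iptables -A SSH_LIMIT -m recent --rcheck --seconds $secs --hitcount $hits --rttl --name SSH -m limit --limit 3/min -j LOG --log-prefix "SSH-LIMIT: "
iptables -A SSH_LIMIT -m recent --update --seconds $secs --hitcount $hits --rttl --name SSH -j DROP
# 3. Below the threshold: accept the new connection.
iptables -A SSH_LIMIT -j ACCEPT
# Only new TCP connections to the SSH port on the outside interface enter the chain.
iptables -A INPUT -i $iface -p tcp --dport $port -m state --state NEW -j SSH_LIMIT
EOF
}

# verify_cmds prints the checks to run after loading: the pkts counter on the
# jump to SSH_LIMIT must grow while attempts are arriving; if it stays at zero
# the rule is not seeing the traffic (wrong interface, wrong chain, or the
# packets are not --state NEW), which is what "iptables -L -v" reveals.
verify_cmds() {
    cat <<'EOF'
iptables -L INPUT -v -n --line-numbers
iptables -L SSH_LIMIT -v -n
cat /proc/net/xt_recent/SSH    # /proc/net/ipt_recent/SSH on older 2.6 kernels
EOF
}

# Stand-alone run: show the ruleset for the interface and port from the thread.
render_rules ethLRZ 22 60 5
verify_cmds
```

Two points about the ordering and limits. With the --set rule placed before the --update rule, the fifth attempt inside the window is the first one dropped, because --set has already recorded the fifth timestamp by the time --update counts them; swap the two rules and it is the sixth. --hitcount cannot exceed the recent module's per-address timestamp store (the ip_pkt_list_tot parameter, 20 by default), and iptables refuses the rule if it does. Also note that this counts attempts per source address, so it slows one scanner down but does nothing against a dictionary attack spread across many hosts.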


