Re: iptables not behaving the way I expected

On 4/18/07, Jim Hyslop <jhyslop@dreampossible.ca> wrote:
Hello, all

I've set my SSH to accept only public key authorization, and forwarded
port 22 from the Big Bad Internet to my Debian box. Predictably, I'm
being hit by a lot of dictionary attempts to log in. A while back,
someone posted a link in this list to a blog that gave an Iptables
recipe to limit connections to 5 per minute per IP address. So, I issued
the commands:

You can use DenyHosts, read how here.

iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NEW \
    -m recent --set --name SSH

iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH \
    -j DROP

but that didn't throttle back the attempts. I tried '-i eth0' instead of
ethLRZ, but no effect.

'iptables -L' shows:

Chain INPUT (policy ACCEPT)
target     prot opt source     destination
           tcp  --  anywhere   anywhere     tcp dpt:ssh state NEW recent: SET name: SSH side: source
DROP       tcp  --  anywhere   anywhere     tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: SSH side: source

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

It looks right to my (non-expert) eye. Can anyone see what I've done wrong?

Oh, yeah - I'm running Sarge, in case that makes a difference.


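To make the interaction of the two quoted rules concrete, here is an added Python model of the `recent` match as documented for `xt_recent` (this is editorial example code, not from either poster, and it is a simplification: jiffies, the per-entry stamp cap, table ageing and the `--rttl` TTL key are left out). `--set` records a timestamp for the source address; `--update --seconds 60 --hitcount 5` matches when the address is already listed and at least five timestamps fall within the last 60 seconds, refreshing the entry when it matches. The attempt list and addresses are constructed input.

```python
# Simplified model of the iptables "recent" match for the two quoted rules.
# Added example for this page; not from the mailing-list thread or Netfilter.
# Omitted on purpose: jiffies granularity, the ip_pkt_list_tot stamp cap,
# entry expiry, and --rttl (treated here as always satisfied).
from dataclasses import dataclass, field

SECONDS, HITCOUNT = 60, 5   # --seconds 60 --hitcount 5 from the quoted rule


@dataclass
class RecentEntry:
    """One source address in a 'recent' table: the timestamps it was seen at."""
    stamps: list = field(default_factory=list)


class RecentList:
    """One named table (--name SSH), keyed by source address."""

    def __init__(self):
        self.entries = {}

    def set(self, src, now):
        """-m recent --set: add the address, or append a stamp if listed."""
        self.entries.setdefault(src, RecentEntry()).stamps.append(now)
        return True  # --set always matches

    def update(self, src, now, seconds, hitcount):
        """-m recent --update --seconds S --hitcount N: match if the address
        is listed with >= N stamps inside the last S seconds; refresh on match."""
        e = self.entries.get(src)
        if e is None:
            return False
        hits = sum(1 for s in e.stamps if s > now - seconds)
        if hits < hitcount:
            return False
        e.stamps.append(now)  # a matching --update refreshes the entry
        return True


def filter_new_ssh_connection(table, src, now):
    """Walk the quoted INPUT chain for one NEW tcp/22 packet from src."""
    # Rule 1: --state NEW -m recent --set --name SSH (no -j, so the walk continues)
    table.set(src, now)
    # Rule 2: --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
    if table.update(src, now, SECONDS, HITCOUNT):
        return "DROP"
    return "ACCEPT"  # falls through to the chain policy, which is ACCEPT


def simulate(attempts):
    """attempts: (seconds, source_ip) pairs in arrival order -> list of verdicts."""
    table = RecentList()
    return [filter_new_ssh_connection(table, src, t) for t, src in attempts]


# Constructed input: a burst of six NEW connections from one address, an
# unrelated address in the middle, then the first address again after a quiet minute.
ATTEMPTS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
    (3, "198.51.100.7"), (3, "203.0.113.9"), (4, "198.51.100.7"),
    (5, "198.51.100.7"), (70, "198.51.100.7"),
]

if __name__ == "__main__":
    for (t, src), verdict in zip(ATTEMPTS, simulate(ATTEMPTS)):
        print(f"t={t:>3}s {src:<14} {verdict}")
```

In this model the packet's own `--set` stamp counts toward `--hitcount 5`, so the fifth NEW connection inside the window is the first one dropped (four get through), other addresses have their own entries, and a quiet minute lets the source connect again. Two practical checks follow from the thread: `iptables -L` without `-v` omits the in/out interface columns, so the listing above cannot show whether `-i ethLRZ` is actually matching any traffic; and the rules count TCP connections, not password guesses, so a client that tries several passwords over one SSH connection is throttled far less than "5 per minute" suggests.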