#1 2015-01-17 18:36:50

mattj
Member
Registered: 2015-01-17
Posts: 2

iptables rate limiting ssh

I am attempting to set up the simple stateful firewall as found in the wiki, together with rate limiting for SSH.

My current iptables configuration, generated with iptables-save, is as follows:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [89835:260383930]
:IN_SSH - [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A IN_SSH -m recent --rcheck --seconds 10 --hitcount 3 --rttl --name sshbf --mask 255.255.255.255 --rsource -j DROP
-A IN_SSH -m recent --rcheck --seconds 1800 --hitcount 4 --rttl --name sshbf --mask 255.255.255.255 --rsource -j DROP
-A IN_SSH -m recent --set --name sshbf --mask 255.255.255.255 --rsource -j ACCEPT
COMMIT

However, this prevents me from SSHing into my machine at all. My question is: do I need to add

-A TCP -p tcp --dport 22 -j ACCEPT

at some point in my iptables file? I did add this at the end of the file, but then rate limiting was not applied.


#2 2015-01-17 18:53:46

mattj
Member
Registered: 2015-01-17
Posts: 2

Re: iptables rate limiting ssh

I have managed to get this working by amending my iptables.rules to the following:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [34648:99223119]
:IN_SSH - [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A IN_SSH -m recent --rcheck --seconds 10 --hitcount 3 --rttl --name sshbf --mask 255.255.255.255 --rsource -j DROP
-A IN_SSH -m recent --rcheck --seconds 1800 --hitcount 4 --rttl --name sshbf --mask 255.255.255.255 --rsource -j DROP
-A IN_SSH -m recent --set --name sshbf --mask 255.255.255.255 --rsource -j ACCEPT
COMMIT

Could anyone tell me why the

-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH

needs to be placed where it is shown above? All it states on the wiki is that, if you have followed it to this stage, then the placement will work.


#3 2015-01-17 23:16:37

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: iptables rate limiting ssh

mattj wrote:
-A INPUT -p tcp -j REJECT --reject-with tcp-reset

Could anyone tell me why the

-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH

needs to be placed where it is shown above? All it states on the wiki is that, if you have followed it to this stage, then the placement will work.

Yes, to have an effect, it needs to be placed before your rule to reject the remaining traffic (see your reject rule above). The part you missed for it in the wiki reads "..now ensure that:
# iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH
is in an appropriate position in the iptables.rules file."

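An added example (not from the thread or the wiki): a small Python model of first-match chain traversal and of the xt_recent list, to show why the -j IN_SSH rule must sit before the "-p tcp -j REJECT" rule and what the two --rcheck rules then allow per source (3 new connections per 10 s, 4 per 1800 s). The source address, timestamps and the simplified match functions are constructed for the illustration; --rttl and the TCP-flag checks are not modelled.

```python
from collections import defaultdict

class Recent:
    """Minimal model of the xt_recent list 'sshbf': hit timestamps per source."""
    def __init__(self):
        self.hits = defaultdict(list)
    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount N: at least N hits within the last S seconds
        return sum(1 for t in self.hits[src] if now - t <= seconds) >= hitcount
    def set(self, src, now):
        self.hits[src].append(now)          # --set: record this packet

def walk(rules, pkt, recent, now):
    """First-match chain traversal. A target is a verdict string, a nested user
    chain (list), or a stateful rule function returning a verdict or None."""
    for match, target in rules:
        if not match(pkt):
            continue
        if isinstance(target, list):
            verdict = walk(target, pkt, recent, now)
        elif callable(target):
            verdict = target(pkt, recent, now)
        else:
            return target
        if verdict is not None:
            return verdict                 # otherwise fell through: keep walking
    return None                            # chain policy applies (INPUT is DROP)

def drop_if_hits(seconds, hitcount):       # -m recent --rcheck ... -j DROP
    return lambda p, r, t: "DROP" if r.rcheck(p["src"], t, seconds, hitcount) else None

def set_and_accept(p, r, t):               # -m recent --set ... -j ACCEPT
    r.set(p["src"], t)
    return "ACCEPT"

def build_input(ssh_before_reject):
    always = lambda p: True
    in_ssh = [(always, drop_if_hits(10, 3)), (always, drop_if_hits(1800, 4)),
              (always, set_and_accept)]    # IN_SSH chain as posted in the thread
    ssh_jump = (lambda p: p["proto"] == "tcp" and p["dport"] == 22 and p["new"], in_ssh)
    tcp_jump = (lambda p: p["proto"] == "tcp" and p["new"], [])   # empty TCP chain
    reject = (lambda p: p["proto"] == "tcp", "REJECT")            # --reject-with tcp-reset
    # First post's order puts the IN_SSH jump after the REJECT; the fix moves it before.
    return [ssh_jump, tcp_jump, reject] if ssh_before_reject else [tcp_jump, reject, ssh_jump]

def verdicts(ssh_before_reject, times, src="198.51.100.7"):
    """Verdict for each new SSH SYN from src at the given timestamps (seconds)."""
    recent, rules = Recent(), build_input(ssh_before_reject)
    pkt = {"proto": "tcp", "dport": 22, "new": True, "src": src}   # constructed packet
    return [walk(rules, pkt, recent, t) for t in times]
```

With six attempts at 0, 1, 2, 3, 20 and 40 seconds, the first post's order rejects every one (the SYN hits the tcp-reset rule before the jump), while the fixed order gives ACCEPT, ACCEPT, ACCEPT, DROP (third hit within 10 s), ACCEPT, DROP (fourth hit within 1800 s).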
