My iptables rules are not enforced. I recently reinstalled, and I'm re-using the same /etc/iptables/iptables.rules. They used to work (I tested them), but they don't seem to work anymore.
Here are the contents of my /etc/iptables/iptables.rules:
# Generated by iptables-save v1.4.2 on Fri Oct 24 01:00:22 2008
*filter
:INPUT ACCEPT [576:46438]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [354:62221]
:SSH - [0:0]
:SSH_ABL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j SSH
-A SSH -m recent --update --seconds 3600 --name SSH_ABL --rsource -j REJECT --reject-with icmp-port-unreachable
-A SSH -m recent --rcheck --seconds 60 --hitcount 5 --name SSH --rsource -j SSH_ABL
-A SSH -m recent --rcheck --seconds 2 --name SSH --rsource -j LOG --log-prefix "RATE: "
-A SSH -m recent --update --seconds 2 --name SSH --rsource -j REJECT --reject-with icmp-port-unreachable
-A SSH -m recent --remove --name SSH_ABL --rsource -j LOG --log-prefix "ABL: -SSH: "
-A SSH -m recent --set --name SSH --rsource -j ACCEPT
-A SSH_ABL -m recent --set --name SSH_ABL --rsource -j LOG --log-prefix "ABL: +SSH: "
-A SSH_ABL -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Oct 24 01:00:22 2008
All it's supposed to do is limit SSH login attempts to 5 per hour (my router handles all the other ports). Like I said, it worked great before.
P.S. I found these rules here: http://www.itwire.com/content/view/13841/53/1/1/
Last edited by Convergence (2008-10-26 15:16:29)
It's a very deadly weapon to know what you're doing
--- William Murderface
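Added example (mine, not Convergence's rules or the itwire article): a Python model of the SSH and SSH_ABL chains above, following xt_recent's semantics, where --set always stamps the address, --rcheck only tests the window, --update tests and stamps on a match, and --remove matches only if an entry existed. The source address and timings are constructed; the run shows that a retry inside the 2-second window is rejected yet still counts toward the five-in-60-seconds threshold, and that a stale ban entry is cleared by the first connection after the hour.

```python
"""Model of the posted SSH / SSH_ABL chains using the xt_recent match semantics."""
from collections import defaultdict

PKT_LIST_TOT = 20  # xt_recent keeps at most this many timestamps per address (default)
class RecentTable:
    def __init__(self):
        self.stamps = defaultdict(list)   # one `-m recent --name` list: src -> timestamps
    def _hits(self, src, now, seconds, hitcount):
        # --rcheck/--update match when at least `hitcount` stamps fall inside the
        # window; hitcount 0 (the default) means any stamp inside the window.
        hits = sum(1 for t in self.stamps.get(src, []) if now - t <= seconds)
        return hits >= max(hitcount, 1)
    def set(self, src, now):                           # --set: add/refresh, always matches
        self.stamps[src] = (self.stamps[src] + [now])[-PKT_LIST_TOT:]
        return True
    def rcheck(self, src, now, seconds, hitcount=0):   # --rcheck: test only, no stamp
        return self._hits(src, now, seconds, hitcount)
    def update(self, src, now, seconds, hitcount=0):   # --update: test, stamp on a match
        matched = self._hits(src, now, seconds, hitcount)
        if matched:
            self.set(src, now)
        return matched
    def remove(self, src):                             # --remove: matches only if entry existed
        return self.stamps.pop(src, None) is not None

def ssh_chain(tables, src, now, log):
    """Walk the posted SSH chain for one NEW connection; return its verdict."""
    ssh, abl = tables["SSH"], tables["SSH_ABL"]
    if abl.update(src, now, 3600):              # still banned; every retry refreshes the ban
        return "REJECT"
    if ssh.rcheck(src, now, 60, hitcount=5):    # 5 stamps within 60 s -> SSH_ABL chain
        log.append("ABL: +SSH: ")
        abl.set(src, now)
        return "REJECT"
    if ssh.rcheck(src, now, 2):
        log.append("RATE: ")
    if ssh.update(src, now, 2):                 # <2 s since last stamp: rejected, yet stamped
        return "REJECT"
    if abl.remove(src):                         # ban older than an hour: entry cleared
        log.append("ABL: -SSH: ")
    ssh.set(src, now)
    return "ACCEPT"

def run(attempts):
    """attempts: (seconds, source) pairs -> verdict per attempt plus the LOG prefixes emitted."""
    tables, log = {"SSH": RecentTable(), "SSH_ABL": RecentTable()}, []
    return [ssh_chain(tables, src, t, log) for t, src in attempts], log

# Constructed sample: one host (documentation range) hammering port 22.
ATTEMPTS = [(t, "192.0.2.10") for t in (0, 1, 10, 20, 30, 40, 100, 3701)]
```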
# iptables -L
Have you put iptables in rc.conf?
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
SSH tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain SSH (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere recent: UPDATE seconds: 3600 name: SSH_ABL side: source reject-with icmp-port-unreachable
SSH_ABL all -- anywhere anywhere recent: CHECK seconds: 60 hit_count: 5 name: SSH side: source
LOG all -- anywhere anywhere recent: CHECK seconds: 2 name: SSH side: source LOG level warning prefix `RATE: '
REJECT all -- anywhere anywhere recent: UPDATE seconds: 2 name: SSH side: source reject-with icmp-port-unreachable
LOG all -- anywhere anywhere recent: REMOVE name: SSH_ABL side: source LOG level warning prefix `ABL: -SSH: '
ACCEPT all -- anywhere anywhere recent: SET name: SSH side: source
Chain SSH_ABL (1 references)
target prot opt source destination
LOG all -- anywhere anywhere recent: SET name: SSH_ABL side: source LOG level warning prefix `ABL: +SSH: '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DAEMONS=(syslog-ng iptables network netfs crond alsa kdm sshd ddclient)
Umm, looking at my logs, it seems to be working. I can't explain why my tests failed, but I've been attacked a couple of times since, and they only got five attempts to log in.
You should change the default policy to drop.