[CentOS] iptables question.
Bill Campbell
centos at celestial.com
Tue Feb 22 00:25:41 UTC 2011
On Mon, Feb 21, 2011, Stephen Harris wrote:
>On Mon, Feb 21, 2011 at 03:32:40PM -0800, Bill Campbell wrote:
>
>> My problem is that occasionally an IP address doesn't appear to be
>> blocked as we continue to see the e-mail messages after the blocks are in
>> place. Most frequently these occur from courier-imap failed login
>> attempts, less frequently from sshd.
>>
>> To start, iptables is initialized by setting up a named rule set,
>> say on eth0:
>>
>> # these two set up the rule set.
>> iptables -N csblocks
>> iptables -A csblocks -j RETURN
>>
>> # now add it to INPUT, check csblocks on all new connections.
>> iptables -A INPUT -i eth0 -m state --state NEW -j csblocks
>
>> With all that incoming attempts still seem to get by for a few IP
>> addresses, but certainly not all.
>>
>> Can anybody point out what I'm doing wrong, or why this may happen?
>
>Connections that are already established may be blocked but traffic
>will continue to flow because you're only blocking on "NEW" traffic.
>
>eg
><connection made>
>login fail
>login fail
>login fail
><BLOCK HAPPENS - perhaps it's the 5th set of connections and it's just
> tripped the threshold>
>login fail
>login fail
>login fail
><too many failed attempts, disconnected by server daemon>
><new connection blocked>
>
>You'll see 3 login failures after the block occurred because the connection
>was still open.
That makes sense, and was one of the first things I thought of.
On the other hand "lsof -n -i" doesn't show any open connections
to the IP address, and I would think that the forwarding and null
route would prevent that.
Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186 Skype: jwccsllc (206) 855-5792
Historically, inflation is a classic game of legal plunder, more
effective than taxes since the legalized theft is concealed.
-- T. Hunt Tooley http://mises.org/story/3292
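The following script is an added example, not code from either poster, that puts the original `--state NEW`-only setup next to a variant where the `csblocks` chain is consulted for every inbound packet on eth0, and adds a block function that also clears any existing conntrack entry for the address. It assumes the chain name and interface from Bill's post and that `conntrack` from conntrack-tools is installed; by default `IPT` and `CT` are set to `echo ...` so the script only prints the commands it would run (set `IPT=iptables CT=conntrack` as root to apply them).

```shell
#!/bin/sh
# Added example, not from the thread. Default is a dry run that prints commands;
# export IPT=iptables CT=conntrack (as root) to apply them for real.
IPT="${IPT:-echo iptables}"
CT="${CT:-echo conntrack}"

# Setup as in the original post: csblocks is consulted only for packets that
# open a NEW connection. A session established before the DROP rule was
# added is never looked at again and keeps flowing until the server closes it.
setup_new_only() {
    $IPT -N csblocks
    $IPT -A csblocks -j RETURN
    $IPT -A INPUT -i eth0 -m state --state NEW -j csblocks
}

# Corrected setup: consult csblocks for every inbound packet on eth0, so a
# DROP in the chain also applies to packets of connections that already exist.
setup_all_packets() {
    $IPT -N csblocks
    $IPT -A csblocks -j RETURN
    $IPT -A INPUT -i eth0 -j csblocks
}

# Block one source address. The DROP is inserted at position 1, ahead of the
# trailing RETURN, and the conntrack table entries whose original source is
# that address are deleted so nothing is treated as ESTABLISHED any more
# (conntrack-tools assumed to be installed).
block_ip() {
    ip="$1"
    $IPT -I csblocks 1 -s "$ip" -j DROP
    $CT -D -s "$ip"
}

# Constructed sample address (documentation range) for the dry run.
setup_all_packets
block_ip 203.0.113.5
```

With the real tools in place, `iptables -C csblocks -s 203.0.113.5 -j DROP` reports whether a block rule exists, and `conntrack -L -s 203.0.113.5` shows whether any tracked connection from that address survives, which is the check to run when a blocked address still shows up in the logs.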