[CentOS] Simple IPTABLES Question
Filipe Brandenburger
filbranden at gmail.com
Wed Aug 20 02:52:47 UTC 2008
- Previous message: [CentOS] Simple IPTABLES Question
- Next message: [CentOS] Simple IPTABLES Question
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,

On Tue, Aug 19, 2008 at 21:23, MHR <mhullrich at gmail.com> wrote:
>> Another approach is to create a subchain that just logs and drops (no match
>> rules), and in your main chain you match on the desired packet and jump to
>> the subchain. That eliminates the need to maintain the same match in two
>> places, and reduces the number of rules a non-dropped packet has to pass
>> through.
>
> Could you post a sample, using the OP's example as a base?

Sure!

# create a chain to log and drop
iptables -N LOGANDDROP

# in that chain, log and then drop any packet that gets there
iptables -A LOGANDDROP -j LOG --log-prefix 'SSH attack: '
iptables -A LOGANDDROP -j DROP

# and in INPUT, send any SSH packet with more
# than 5 hits per minute to that chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 5 \
  --rttl --name SSH -j LOGANDDROP

The name LOGANDDROP could probably be improved... Maybe SSHATTACK would be
more appropriate.

HTH,
Filipe
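Added example, not part of the original post: a small Python model of how the "recent" match in the rule above decides which new SSH connections end up in the LOGANDDROP chain. It assumes the usual companion rule `-m recent --set --name SSH -j ACCEPT` sits after the `--update` rule (the post does not show it), ignores `--rttl`, and replays constructed timestamps and TEST-NET addresses.

```python
"""Replay new SSH connection attempts through the two-rule 'recent' pattern:

  1. -m recent --update --seconds 60 --hitcount 5 --name SSH -j LOGANDDROP
  2. -m recent --set --name SSH -j ACCEPT      (assumed companion rule)

Semantics follow xt_recent: --update matches only when the source is already
in the list and at least HITCOUNT stamps fall inside the window; only a
matching --update refreshes the entry.  --rttl is not modelled."""
from collections import defaultdict

SECONDS = 60      # --seconds 60
HITCOUNT = 5      # --hitcount 5
MAX_STAMPS = 20   # kernel default ip_pkt_list_tot

def recent_update(stamps, now):
    """Rule 1: count stamps no older than SECONDS; match when >= HITCOUNT."""
    hits = sum(1 for t in stamps if now - t <= SECONDS)
    if hits >= HITCOUNT:
        stamps.append(now)          # matching --update records this hit too
        del stamps[:-MAX_STAMPS]
        return True
    return False

def recent_set(stamps, now):
    """Rule 2: unconditionally record the attempt for this source."""
    stamps.append(now)
    del stamps[:-MAX_STAMPS]

def replay(attempts):
    """attempts: iterable of (timestamp_seconds, source_ip).
    Returns a list of (timestamp, source, verdict) in arrival order."""
    table = defaultdict(list)       # the 'SSH' recent list, keyed by source
    verdicts = []
    for now, src in attempts:
        if recent_update(table[src], now):
            verdicts.append((now, src, "LOGANDDROP"))
        else:
            recent_set(table[src], now)
            verdicts.append((now, src, "ACCEPT"))
    return verdicts

# Constructed input: 203.0.113.7 hammers port 22 once a second, 198.51.100.2
# connects once, then the first host comes back after the window has expired.
ATTEMPTS = [(0, "203.0.113.7"), (1, "203.0.113.7"), (2, "203.0.113.7"),
            (3, "198.51.100.2"), (3, "203.0.113.7"), (4, "203.0.113.7"),
            (5, "203.0.113.7"), (6, "203.0.113.7"), (70, "203.0.113.7")]

if __name__ == "__main__":
    for now, src, verdict in replay(ATTEMPTS):
        print(f"t={now:>3}s {src:<14} {verdict}")
```

Note that the fifth attempt is still accepted (only four stamps are in the list when it is checked); the sixth is the first to be logged and dropped, and a source that pauses for longer than 60 seconds gets in again.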