[CentOS] Simple IPTABLES Question

Wed Aug 20 02:52:47 UTC 2008
Filipe Brandenburger <filbranden at gmail.com>


On Tue, Aug 19, 2008 at 21:23, MHR <mhullrich at gmail.com> wrote:
>> Another approach is to create a subchain that just logs and drops (no match
>> rules), and in your main chain you match on the desired packet and jump to
>> the subchain. That eliminates the need to maintain the same match in two
>> places, and reduces the number of rules a non-dropped packet has to pass
>> through.
> Could you post a sample, using the OP's example as a base?


# create a chain to log and drop
iptables -N LOGANDDROP
# in that chain, log and then drop any packet that gets there
iptables -A LOGANDDROP -j LOG --log-prefix 'SSH attack: '
iptables -A LOGANDDROP -j DROP
# and in INPUT, send any new SSH packet with more
# than 5 hits per minute to that chain
# (assumes the 'SSH' recent list is populated by the OP's
# earlier "-m recent --set" rule, as in his original example)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
         -m recent --update --seconds 60 --hitcount 5 \
         --rttl --name SSH -j LOGANDDROP

The name LOGANDDROP could probably be improved... Maybe SSHATTACK
would be more appropriate.
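The LOG target in that subchain writes kernel messages carrying the 'SSH attack: ' prefix, so the next thing an admin usually wants is a per-source tally of what was dropped. The script below is an added example, not from the list post; the log lines are constructed to match the LOG target's output format and use documentation addresses.

```shell
#!/bin/sh
# Constructed sample of the syslog lines the LOGANDDROP chain produces
# (as they would appear in /var/log/messages); not real traffic.
SAMPLE_LOG='Aug 20 02:55:01 host kernel: SSH attack: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Aug 20 02:55:02 host kernel: SSH attack: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
Aug 20 02:55:03 host kernel: unrelated message that must be ignored
Aug 20 02:55:04 host kernel: SSH attack: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Aug 20 02:55:05 host kernel: SSH attack: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=22 SYN'

# ssh_attack_summary: read log lines on stdin, keep only those carrying the
# LOG prefix set in the LOGANDDROP chain, count dropped packets per SRC=
# address and print "count address", highest count first.
ssh_attack_summary() {
    awk -v prefix='SSH attack: ' '
        index($0, prefix) == 0 { next }     # not one of our LOG entries
        {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") {
                    count[substr($i, 5)]++
                    break
                }
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# top_ssh_attacker: the single source with the most logged drops on stdin.
top_ssh_attacker() {
    ssh_attack_summary | head -n 1 | cut -d' ' -f2
}

# Usage on the constructed sample; on a real box pipe the log file instead:
#   ssh_attack_summary < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | ssh_attack_summary
```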