Hi,

On Tue, Aug 19, 2008 at 21:23, MHR <mhullrich at gmail.com> wrote:
>> Another approach is to create a subchain that just logs and drops (no match
>> rules), and in your main chain you match on the desired packet and jump to
>> the subchain. That eliminates the need to maintain the same match in two
>> places, and reduces the number of rules a non-dropped packet has to pass
>> through.
>
> Could you post a sample, using the OP's example as a base?

Sure!

# create a chain to log and drop
iptables -N LOGANDDROP

# in that chain, log and then drop any packet that gets there
iptables -A LOGANDDROP -j LOG --log-prefix 'SSH attack: '
iptables -A LOGANDDROP -j DROP

# and in INPUT, send any SSH packet with more
# than 5 hits per minute to that chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 5 \
    --rttl --name SSH -j LOGANDDROP

# the --update rule above only matches addresses already recorded in the
# 'SSH' list, so each new SSH connection must also be recorded with --set
# (this line is added to the posted rules for completeness)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --set --name SSH

The name LOGANDDROP could probably be improved... Maybe SSHATTACK would be
more appropriate.

HTH,
Filipe
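An added example, not part of Filipe's post or the thread: a small Python parser for the kernel LOG lines the LOGANDDROP chain emits, run over constructed sample lines, that counts dropped SSH attempts per source address. It assumes the 'SSH attack: ' prefix from the rules above and the standard netfilter LOG target field layout (KEY=VALUE pairs); the syslog headers and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of syslog output for the LOGANDDROP chain
# (field layout follows the netfilter LOG target; one unrelated line mixed in).
SAMPLE_LOG = """\
Aug 19 21:30:01 gw kernel: SSH attack: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 19 21:30:03 gw kernel: SSH attack: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 19 21:30:09 gw kernel: SSH attack: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=900 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 19 21:30:10 gw kernel: eth0: link is up
Aug 19 21:30:12 gw kernel: SSH attack: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4713 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

LOG_PREFIX = "SSH attack: "          # the --log-prefix used in the LOGANDDROP chain
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=VALUE tokens; bare flags (DF, SYN) are skipped


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the KEY=VALUE fields of one LOG-target line as a dict,
    or None when the line does not carry our log prefix."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(KV_RE.findall(line[idx + len(prefix):]))


def summarize(log_text, prefix=LOG_PREFIX):
    """Count dropped SSH connection attempts per source address, and collect
    the TTLs seen from each source. A mix of TTLs behind one SRC is worth a
    second look: that is the situation --rttl in the rule is meant to guard
    against (an entry set by one host matching packets from another)."""
    per_src = Counter()
    ttls = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is None or fields.get("PROTO") != "TCP" or fields.get("DPT") != "22":
            continue
        per_src[fields["SRC"]] += 1
        ttls[fields["SRC"]].add(int(fields["TTL"]))
    return {src: {"drops": n, "ttls": sorted(ttls[src])} for src, n in per_src.items()}


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["drops"]):
        print(f"{src:15}  drops={info['drops']}  ttls={info['ttls']}")
```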