[CentOS] iptables question.

Tue Feb 22 00:17:19 UTC 2011
Stephen Harris <lists at spuddy.org>

On Mon, Feb 21, 2011 at 03:32:40PM -0800, Bill Campbell wrote:

> My problem is that occasionally an IP address doesn't appear to be
> blocked as we continue to see the e-mail messages after the blocks are in
> place.  Most frequently these occur from courier-imap failed login
> attempts, less frequently from sshd.
> To start, iptables is initialized by setting up a named rule set,
> say on eth0:
> # these two set up the rule set.
> iptables -N csblocks
> iptables -A csblocks -j RETURN
> # now add it to input, check csblocks on all new connections.
> iptables -A INPUT -i eth0 -m state --state NEW -j csblocks

> With all that incoming attempts still seem to get by for a few IP
> addresses, but certainly not all.
> Can anybody point out what I'm doing wrong, or why this may happen?

Connections that are already established may be blocked but traffic
will continue to flow because you're only blocking on "NEW" traffic.

<connection made>
login fail
login fail
login fail
<BLOCK HAPPENS - perhaps it's the 5th set of connections and it's just
  tripped the threshold>
login fail
login fail
login fail
<too many failed attempts, disconnected by server daemon>
<new connection blocked>

You'll see 3 login failures after the block occurred because the connection
was still open.
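The timeline above can be reproduced with a small model of netfilter connection tracking. This is an added illustration, not code from the thread: the `Firewall` class, the `scenario` function and the addresses 203.0.113.7 / 192.0.2.10 are constructed for the example. The first run uses a jump that matches only `NEW`, as in the original rule set, and shows the in-flight packets of an already-tracked connection getting past a block that was added mid-session; the second run assumes the jump matches both `NEW` and `ESTABLISHED` (one way to make the block bite immediately, which the thread does not spell out) and shows the same flow being dropped from the moment the block is inserted.

```python
"""Toy model of netfilter connection tracking and the csblocks chain.

Constructed example: models conntrack state (NEW vs ESTABLISHED) and a
per-IP DROP chain so the effect of "--state NEW" on the jump can be seen.
"""
from dataclasses import dataclass, field

NEW, ESTABLISHED = "NEW", "ESTABLISHED"


@dataclass
class Firewall:
    # csblocks chain: one "-s <ip> -j DROP" rule per blocked source address
    blocked: set = field(default_factory=set)
    # conntrack table, keyed by the flow's 5-tuple
    flows: set = field(default_factory=set)
    # conntrack states for which INPUT jumps to csblocks
    # (frozenset({NEW}) is "-m state --state NEW -j csblocks")
    match_states: frozenset = frozenset({NEW})

    def block(self, ip):
        """Equivalent of 'iptables -A csblocks -s <ip> -j DROP'."""
        self.blocked.add(ip)

    def accept(self, src, sport, dst, dport):
        """Return True if a TCP packet is accepted, False if csblocks drops it."""
        key = (src, sport, dst, dport, "tcp")
        # conntrack: a packet on a known flow is ESTABLISHED, otherwise NEW
        state = ESTABLISHED if key in self.flows else NEW
        # INPUT only consults csblocks for the states named in the jump rule
        if state in self.match_states and src in self.blocked:
            return False
        # accepted packets create or refresh the conntrack entry
        self.flows.add(key)
        return True


def scenario(match_states):
    """Replay the thread's timeline; returns the accept/drop result per packet."""
    fw = Firewall(match_states=match_states)
    attacker = ("203.0.113.7", 40000, "192.0.2.10", 143)  # constructed addresses
    results = []
    for _ in range(3):                      # three failed logins on the open connection
        results.append(fw.accept(*attacker))
    fw.block("203.0.113.7")                 # threshold tripped, block installed
    for _ in range(3):                      # three more packets on the same tracked flow
        results.append(fw.accept(*attacker))
    fw.flows.clear()                        # daemon disconnects; conntrack entry goes away
    results.append(fw.accept("203.0.113.7", 40001, "192.0.2.10", 143))  # fresh connection
    return results


if __name__ == "__main__":
    print("jump on NEW only:        ", scenario(frozenset({NEW})))
    print("jump on NEW,ESTABLISHED: ", scenario(frozenset({NEW, ESTABLISHED})))
```

With the `NEW`-only jump the six packets on the existing connection are all accepted and only the seventh (the fresh connection) is dropped; with the jump matching both states the three packets sent after the block, and the new connection, are dropped.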