Old 07-31-2008, 05:17 PM
"Michael S. Peek"
 
Trying to understand iptables

Hello gurus,

I'm playing around with the SSH throttling examples from
debian-administration.org. I'm still a bit new to iptables, and I'm
trying to understand how this works.


I have the following two commands:

    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
        -m recent --set

    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 4 -j DROP


Which tells the kernel to allow 3 new ssh connections from a single
remote host, and after that the remote host is blocked by dropping the
packets. My question is, for how long is the remote host blocked?
Another 60 seconds?


Or to put it another way, how does iptables know how long to remember a
recent connection? And can I change that?


Michael


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 08-01-2008, 07:19 PM
"Jon Dowland"
 
Re: Trying to understand iptables

From the iptables man-page, zipping down to the section documenting
the "recent" module:

    [!] --seconds seconds
        This option must be used in conjunction with one of --rcheck or
        --update. When used, this will narrow the match to only happen when
        the address is in the list and was seen within the last given number
        of seconds.

and

    [!] --set
        This will add the source address of the packet to the list. If the
        source address is already in the list, this will update the existing
        entry. This will always return success (or failure if '!' is passed
        in).

What is slightly confusing is using -I (rather than -A) for the
examples. -I used in this way inserts the rule at the *head* of the
list. So, in this example, the second line is executed first, then the
first one. I presume this was done so that packets arriving once you
have entered the first command are not dropped until you've entered
the second line.

So

    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 4 -j DROP

* if the packet is tcp and dest port 22 on iface eth0 and is a NEW connection
* if the source IP is in our recent table already
* if the entry was last seen 60 or less seconds ago, only (--seconds 60)
* if the entry has been seen at least 4 times already (--hitcount 4)
* update the recorded time of the last packet in the table to now
* drop this packet

    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
        -m recent --set

At this point, we can assume the packet was *not* in the table above
with an entry fresher than 60 seconds or 4 hits. This just adds it to
the table, but lets the packet pass through.

2008/7/31 Michael S. Peek <peek@tiem.utk.edu>:
> Or to put it another way, how does iptables know how long to remember a
> recent connection? And can I change that?

That's what the '60' is after --seconds in the second command (first to execute).



--
Jon Dowland
http://jmtd.net/


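To make the two quoted man-page entries concrete, here is a small Python model of the recent match. It is an added example for this archive page, not code from either post and not netfilter's own code. It replays a constructed list of NEW connection attempts through the two rules in the order the -I commands leave them in INPUT (the --update/DROP rule first, then --set), and optionally in the order -A would give, so the number of accepted attempts and the length of the lock-out asked about in the first post can be read off by running it. Assumptions not stated on the page: each address keeps a ring of its last 20 timestamps (the module's default ip_pkt_list_tot), time is simulated in whole seconds, an attempt that passes both rules is taken to reach an ACCEPT rule further down INPUT, and 192.0.2.10 is a made-up source address.

```python
"""Pure-Python model of the '-m recent' match behind the two SSH rules.

Added example for this thread; not code from the posts or from netfilter.
It re-implements the documented semantics of --set, --update, --seconds and
--hitcount so the chain can be replayed against constructed NEW-connection
attempts.  Assumptions (not on the page): a per-address ring of the last 20
timestamps (the module default ip_pkt_list_tot), time in whole seconds.
"""
from collections import deque

PKT_LIST_TOT = 20  # assumed: recent module default ip_pkt_list_tot


class RecentList:
    """One named list (the unnamed default, 'DEFAULT') keyed by source address."""

    def __init__(self):
        self.entries = {}  # src address -> deque of "seen" timestamps

    def set(self, src, now):
        # --set: add the address, or record one more "seen" time for it.
        stamps = self.entries.setdefault(src, deque(maxlen=PKT_LIST_TOT))
        stamps.append(now)
        return True  # --set always matches

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match only if the address is
        # listed and at least N of its timestamps fall within the last S
        # seconds; on a match, --update also records this packet's time.
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        matched = hits >= hitcount
        if matched:
            stamps.append(now)
        return matched


def filter_input(attempts, seconds=60, hitcount=4, set_first=False):
    """Replay NEW-connection attempts [(time, src), ...] through the chain.

    set_first=False is the order the two -I commands leave in INPUT: the
    --update/DROP rule at the head, the --set rule after it.  set_first=True
    is the order you would get by appending the same two commands with -A.
    Returns one verdict per attempt; an attempt that clears both rules is
    assumed to reach an ACCEPT rule further down the chain.
    """
    recent = RecentList()
    verdicts = []
    for now, src in attempts:
        if set_first:
            recent.set(src, now)  # no -j target: packet continues down the chain
        if recent.update(src, now, seconds, hitcount):
            verdicts.append("DROP")
            continue
        if not set_first:
            recent.set(src, now)
        verdicts.append("ACCEPT")
    return verdicts


def first_readmission(retry_interval, seconds=60, hitcount=4, horizon=600):
    """One host bursts hitcount+1 attempts one second apart, gets dropped,
    then retries every retry_interval seconds.  Return the time of its first
    accepted attempt after the first DROP, or None if it is still locked out
    when the simulated clock reaches `horizon` seconds."""
    src = "192.0.2.10"  # constructed source address
    times = list(range(hitcount + 1))  # burst: hitcount+1 attempts, 1 s apart
    last = hitcount
    while last + retry_interval <= horizon:
        last += retry_interval
        times.append(last)
    attempts = [(when, src) for when in times]
    verdicts = filter_input(attempts, seconds, hitcount)
    dropped = verdicts.index("DROP")
    for (when, _), verdict in zip(attempts[dropped:], verdicts[dropped:]):
        if verdict == "ACCEPT":
            return when
    return None


if __name__ == "__main__":
    burst = [(t, "192.0.2.10") for t in (0, 10, 20, 30, 40)]  # constructed
    print("-I order :", filter_input(burst))
    print("-A order :", filter_input(burst, set_first=True))
    for interval in (30, 16, 15, 5):
        print(f"retry every {interval:2d}s -> first accepted at",
              first_readmission(interval))
```

Running it shows that with the rules in -I order the fifth attempt inside 60 s is the first one dropped (the fourth if --set runs first, as it would with -A), and that there is no fixed block timer: an address is dropped whenever at least four of its recorded timestamps fall in the last 60 s, and because --update records every dropped attempt as well, retrying keeps the window full. In the model a host retrying every 30 s gets back in at t=64, one retrying every 16 s at t=68, and one retrying every 15 s or faster stays locked out for as long as it keeps trying, since four retries always fit in the window. On a real box the live table can be inspected under /proc/net/xt_recent/DEFAULT (/proc/net/ipt_recent/DEFAULT on older kernels), where each address is listed with its timestamps.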
 
