James B. Byrne byrnejb@... writes:
Would someone please explain to me the difference in effect between
the following two IPTABLES conditions and the significance thereof in
concurrent connection limiting?
--tcp-flags SYN,ACK,FIN,RST SYN -j REJECT \
--connlimit-above 3 --connlimit-mask
+1
On Tue, Jun 17, 2014 at 9:41 AM, James B. Byrne byrn...@harte-lyne.ca
wrote:
On Mon, June 16, 2014 23:34, Chuck Campbell wrote:
I appreciate you restating this. I'll try to go make sense of iptables,
given
the insight,
Keep in mind that there are three default chains, INPUT,
On Mon, June 16, 2014 23:34, Chuck Campbell wrote:
I appreciate you restating this. I'll try to go make sense of iptables, given
the insight,
Keep in mind that there are three default chains, INPUT, OUTPUT and FORWARD
that are used to initiate the packet path through IPTABLES and that they
On 06/17/2014 10:41 AM, James B. Byrne wrote:
On Mon, June 16, 2014 23:34, Chuck Campbell wrote:
I appreciate you restating this. I'll try to go make sense of iptables, given
the insight,
Keep in mind that there are three default chains, INPUT, OUTPUT and FORWARD
that are used to initiate
On 6/16/2014 11:08 PM, John R Pierce wrote:
On 6/16/2014 8:52 PM, Chuck Campbell wrote:
I ran a script after fail2ban was started. It looks like this:
#!/bin/sh
iptables -A INPUT -s 116.10.191.0/24 -j DROP
iptables -A INPUT -s 183.136.220.0/24 -j DROP
iptables -A INPUT -s 183.136.221.0/24 -j
On 6/17/2014 2:14 PM, Chuck Campbell wrote:
I'll experiment with that when I am physically in front of the
server, instead of remote from it. I would have had no quick remedy if I
messed
it up.
that's why all my servers have remote consoles :)
--
john r pierce
On 6/16/2014 15:58, Chuck Campbell wrote:
If they keep going through this ip block, they will still get 255 attempts at
the root password and 1020 attempts at other login/password combinations
before
they are blocked by fail2ban.
I'm glad you got your firewall problem sorted out, but I can't
On 6/17/2014 6:39 PM, Warren Young wrote:
On 6/16/2014 15:58, Chuck Campbell wrote:
If they keep going through this ip block, they will still get 255 attempts at
the root password and 1020 attempts at other login/password combinations
before
they are blocked by fail2ban.
I'm glad you got
On 6/17/2014 19:35, Chuck Campbell wrote:
I haven't done the load stats, but it appears
to me that a hundred of these crackers hitting my machine at these rates is
likely to deny my legit users some resources.
So increase the fail2ban time from the default (5 minutes, as I recall)
to 1 hour,
On Mon, 2014-06-16 at 16:58 -0500, Chuck Campbell wrote:
I'm running fail2ban to attempt to block malicious brute-force password
dictionary attacks against ssh.
You could:-
(1) Change the SSHD port to something obscure.
(2) Restrict access to the SSHD port, using iptables, to a group of
On Mon, 16 Jun 2014 16:58:18 -0500
Chuck Campbell wrote:
Why is this ip range still able to attempt connections? Have I done something
wrong with my address ranges, or added them in the wrong place?
Have you considered taking the opposite approach and allowing only the IP
addresses that you
On 6/16/2014 2:58 PM, Chuck Campbell wrote:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-VSFTPD tcp -- anywhere anywhere tcp dpt:ftp
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
On 06/17/2014 01:11 AM, John R Pierce wrote:
On 6/16/2014 2:58 PM, Chuck Campbell wrote:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-VSFTPD tcp -- anywhere anywhere tcp
dpt:ftp
fail2ban-SSH tcp -- anywhere
On 06/17/2014 01:46 AM, Bret Taylor wrote:
Get rid of fail2ban, it's not needed. Just write a proper firewall.
Are you serious??
There are applications that fail2ban offers them things which others
just can't..
If you can email me the ip for your servers and also the root password
and allow me
On 2014-06-16, Eliezer Croitoru elie...@ngtech.co.il wrote:
On 06/17/2014 01:46 AM, Bret Taylor wrote:
Get rid of fail2ban, it's not needed. Just write a proper firewall.
Are you serious??
There are applications that fail2ban offers them things
All of the suggestions are graciously accepted, however, I was actually asking
what I was doing wrong with iptables, and why, with the rules I put in place,
someone was still able to connect to my machine.
I understand there might be better ways, but if I don't understand what I did
wrong last
On Mon, 2014-06-16 at 21:42 -0500, Chuck Campbell wrote:
All of the suggestions are graciously accepted, however, I was actually
asking
what I was doing wrong with iptables, and why, with the rules I put in place,
someone was still able to connect to my machine.
I understand there might
On 6/16/2014 9:44 PM, Earl Ramirez wrote:
On Mon, 2014-06-16 at 21:42 -0500, Chuck Campbell wrote:
All of the suggestions are graciously accepted, however, I was actually
asking
what I was doing wrong with iptables, and why, with the rules I put in place,
someone was still able to connect to
As John R Pierce mentioned, one of your first rules in the chain is
RH-Firewall-1-INPUT all -- anywhere anywhere; this
simply means everything with DROP after it will be ignored. iptables
will work its way down the chain, therefore you have two options:
1. remove that line or
2.
On 6/16/2014 8:52 PM, Chuck Campbell wrote:
I ran a script after fail2ban was started. It looks like this:
#!/bin/sh
iptables -A INPUT -s 116.10.191.0/24 -j DROP
iptables -A INPUT -s 183.136.220.0/24 -j DROP
iptables -A INPUT -s 183.136.221.0/24 -j DROP
iptables -A INPUT -s 183.136.222.0/24
On Mon, Feb 21, 2011, Stephen Harris wrote:
On Mon, Feb 21, 2011 at 03:32:40PM -0800, Bill Campbell wrote:
My problem is that occasionally an IP address doesn't appear to be
blocked as we continue to see the e-mail messages after the blocks are in
place. Most frequently these occur from
Kai Schaetzl wrote:
Bowie Bailey wrote on Mon, 19 Oct 2009 17:18:16 -0400:
The destination address is the private IP of the server. These
seem to be related to outgoing email connections based on the source
IPs
Is 195.140.240.6 the public IP of that machine? Why do you obfuscate
conversation. The question is: why are all of these remote servers
trying to make connections back to me on high-numbered ports? Should I
be allowing these connections somehow?
The remote server probably thinks that it's still supposed to be
making connections back to you -- a couple of the
Meenoo Shivdasani wrote:
conversation. The question is: why are all of these remote servers
trying to make connections back to me on high-numbered ports? Should I
be allowing these connections somehow?
The remote server probably thinks that it's still supposed to be
making
Meenoo Shivdasani wrote:
But these aren't SMTP connections. The source is port 25, but the
destination is not. The mail server is running normally. I'm allowing
new SMTP connections and traffic for established connections.
They are SMTP connections -- your server initiates a
Bowie Bailey wrote on Mon, 19 Oct 2009 17:18:16 -0400:
The destination address is the private IP of the server. These
seem to be related to outgoing email connections based on the source
IPs
Is 195.140.240.6 the public IP of that machine? Why do you obfuscate a
private IP number? Do you
On Monday 19 October 2009 17:18, Bowie Bailey wrote:
The logs on my mail server are filling up with this kind of thing:
Oct 19 17:03:51 bnofmail kernel: REJECT: IN=eth0 OUT=
MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=195.140.240.6
DST=XX.XX.XX.XX LEN=189 TOS=0x00 PREC=0x00 TTL=52
in
case.
-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Dan Carl
Sent: Friday, February 20, 2009 10:24 AM
To: CentOS mailing list
Subject: Re: [CentOS] iptables question
Try this tutorial, it's long but thorough.
http://iptables
ward.p.fonte...@wellsfargo.com wrote:
I've added the following and it still isn't working
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 8443 -j DNAT
--to-destination 192.168.0.2:8443
iptables -A FORWARD -d 192.168.0.1 -p tcp -m tcp --dport 8443 -j ACCEPT
I've enabled forwarding -
Filipe Brandenburger wrote:
Hi Ward,
On Thu, Feb 19, 2009 at 20:27, ward.p.fonte...@wellsfargo.com wrote:
I add that and telnet to the port on BOX A and get
Trying 192.168.0.1...
telnet: connect to address 192.168.0.1: Connection refused
I can telnet to that port on BOX B and get a
ward.p.fonte...@wellsfargo.com wrote:
Hi,
I have two servers in the same subnet, one has this arrangement:
BOX A [3 ips, one real two vips]
BOX B [1 ip]
I need to redirect input from one of the vips (192.168.0.1:8080) on BOX
A to BOX B (192.168.0.2:8080) and I'm about to pull my hair
On Thu, 2009-02-19 at 18:46 -0600, ward.p.fonte...@wellsfargo.com wrote:
Hi,
I have two servers in the same subnet, one has this arrangement:
BOX A [3 ips, one real two vips]
BOX B [1 ip]
I need to redirect input from one of the vips (192.168.0.1:8080) on BOX
A to BOX B
On Thu, 19 Feb 2009 ward.p.fonte...@wellsfargo.com wrote:
Hi,
I have two servers in the same subnet, one has this arrangement:
BOX A [3 ips, one real two vips]
BOX B [1 ip]
I need to redirect input from one of the vips (192.168.0.1:8080) on BOX
A to BOX B (192.168.0.2:8080) and I'm
] On
Behalf Of Barry Brimer
Sent: Thursday, February 19, 2009 5:38 PM
To: CentOS mailing list
Subject: Re: [CentOS] iptables question
On Thu, 19 Feb 2009 ward.p.fonte...@wellsfargo.com wrote:
Hi,
I have two servers in the same subnet, one has this arrangement:
BOX A [3 ips, one real two vips
On Thu, Feb 19, 2009 at 7:46 PM, ward.p.fonte...@wellsfargo.com wrote:
I need to redirect input from one of the vips (192.168.0.1:8080) on BOX
A to BOX B (192.168.0.2:8080) and I'm about to pull my hair out.
While i haven't done this before, i believe the answer you're looking for
lies in
mailing list
Subject: Re: [CentOS] iptables question
On Thu, 19 Feb 2009 ward.p.fonte...@wellsfargo.com wrote:
Hi,
I have two servers in the same subnet, one has this arrangement:
BOX A [3 ips, one real two vips]
BOX B [1 ip]
I need to redirect input from one of the vips (192.168.0.1:8080
Brimer
Sent: Thursday, February 19, 2009 6:22 PM
To: CentOS mailing list
Subject: Re: [CentOS] iptables question
On Thu, 19 Feb 2009 ward.p.fonte...@wellsfargo.com wrote:
I add that and telnet to the port on BOX A and get
Trying 192.168.0.1...
telnet: connect to address 192.168.0.1
-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Barry Brimer
Sent: Thursday, February 19, 2009 5:38 PM
To: CentOS mailing list
Subject: Re: [CentOS] iptables question
On Thu, 19 Feb 2009 ward.p.fonte...@wellsfargo.com
Makes sense to me.
Is the host that you are wanting to bypass your proxy on the same segment as
the $LAN interface defined in your rulesets?
On Wed, Dec 10, 2008 at 1:22 PM, Joseph L. Casale [EMAIL PROTECTED]
wrote:
I have a squid proxy running transparently, so in my firewall script
I run
Makes sense to me.
Yea, I just don't know, technically speaking, where the -m mac should appear: in
the POSTROUTING line, or the first FORWARD line. Ultimately I only want
masq'ing to be done for this one device on port 443.
Is the host that you are wanting to bypass your proxy on the same
On 28 Aug 2008, at 15:22, Joseph L. Casale wrote:
I tried writing out a FWBuilder script but man that thing was
something messy to look at, geesh...
Since you mentioned a FWBuilder script you might want to look at
FireHOL as well (http://firehol.sourceforge.net/). I've been using it
for
On Wednesday 27 August 2008 19:27, Joseph L. Casale wrote:
http://iptables.rlworkman.net/chunkyhtml/index.html
Nice doc, any ideas on how to print it (or many chapters easily) so I can
haul with me on my plane ride this weekend?
Nope, but I'm open to suggestions. :)
--
Regards
Robert
Nope, but I'm open to suggestions. :)
Scott provided a PDF a link to a non chunky html version that worked!
I have it printed on my desk right now! That will make for some good dry reading
on my plane ride Saturday. IPTables is something for me that has a few too many
core
holes and I need to
Joseph L. Casale wrote:
When do you know you need the -m multiport option? I see examples with -dport
xx:xxx for example that sometimes use it and sometimes don't?
I have read the man page and see what -m multiport requires, but don't see
the requirement involving its use.
Thanks!
jlc
I'll
My understanding is that --dport can only specify a single port (--dport
80) or port range (--dport 137:139) inclusive. Use of the multiport
module allows up to 15 ports (or port ranges) to be specified.
Ned,
So to write --dport 5060,1:6 you need to write:
-m multiport -p udp -dport
Joseph L. Casale wrote:
My understanding is that --dport can only specify a single port (--dport
80) or port range (--dport 137:139) inclusive. Use of the multiport
module allows up to 15 ports (or port ranges) to be specified.
Ned,
So to write --dport 5060,1:6 you need to write:
-m
On Thu, 2007-09-20 at 14:55 -0400, Ray Leventhal wrote:
Hi all,
With SELinux in permissive mode and iptables running, I'm unable to
retrieve directory listings with ftp.
stop iptables, and all appears again. This seems to be unrelated to
passive/port modes for ftp client.
Depending how
Fabian Arrotin wrote:
On Thu, 2007-09-20 at 14:55 -0400, Ray Leventhal wrote:
Hi all,
With SELinux in permissive mode and iptables running, I'm unable to
retrieve directory listings with ftp.
stop iptables, and all appears again. This seems to be unrelated to
passive/port modes for
Dear Salam,
Try to add the following entries in the table.
/sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
Then use iptables -L command to
Something along these lines should do the job for ya.
iptables -A INPUT -s 0.0.0.0/0 -d x.x.x.x/32 -m hashlimit --hashlimit
200 --hashlimit-mode dstip -j LOG
iptables -A INPUT -s 0.0.0.0/0 -d x.x.x.x/32 -j DROP
Dig around on this site for more details.
I believe that iptables is different than freebsd's ipfw.
I don't think the rules would be expressed the same way.
Am I wrong?
-chaz
Charles L. Sliger, Information Systems Engineer
[EMAIL PROTECTED] {Yahoo: chaz_sliger} {Google: chaz.sliger}
-Original Message-
From: [EMAIL