Package: iptables
Version: 1.4.21-2+b1
Severity: important

On a server I have a script like this running at startup:

    #!/bin/sh
    iptables -F
    iptables -X
    iptables -N SSH
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j SSH
    iptables -A SSH -m recent --set --name sshlist
    iptables -A SSH -m recent --update --seconds 30 --hitcount 30 --name sshlist -j DROP

I test that the above works by doing this from an external machine:

    for a in `seq 1 40`; do ssh mymachine echo $a; done

and I see the numbers 1 to 14, and then it stops. So, it *seems* to work, but it does not:

* To be able to use a hitcount greater than 20, I created a file /etc/modprobe.d/xt-recent.conf containing this:

      options xt_recent ip_list_tot=1000 ip_pkt_list_tot=200

  I can check that this worked because of this:

      # cat /sys/module/xt_recent/parameters/ip_list_tot
      1000
      # cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
      200

  However, when I use --hitcount 30 and test from an external machine, I see the numbers 1 to 19. Is there a simple explanation for that?

* Even worse: if I remove all the rules by doing this:

      iptables -F
      iptables -X

  the for loop above still shows the numbers 1 to 19 and stops. This is even weirder than before. Is there a simple explanation for that?

I'm not sure if this is a bug in iptables or in linux, please reassign as appropriate.

Thanks.
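To make the expected behaviour of that SSH chain concrete, here is an added model of the `recent` match. It is not code from the report and not the kernel's xt_recent implementation; it follows the documented semantics of `--set`, `--update --seconds --hitcount` and the per-address ring buffer of `ip_pkt_list_tot` remembered packets, and it assumes the same `--set` then `--update ... -j DROP` ordering as the chain above. The client address, connection timings and counts are constructed for the simulation.

```python
"""Simplified model of `-m recent` as used in the SSH chain from the report.

Assumption: documented semantics only (--set records a packet, --update
--seconds S --hitcount N matches when the address has at least N recorded
packets within the last S seconds and then refreshes its stamp); the kernel
module is not consulted.  Timestamps are plain floats in seconds.
"""
from collections import defaultdict, deque


class RecentTable:
    """One named list (the report's 'sshlist'); remembers the newest
    ip_pkt_list_tot timestamps per source address, like the module parameter."""

    def __init__(self, ip_pkt_list_tot=20):
        self._stamps = defaultdict(lambda: deque(maxlen=ip_pkt_list_tot))

    def set(self, addr, now):
        """`--set`: record this packet's timestamp for addr."""
        self._stamps[addr].append(now)

    def update(self, addr, now, seconds, hitcount):
        """`--update --seconds S --hitcount N`: count the packets remembered
        for addr within the last S seconds (before this packet is counted);
        match when that is >= N, and on a match refresh the last-seen stamp."""
        stamps = self._stamps.get(addr)
        if not stamps:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        matched = hits >= hitcount
        if matched:
            stamps.append(now)
        return matched


def ssh_chain(table, addr, now, seconds=30, hitcount=30):
    """The SSH user chain: `--set`, then `--update ... -j DROP`.
    Returns the verdict for one NEW SSH connection from addr."""
    table.set(addr, now)
    if table.update(addr, now, seconds, hitcount):
        return "DROP"
    return "ACCEPT"  # no more rules in SSH, packet returns to INPUT and is accepted


def simulate(n, interval, seconds=30, hitcount=30, ip_pkt_list_tot=200,
             addr="192.0.2.10"):
    """Constructed test like the `for a in $(seq 1 40)` loop: n connections from
    one client, `interval` seconds apart.  Returns the 1-based numbers of the
    connections that were accepted (the echoed numbers the report counts)."""
    table = RecentTable(ip_pkt_list_tot)
    accepted = []
    for i in range(n):
        if ssh_chain(table, addr, i * interval, seconds, hitcount) == "ACCEPT":
            accepted.append(i + 1)
    return accepted


if __name__ == "__main__":
    print("hitcount 30, list 200:", simulate(40, 0.5))
    print("same, 2 s apart:     ", simulate(40, 2))
    print("hitcount 30, list 20: ", simulate(40, 0.5, ip_pkt_list_tot=20))
```

Under this model the chain as written lets 29 rapid connections through and drops the 30th, connections spaced 2 s apart never accumulate 30 hits inside the 30 s window, and with the module default of 20 remembered packets per address a hitcount of 30 can never be reached. The counts in the report (14, then 19) can be compared against these to see where the observed behaviour departs from the documented semantics.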

