Package: iptables
Version: 1.4.21-2+b1
Severity: important

On a server I have a script like this running at startup:

#!/bin/sh
iptables -F
iptables -X
iptables -N SSH

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j SSH
iptables -A SSH -m recent --set --name sshlist
iptables -A SSH -m recent --update --seconds 30 --hitcount 30 --name sshlist -j DROP

I test that the above works by doing this from an external machine:

for a in `seq 1 40`; do ssh mymachine echo $a; done

and I see the numbers 1 to 14, and then it stops.

So, it *seems* to work, but it does not:


* To be able to use a hitcount greater than 20, I created a file

/etc/modprobe.d/xt-recent.conf

containing this:

options xt_recent ip_list_tot=1000 ip_pkt_list_tot=200

I can check that this worked because of this:

# cat /sys/module/xt_recent/parameters/ip_list_tot
1000
# cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
200

However, when I use --hitcount 30 and test from an external machine,
I see the numbers 1 to 19. Is there a simple explanation for that?

* Even worse: If I remove all the rules by doing this:

iptables -F
iptables -X

the for loop above still shows the numbers 1 to 19 and stops.

This is even weirder than before. Is there a simple explanation for that?

I'm not sure whether this is a bug in iptables or in Linux; please reassign as
appropriate.

Thanks.
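Added example (not part of the bug report): a small POSIX shell script that reads the table the recent match keeps in /proc/net/xt_recent/<name> and reports how many timestamps each source has accumulated, which is the number an "--update --hitcount N" rule compares against. The table contents below are a constructed sample in the kernel's seq_file layout; on a real host the script reads /proc/net/xt_recent/sshlist as root.

```sh
#!/bin/sh
# Inspect an xt_recent table and count stored timestamps per source, to check
# whether the "sshlist" table is really what stops the ssh loop.
# Usage: recent_hits [file]   (defaults to /proc/net/xt_recent/sshlist)

# Constructed sample (not a real capture) in the kernel's format, one entry per line:
#   src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <idx> <stamp>, <stamp>, ...
SAMPLE='src=192.0.2.10 ttl: 64 last_seen: 4295094572 oldest_pkt: 0 4295094552, 4295094562, 4295094572
src=192.0.2.20 ttl: 63 last_seen: 4295095000 oldest_pkt: 2 4295094900, 4295094950, 4295095000, 4295095010, 4295095020'

# Print "<src> <count>" per entry; count = number of stamps after "oldest_pkt: <idx>".
recent_hits() {
    file=${1:-/proc/net/xt_recent/sshlist}
    awk '
    /^src=/ {
        src = substr($1, 5)
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i == "oldest_pkt:") { n = NF - i - 1; break }
        print src, n
    }' "$file"
}

# Print the sources whose stored stamp count is already at or above the
# hitcount a rule would test, i.e. those a "--update --hitcount N" rule drops.
recent_over() {
    recent_hits "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# Demonstrate on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE" > "$tmp"
recent_hits "$tmp"        # 192.0.2.10 3 and 192.0.2.20 5
recent_over "$tmp" 5      # 192.0.2.20
rm -f "$tmp"
```

Writing "clear" to the proc file empties the table, which is a quicker reset than reloading the module when retesting a rule set.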

