On 07/25/2013 08:24 AM, Tiemen Ruiten wrote:
> On 07/25/2013 04:44 PM, Tom Eastep wrote:
>> On 07/25/2013 07:02 AM, Tiemen Ruiten wrote:
>> I agree. Arch is currently at iptables 1.4.19.1, which doesn't have
>> support for the --reap option. So what is the proper way to fix
>> this/get this fixed?
Report a simple test case against iptables 1.4.19.1. '--reap' is valid
where '--seconds' is specified. For what it is worth, the 1.4.15 version
of libxt_recent.c is identical to the 1.4.19.1 version, so it is hard to
understand why the latter fails.
As to the dump output, here are the event contents:
SSH
src=91.213.195.220 : 3145.677, 3141.175, 3102.787, 3085.985,
3081.069, 3078.482, 885.206, 10.630, 7.493, 3.977
src=212.67.x.y : 305.844, 305.808, 303.253
According to the information at the top of the dump, the firewall was
reloaded 1556 seconds before the dump was started. Therefore, the first
6 connection events will not be reflected in the iptables rules counts.
They are still there because of your issue with '--reap'.
According to this chain, you need 5 hits in 120 seconds to trigger
blacklisting:
Chain %IfEvent (1 references)
 pkts bytes target         prot opt in  out source     destination
    0     0 SSH_BLACKLIST  all  --  *   *   0.0.0.0/0  0.0.0.0/0   recent: CHECK seconds: 120 hit_count: 5 name: SSH side: source mask: 255.255.255.255
Neither of the sets of connection events shown above will meet those
criteria (given that the first 6 packets aren't relevant).
According to this chain, you need two connection attempts within 3
seconds to trigger a reject:
Chain %IfEvent1 (1 references)
 pkts bytes target  prot opt in  out source     destination
    1    60 ~log0   all  --  *   *   0.0.0.0/0  0.0.0.0/0   [goto] recent: UPDATE seconds: 3 hit_count: 1 name: SSH side: source mask: 255.255.255.255
That rule was triggered:
Jul 25 17:01:41 SSH_LIMIT:Added:IN=eth0 OUT= SRC=212.67.x.y
DST=149.210.n.m LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=27027 DF PROTO=TCP
SPT=14225 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
So that attempt was rejected.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
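Added example, not part of the thread: a small Python model of the counting Tom does by hand above. It takes the event ages from the dump (seconds before the dump was taken) and the "seconds"/"hit_count" parameters of the two recent rules, reports which entries the rule counters could have seen since the reload 1556 seconds earlier, and shows what '--reap' would have pruned. It models only the window/hit_count arithmetic of xt_recent CHECK/UPDATE; the 212.67.x.y source keeps the redacted form the message uses.

```python
# Event ages (seconds before the dump) copied from the xt_recent dump above.
DUMP = {
    "91.213.195.220": [3145.677, 3141.175, 3102.787, 3085.985, 3081.069,
                       3078.482, 885.206, 10.630, 7.493, 3.977],
    "212.67.x.y": [305.844, 305.808, 303.253],   # redacted as in the message
}
RELOAD_AGE = 1556.0  # seconds between the firewall reload and the dump


def hits_in_window(ages, seconds):
    """Count stamps that fall inside the last `seconds` (the --seconds window)."""
    return sum(1 for a in ages if a <= seconds)


def recent_matches(ages, seconds, hit_count):
    """CHECK/UPDATE match: true when at least hit_count stamps lie in the window."""
    return hits_in_window(ages, seconds) >= hit_count


def counted_since_reload(ages, reload_age=RELOAD_AGE):
    """Only events newer than the reload are reflected in the rule counters."""
    return [a for a in ages if a < reload_age]


def reap(ages, seconds):
    """With --reap, stamps older than the window are purged from the entry."""
    return [a for a in ages if a <= seconds]


def evaluate(dump=DUMP):
    """Apply both rules from the message to every source in the dump."""
    result = {}
    for src, ages in dump.items():
        result[src] = {
            "blacklist": recent_matches(ages, 120, 5),   # %IfEvent
            "reject": recent_matches(ages, 3, 1),        # %IfEvent1
            "since_reload": len(counted_since_reload(ages)),
            "after_reap_120": len(reap(ages, 120)),
        }
    return result


if __name__ == "__main__":
    for src, verdict in evaluate().items():
        print(src, verdict)
```

At dump time neither source reaches 5 hits in 120 seconds, and the stale stamps that a working '--reap' would have dropped are the ones older than the window.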
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
