On 2013-10-27 12:29:33 (-0700), Gordon Morehouse wrote:
> I've implemented these and I'd really love for anyone who's great at
> iptables to sanity-check my rules[1] because I am an iptables relative
> noob.

>  5: # TODO: don't know if fail2ban will override this if a host with established
>  6: # connections gets temp banned. We don't want it to. Need to find out.

It depends on the spot fail2ban inserts the new firewall rules. If it's before
the '--state ESTABLISHED' rule, then the ban will be enforced. Otherwise, the
kernel will let the packets through when they reach that rule.

> 12: iptables -A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
> [...]
> 17: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j LOG
> 18: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j REJECT

You don't need '-m state --state NEW' in lines 17 and 18 because all packets in
that chain are already known to be new.

I recommend always using --log-prefix for easy future grepping.


-- 
 David Serrano
 GnuPG id: 280A01F9


_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
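The two points in the reply above (a ban chain only bites on established flows if its jump in INPUT precedes the ESTABLISHED accept, and '-m state --state NEW' inside SYN_THROTTLE is redundant) can be checked mechanically against iptables-save output. The script below is an added example, not code from the thread or from fail2ban: the chain name fail2ban-ssh is a placeholder, and all three rulesets are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Checks iptables-save style text for:
#  1. a ban chain's jump in INPUT appearing before the '--state ESTABLISHED' accept,
#  2. a chain reached only via '--state NEW' rules repeating '--state NEW' inside.
# Chain name fail2ban-ssh is a placeholder; all rulesets below are constructed.

# Constructed ruleset A: ban jump before ESTABLISHED, SYN_THROTTLE without the
# redundant state match, and a LOG rule carrying --log-prefix.
RULES_BAN_FIRST='*filter
:INPUT DROP [0:0]
:fail2ban-ssh - [0:0]
:SYN_THROTTLE - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
-A SYN_THROTTLE -j LOG --log-prefix "SYN_THROTTLE: "
-A SYN_THROTTLE -j REJECT
COMMIT'

# Constructed ruleset B: identical, but the ban jump sits after ESTABLISHED, so
# a banned host with an open connection keeps matching the accept rule first.
RULES_BAN_LATE='*filter
:INPUT DROP [0:0]
:fail2ban-ssh - [0:0]
:SYN_THROTTLE - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
-A SYN_THROTTLE -j LOG --log-prefix "SYN_THROTTLE: "
-A SYN_THROTTLE -j REJECT
COMMIT'

# Constructed ruleset C: the shape of the original lines 12, 17 and 18, with the
# state match repeated inside the chain.
RULES_REDUNDANT='-A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
-A SYN_THROTTLE -m state --state NEW -j LOG
-A SYN_THROTTLE -m state --state NEW -j REJECT'

# ban_before_established CHAIN RULESET
# Exit 0 if the first "-A INPUT ... -j CHAIN" line precedes the first INPUT rule
# accepting on ESTABLISHED state; exit 1 otherwise (also when either is absent).
ban_before_established() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        /^-A INPUT / && $0 ~ ("-j " chain "( |$)") && !ban { ban = NR }
        /^-A INPUT / && /--state [A-Z,]*ESTABLISHED/ && /-j ACCEPT/ && !est { est = NR }
        END { if (ban && est && ban < est) exit 0; exit 1 }
    '
}

# redundant_state_in_chain CHAIN RULESET
# Exit 0 if every jump into CHAIN already matches '--state NEW' and at least one
# rule inside CHAIN repeats '--state NEW'; exit 1 otherwise.
redundant_state_in_chain() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $0 ~ ("-j " chain "( |$)") { jumps++; if ($0 ~ /--state NEW/) newjumps++ }
        index($0, "-A " chain " ") == 1 && /--state NEW/ { inner++ }
        END { if (jumps && jumps == newjumps && inner) exit 0; exit 1 }
    '
}

# Stand-alone run: report each constructed ruleset.
for label in A B; do
    if [ "$label" = A ]; then rules=$RULES_BAN_FIRST; else rules=$RULES_BAN_LATE; fi
    if ban_before_established fail2ban-ssh "$rules"; then
        echo "ruleset $label: ban jump precedes ESTABLISHED accept, bans enforced"
    else
        echo "ruleset $label: ESTABLISHED accept comes first, banned hosts keep open flows"
    fi
done
if redundant_state_in_chain SYN_THROTTLE "$RULES_REDUNDANT"; then
    echo "ruleset C: '--state NEW' inside SYN_THROTTLE is redundant"
fi
```

On a live host the same functions can be fed `iptables-save` output in place of the constructed strings; the ordering check is the one to re-run after fail2ban has inserted its chain, since that is the moment the answer to the TODO on lines 5 and 6 is decided.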
