David Serrano:
> On 2013-10-27 12:29:33 (-0700), Gordon Morehouse wrote:
>>
>> I've implemented these and I'd really love for anyone who's great at
>> iptables to sanity-check my rules[1] because I am an iptables relative
>> noob.
>>
>> 5: # TODO: don't know if fail2ban will override this if a host with established
>> 6: # connections gets temp banned. We don't want it to. Need to find out.
>>
> It depends on the spot fail2ban inserts the new firewall rules. If it's before
> the '--state ESTABLISHED' rule, then the ban will be enforced. Otherwise, the
> kernel will let the packets through when they reach that rule.
Here's my 'iptables -L' output, on pastebin because it's a mess when
formatted for email: http://pastebin.com/f1VZNeTF

That's not a fresh boot, though. I did 'iptables -F', then 'service fail2ban
reload', and then ran the iptables commands by hand, in order.

>> 12: iptables -A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
>> [...]
>> 17: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j LOG
>> 18: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j REJECT
>>
> You don't need '-m state --state NEW' in lines 17 and 18 because all packets
> in that chain are already known to be new.

Ah, right - thanks! That might save a few cycles, assuming iptables wouldn't
optimize it out. Important for the Raspberry Pi!

> I recommend to always use --log-prefix for easy future grepping.

Another good idea, thanks again. I've committed these changes to the repo.

Best,
-Gordon M.

_______________________________________________
tor-relays mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
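The ordering question from the TODO above (does a fail2ban ban cut off a host that already has ESTABLISHED connections?) comes down to where fail2ban's jump lands in INPUT relative to the '--state ESTABLISHED' accept rule. Below is an added example, not code from the thread: a POSIX sh checker that reads an iptables-save style INPUT chain dump and reports which rule comes first. The two sample dumps and the chain name 'fail2ban-ssh' are constructed assumptions; run it against the real output of 'iptables-save' to check a live host.

```shell
#!/bin/sh
# Added example: decide whether a fail2ban ban is enforced on a host that
# already has ESTABLISHED flows, by comparing rule positions in INPUT.

# Constructed sample: fail2ban's jump was inserted at the top of INPUT
# (as 'iptables -I INPUT ... -j fail2ban-ssh' would do), so it precedes the
# ESTABLISHED rule. Chain name 'fail2ban-ssh' is assumed.
SAMPLE_EARLY='-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
-A INPUT -j DROP'

# Constructed sample: same rules, but the fail2ban jump was appended after
# the ESTABLISHED rule, so existing connections keep flowing after a ban.
SAMPLE_LATE='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
-A INPUT -j DROP'

# Print the 1-based position of the first rule matching an ERE pattern,
# or 0 when no rule matches.  $1 = chain dump, $2 = pattern.
rule_index() {
    printf '%s\n' "$1" | grep -n -E -- "$2" | head -n 1 | cut -d: -f1 | grep . || echo 0
}

# Exit 0 when the fail2ban jump precedes the ESTABLISHED accept rule (the ban
# hits existing connections too); exit 1 when ESTABLISHED comes first (the
# kernel accepts the banned host's existing flows before reaching the jump)
# or when either rule is missing.  $1 = chain dump.
ban_precedes_established() {
    f2b=$(rule_index "$1" '^-A INPUT .*-j fail2ban-')
    est=$(rule_index "$1" '^-A INPUT .*--state [A-Z,]*ESTABLISHED.* -j ACCEPT')
    [ "$f2b" -gt 0 ] && [ "$est" -gt 0 ] && [ "$f2b" -lt "$est" ]
}

# Report the verdict for one dump.  $1 = label, $2 = chain dump.
report() {
    if ban_precedes_established "$2"; then
        echo "$1: fail2ban jump is before ESTABLISHED, ban also kills existing connections"
    else
        echo "$1: ESTABLISHED rule is before the jump, existing connections survive the ban"
    fi
}

report "early" "$SAMPLE_EARLY"
report "late" "$SAMPLE_LATE"
```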
