> I've searched around, but reading the above makes me think that it will
> log *every* proper TCP connection (i.e. all that begin with a SYN).
> Should I be using the --state flag, and if so, what attribute (NEW,
> ESTABLISHED, INVALID, RELATED)???
I use this (numbers modified):
--------------------------------------------------------------------
# Allow the local net to flood: I trust them
-A syn-flood -s 192.168.100.0/24 -j RETURN

# Keep the outsiders to a sane limit: tune this to fit as needed.
-A syn-flood -m limit --limit 2/second --limit-burst 25 -j RETURN

# You blew it. log-n-drop
-A syn-flood -j LOG
-A syn-flood -j DROP

# Check all SYNs
-A INPUT -p tcp -m tcp --syn -j syn-flood
--------------------------------------------------------------------
However, mine is intentionally throttling both over-eager users and floods, so, you may want to tweak.

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
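To see what the syn-flood chain in the reply above actually does to a burst of SYNs, here is an added model of it (example code, not from the poster or from netfilter). It treats `-m limit --limit 2/second --limit-burst 25` as a token bucket of 25 tokens refilling at 2 per second, which is how the limit match is documented to behave; the kernel's internal credit arithmetic differs in detail but the verdicts line up. The source addresses and timestamps are constructed for the demo.

```python
"""Model of the syn-flood chain from the post: trusted net bypasses the
limit, everyone else shares one token bucket, overflow is logged and dropped.

Constructed example; the bucket model is an approximation of `-m limit`.
"""
import ipaddress

TRUSTED_NET = ipaddress.ip_network("192.168.100.0/24")  # -s 192.168.100.0/24
RATE_PER_SECOND = 2.0                                    # --limit 2/second
BURST = 25                                               # --limit-burst 25


class SynFloodChain:
    """Return the verdict the chain gives each SYN: RETURN (continue) or DROP."""

    def __init__(self, rate=RATE_PER_SECOND, burst=BURST, trusted=TRUSTED_NET):
        self.rate = rate
        self.burst = burst
        self.trusted = trusted
        self.tokens = float(burst)  # a freshly loaded rule starts with a full burst
        self.last = None            # timestamp of the last SYN that hit the limit rule
        self.log = []               # what the LOG target would have written

    def handle(self, src, t):
        # Rule 1: -s 192.168.100.0/24 -j RETURN  (never rate limited)
        if ipaddress.ip_address(src) in self.trusted:
            return "RETURN"
        # Rule 2: -m limit ... -j RETURN  (one bucket shared by all outsiders)
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "RETURN"
        # Rules 3 and 4: -j LOG, then -j DROP
        self.log.append((t, src))
        return "DROP"


def run(events, **kw):
    """Apply the chain to (src_ip, timestamp) SYNs; return the verdicts."""
    chain = SynFloodChain(**kw)
    return [chain.handle(src, t) for src, t in events]


def demo():
    """Constructed traffic: a 30-SYN burst from one outsider within 30 ms,
    then a trusted host, a second outsider caught in the same exhausted
    bucket, and that outsider again 10 s later once the bucket has refilled."""
    events = [("203.0.113.7", i * 0.001) for i in range(30)]
    events.append(("192.168.100.5", 0.030))  # trusted net
    events.append(("198.51.100.9", 0.031))   # innocent bystander, bucket empty
    events.append(("198.51.100.9", 10.0))    # bucket refilled (2/s * ~10 s)
    chain = SynFloodChain()
    verdicts = [chain.handle(src, t) for src, t in events]
    return verdicts, chain.log


if __name__ == "__main__":
    verdicts, log = demo()
    for (src, t), v in zip(
        [("203.0.113.7", i * 0.001) for i in range(30)]
        + [("192.168.100.5", 0.030), ("198.51.100.9", 0.031), ("198.51.100.9", 10.0)],
        verdicts,
    ):
        print(f"t={t:7.3f} {src:15} {v}")
    print(f"{len(log)} SYNs logged and dropped")
```

The run shows the point that matters operationally: because `-m limit` keeps a single counter for every packet reaching that rule, one flooding source empties the bucket for all untrusted hosts, so the bystander at 198.51.100.9 is dropped along with the flooder. If that is not what you want, `-m hashlimit` with `--hashlimit-mode srcip` keeps a separate bucket per source address. Note also that the LOG rule fires for every SYN that exceeds the limit, so during a real flood the log volume is unbounded unless the LOG rule gets its own `-m limit`.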
