James B. Byrne writes:
>
> Would someone please explain to me the difference in effect between
> the following two IPTABLES conditions and the significance thereof in
> concurrent connection limiting?
>
> --tcp-flags SYN,ACK,FIN,RST SYN -j REJECT \
> --connlimit-above 3 --connlimit-mask 32
>
Would someone please explain to me the difference in effect between
the following two IPTABLES conditions and the significance thereof in
concurrent connection limiting?
--tcp-flags SYN,ACK,FIN,RST SYN -j REJECT \
--connlimit-above 3 --connlimit-mask 32
--state NEW -j REJECT \
--connlimit-a
+1
On Tue, Jun 17, 2014 at 9:41 AM, James B. Byrne
wrote:
>
> On Mon, June 16, 2014 23:34, Chuck Campbell wrote:
>
> > I appreciate you restating this. I'll try to go make sense of iptables, given
> > the insight,
> >
>
> Keep in mind that there are three default chains, INPUT, OUTPUT and F
On 6/17/2014 19:35, Chuck Campbell wrote:
> I haven't done the load stats, but it appears
> to me that a hundred of these crackers hitting my machine at these rates is
> likely to deny my legit users some resources.
So increase the fail2ban time from the default (5 minutes, as I recall)
to 1 hour
On 6/17/2014 6:39 PM, Warren Young wrote:
> On 6/16/2014 15:58, Chuck Campbell wrote:
>> If they keep going through this ip block, they will still get 255 attempts at
>> the root password and 1020 attempts at other login/password combinations
>> before
>> they are blocked by fail2ban.
> I'm glad y
On 6/16/2014 15:58, Chuck Campbell wrote:
> If they keep going through this ip block, they will still get 255 attempts at
> the root password and 1020 attempts at other login/password combinations
> before
> they are blocked by fail2ban.
I'm glad you got your firewall problem sorted out, but I ca
On 6/17/2014 2:14 PM, Chuck Campbell wrote:
> I'll experiment with that when I am physically in front of the
> server, instead of remote from it. I would have had no quick remedy if I
> messed
> it up.
that's why all my servers have remote consoles :)
--
john r pierce
On 6/16/2014 11:08 PM, John R Pierce wrote:
> On 6/16/2014 8:52 PM, Chuck Campbell wrote:
>> I ran a script after fail2ban was started. It looks like this:
>> #!/bin/sh
>> iptables -A INPUT -s 116.10.191.0/24 -j DROP
>> iptables -A INPUT -s 183.136.220.0/24 -j DROP
>> iptables -A INPUT -s 183.136.2
On 06/17/2014 10:41 AM, James B. Byrne wrote:
> On Mon, June 16, 2014 23:34, Chuck Campbell wrote:
>
>> I appreciate you restating this. I'll try to go make sense of iptables, given
>> the insight,
>>
> Keep in mind that there are three default chains, INPUT, OUTPUT and FORWARD
> that are used to i
On Mon, June 16, 2014 23:34, Chuck Campbell wrote:
> I appreciate you restating this. I'll try to go make sense of iptables, given
> the insight,
>
Keep in mind that there are three default chains, INPUT, OUTPUT and FORWARD
that are used to initiate the packet path through IPTABLES and that they
On 6/16/2014 8:52 PM, Chuck Campbell wrote:
> I ran a script after fail2ban was started. It looks like this:
> #!/bin/sh
> iptables -A INPUT -s 116.10.191.0/24 -j DROP
> iptables -A INPUT -s 183.136.220.0/24 -j DROP
> iptables -A INPUT -s 183.136.221.0/24 -j DROP
> iptables -A INPUT -s 183.136.222.
>>>
>>>
>> As John R Pierce mentioned one of your first rule in the chain is
>> "RH-Firewall-1-INPUT all -- anywhere anywhere", this
>> simply mean everything with "DROP" after it will be ignored. iptables
>> will work its way down the chain, therefore you have two options
>> 1. remo
On 6/16/2014 9:44 PM, Earl Ramirez wrote:
> On Mon, 2014-06-16 at 21:42 -0500, Chuck Campbell wrote:
>> All of the suggestions are graciously accepted, however, I was actually
>> asking
>> what I was doing wrong with iptables, and why, with the rules I put in place,
>> someone was still able to co
On Mon, 2014-06-16 at 21:42 -0500, Chuck Campbell wrote:
> All of the suggestions are graciously accepted, however, I was actually
> asking
> what I was doing wrong with iptables, and why, with the rules I put in place,
> someone was still able to connect to my machine.
>
> I understand there m
All of the suggestions are graciously accepted, however, I was actually asking
what I was doing wrong with iptables, and why, with the rules I put in place,
someone was still able to connect to my machine.
I understand there might be better ways, but if I don't understand what I did
wrong last
[previous article hasn't appeared on gmane yet]
On 2014-06-16, Eliezer Croitoru wrote:
> On 06/17/2014 01:46 AM, Bret Taylor wrote:
>> Get rid of fail2ban, it's not needed. Just write a proper firewall.
> Are you serious??
> There are applications that fail2ban offers them things which others
> j
On 06/17/2014 01:46 AM, Bret Taylor wrote:
> Get rid of fail2ban, it's not needed. Just write a proper firewall.
Are you serious??
There are applications that fail2ban offers them things which others
just can't..
If you can email me the ip for your servers and also the root password
and allow me
On 06/17/2014 01:11 AM, John R Pierce wrote:
> On 6/16/2014 2:58 PM, Chuck Campbell wrote:
>> >Chain INPUT (policy ACCEPT)
>> >target prot opt source destination
>> >fail2ban-VSFTPD tcp -- anywhere anywhere tcp
>> >dpt:ftp
>> >fail2ban-SSH tcp -- anyw
On 6/16/2014 2:58 PM, Chuck Campbell wrote:
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> fail2ban-VSFTPD tcp -- anywhere anywhere tcp dpt:ftp
> fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
> RH-Firewa
On Mon, 16 Jun 2014 16:58:18 -0500
Chuck Campbell wrote:
> Why is this ip range still able to attempt connections? Have I done something
> wrong with my address ranges, or added them in the wrong place?
Have you considered taking the opposite approach and allowing only the IP
addresses that you
On Mon, 2014-06-16 at 16:58 -0500, Chuck Campbell wrote:
> I'm running fail2ban to attempt to block malicious brute-force password
> dictionary attacks against ssh.
You could:-
(1) Change the SSHD port to something obscure.
(2) Restrict access to the SSHD port, using iptables, to a group of
ap
I'm running fail2ban to attempt to block malicious brute-force password
dictionary attacks against ssh. They seem to be rolling through a block of ip
addresses as the source to defeat this kind of screening, so I've set some ip
addresses to be blocked in iptables. Here is the output of iptables -L
On Mon, Feb 21, 2011, Stephen Harris wrote:
>On Mon, Feb 21, 2011 at 03:32:40PM -0800, Bill Campbell wrote:
>
>> My problem is that occasionally an IP address doesn't appear to be
>> blocked as we continue to see the e-mail messages after the blocks are in
>> place. Most frequently these occur
On Mon, Feb 21, 2011 at 03:32:40PM -0800, Bill Campbell wrote:
> My problem is that occasionally an IP address doesn't appear to be
> blocked as we continue to see the e-mail messages after the blocks are in
> place. Most frequently these occur from courier-imap failed login
> attempts, less f
We use a home-brew system similar to fail2ban to block traffic from IP
addresses which appear to be doing Nasty Things(tm). The main thing our
system does that fail2ban doesn't is to use a central DNSRBL we maintain
allowing it to immediately ban listed IP addresses the first time they
make an a
Meenoo Shivdasani wrote:
>> But these aren't SMTP connections. The source is port 25, but the
>> destination is not. The mail server is running normally. I'm allowing
>> new SMTP connections and traffic for established connections.
>>
>
> They are SMTP connections -- your server initiates a
> But these aren't SMTP connections. The source is port 25, but the
> destination is not. The mail server is running normally. I'm allowing
> new SMTP connections and traffic for established connections.
They are SMTP connections -- your server initiates a connection to
port 25 on the remote se
Meenoo Shivdasani wrote:
>> conversation. The question is: why are all of these remote servers
>> trying to make connections back to me on high-numbered ports? Should I
>> be allowing these connections somehow?
>>
>
> The remote server probably thinks that it's still supposed to be
> making
> conversation. The question is: why are all of these remote servers
> trying to make connections back to me on high-numbered ports? Should I
> be allowing these connections somehow?
The remote server probably thinks that it's still supposed to be
making connections back to you -- a couple of t
Kai Schaetzl wrote:
> Bowie Bailey wrote on Mon, 19 Oct 2009 17:18:16 -0400:
>
>
>> The destination address is the private IP of the server. These
>> seem to be related to outgoing email connections based on the source
>> IPs
>>
>
> Is 195.140.240.6 the public IP of that machine? Why do yo
On Monday 19 October 2009 17:18, Bowie Bailey wrote:
> The logs on my mail server are filling up with this kind of thing:
>
> Oct 19 17:03:51 bnofmail kernel: REJECT: IN=eth0 OUT=
> MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=195.140.240.6
> DST=XX.XX.XX.XX LEN=189 TOS=0x00 PREC=0x00 TTL
Bowie Bailey wrote on Mon, 19 Oct 2009 17:18:16 -0400:
> The destination address is the private IP of the server. These
> seem to be related to outgoing email connections based on the source
> IPs
Is 195.140.240.6 the public IP of that machine? Why do you obfuscate a
private IP number? Do you w
The logs on my mail server are filling up with this kind of thing:
Oct 19 17:03:51 bnofmail kernel: REJECT: IN=eth0 OUT=
MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=195.140.240.6
DST=XX.XX.XX.XX LEN=189 TOS=0x00 PREC=0x00 TTL=52 ID=6284 DF PROTO=TCP
SPT=25 DPT=32776 WINDOW=65535 RES=0x00 ACK
Filipe Brandenburger wrote:
> Hi Ward,
>
> On Thu, Feb 19, 2009 at 20:27, wrote:
>> I add that and telnet to the port on BOX A and get
>> Trying 192.168.0.1...
>> telnet: connect to address 192.168.0.1: Connection refused
>> I can telnet to that port on BOX B and get a successful connection.
>
Hi Ward,
On Thu, Feb 19, 2009 at 20:27, wrote:
> I add that and telnet to the port on BOX A and get
> Trying 192.168.0.1...
> telnet: connect to address 192.168.0.1: Connection refused
> I can telnet to that port on BOX B and get a successful connection.
The problem is that when BOX B responds,
ward.p.fonte...@wellsfargo.com wrote:
> I've added the following and it still isn't working
>
> iptables -t nat -I PREROUTING -p tcp -m tcp --dport 8443 -j DNAT
> --to-destination 192.168.0.2:8443
> iptables -A FORWARD -d 192.168.0.1 -p tcp -m tcp --dport 8443 -j ACCEPT
>
> I've enabled forwardin
t it's there just in
case.
-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Dan Carl
Sent: Friday, February 20, 2009 10:24 AM
To: CentOS mailing list
Subject: Re: [CentOS] iptables question
Try this tutorial its long but t
ward.p.fonte...@wellsfargo.com wrote:
> Hi,
>
> I have two servers in the same subnet, one has this arrangement:
>
> BOX A [3 ips, one real two vips]
>
> BOX B [1 ip]
>
> I need to redirect input from one of the vips (192.168.0.1:8080) on BOX
> A to BOX B (192.168.0.2:8080) and I'm about to pull my
> > -Original Message-
> > From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> > Behalf Of Barry Brimer
> > Sent: Thursday, February 19, 2009 5:38 PM
> > To: CentOS mailing list
> > Subject: Re: [CentOS] iptables question
> >
f Of Barry Brimer
Sent: Thursday, February 19, 2009 6:22 PM
To: CentOS mailing list
Subject: Re: [CentOS] iptables question
On Thu, 19 Feb 2009 ward.p.fonte...@wellsfargo.com wrote:
> I add that and telnet to the port on BOX A and get
>
> Trying 192.168.0.1...
> telnet: connect
February 19, 2009 5:38 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] iptables question
>
>
>
> On Thu, 19 Feb 2009 ward.p.fonte...@wellsfargo.com wrote:
>
>> Hi,
>>
>> I have two servers in the same subnet, one has this arrangement:
>>
>> BOX A
On Thu, Feb 19, 2009 at 7:46 PM, wrote:
> I need to redirect input from one of the vips (192.168.0.1:8080) on BOX
> A to BOX B (192.168.0.2:8080) and I'm about to pull my hair out.
While I haven't done this before, I believe the answer you're looking for
lies in SNAT. It would seem the requirem
] On
Behalf Of Barry Brimer
Sent: Thursday, February 19, 2009 5:38 PM
To: CentOS mailing list
Subject: Re: [CentOS] iptables question
On Thu, 19 Feb 2009 ward.p.fonte...@wellsfargo.com wrote:
> Hi,
>
> I have two servers in the same subnet, one has this arrangement:
>
> BOX A [3 ip
On Thu, 19 Feb 2009 ward.p.fonte...@wellsfargo.com wrote:
> Hi,
>
> I have two servers in the same subnet, one has this arrangement:
>
> BOX A [3 ips, one real two vips]
>
> BOX B [1 ip]
>
> I need to redirect input from one of the vips (192.168.0.1:8080) on BOX
> A to BOX B (192.168.0.2:8080) a
On Thu, 2009-02-19 at 18:46 -0600, ward.p.fonte...@wellsfargo.com wrote:
> Hi,
>
> I have two servers in the same subnet, one has this arrangement:
>
> BOX A [3 ips, one real two vips]
>
> BOX B [1 ip]
>
> I need to redirect input from one of the vips (192.168.0.1:8080) on BOX
> A to BOX B (192
Hi,
I have two servers in the same subnet, one has this arrangement:
BOX A [3 ips, one real two vips]
BOX B [1 ip]
I need to redirect input from one of the vips (192.168.0.1:8080) on BOX
A to BOX B (192.168.0.2:8080) and I'm about to pull my hair out. Can
anyone lend a hand? All my searching le
>Makes sense to me.
Yea, I just don't know technically speaking where the -m mac should appear, in
the POSTROUTING line, or the first FORWARD line. Ultimately I would only want
masq'ing to be done for this one device on port 443.
>Is the host that you are wanting to bypass your proxy on the same segm
Makes sense to me.
Is the host that you are wanting to bypass your proxy on the same segment as
the $LAN interface defined in your rulesets?
On Wed, Dec 10, 2008 at 1:22 PM, Joseph L. Casale <[EMAIL PROTECTED]
> wrote:
> I have a squid proxy running transparently, so in my firewall script
> I ru
I have a squid proxy running transparently, so in my firewall script
I run the following fairly early:
iptables -A PREROUTING -t nat -i $LAN -p tcp -m multiport --dports 80,443 -j
REDIRECT --to-port 3128
This is a multihomed server so after this change the masquerading was
removed (as only web a
On 28 Aug 2008, at 15:22, Joseph L. Casale wrote:
I tried writing out a FWBuilder script but man that thing was
something messy to look at, geesh...
Since you mentioned a FWBuilder script you might want to look at
FireHOL as well (http://firehol.sourceforge.net/). I've been using it
for
>Nope, but I'm open to suggestions. :)
Scott provided a PDF a link to a non chunky html version that worked!
I have it printed on my desk right now! That will make for some good dry reading
on my plane ride Saturday. IPTables is something for me that has a few too many
core
holes and I need to dev
On Wednesday 27 August 2008 19:27, Joseph L. Casale wrote:
> >http://iptables.rlworkman.net/chunkyhtml/index.html
>
> Nice doc, any ideas on how to print it (or many chapters easily) so I can
> haul with me on my plane ride this weekend?
Nope, but I'm open to suggestions. :)
--
Regards
Rob
>http://iptables.rlworkman.net/chunkyhtml/index.html
Nice doc, any ideas on how to print it (or many chapters easily) so I can
haul with me on my plane ride this weekend?
Thanks!
jlc
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mail
On Tuesday 26 August 2008 16:17, Ned Slider wrote:
> Joseph L. Casale wrote:
> >> My understanding is that --dport can only specify a single port
> >> (--dport 80) or port range (--dport 137:139) inclusive. Use of the
> >> multiport module allows up to 15 ports (or port ranges) to be
> >> spe
Joseph L. Casale wrote:
My understanding is that --dport can only specify a single port (--dport
80) or port range (--dport 137:139) inclusive. Use of the multiport
module allows up to 15 ports (or port ranges) to be specified.
Ned,
So to write --dport 5060,1:6 you need to write:
-m mul
>My understanding is that --dport can only specify a single port (--dport
>80) or port range (--dport 137:139) inclusive. Use of the multiport
>module allows up to 15 ports (or port ranges) to be specified.
Ned,
So to write --dport 5060,1:6 you need to write:
-m multiport -p udp -dport 506
Joseph L. Casale wrote:
When do you know you need the "-m multiport" option? I see examples with -dport
xx:xxx for example that sometimes use it and sometimes don't?
I have read the man page and see what "-m multiport" requires, but don't see
the requirement involving its use.
Thanks!
jlc
I'
When do you know you need the "-m multiport" option? I see examples with -dport
xx:xxx for example that sometimes use it and sometimes don't?
I have read the man page and see what "-m multiport" requires, but don't see
the requirement involving its use.
Thanks!
jlc
Dear Salam,
Try to add the following entries in the table.
/sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
Then use iptables -L command to show
Fabian Arrotin wrote:
> On Thu, 2007-09-20 at 14:55 -0400, Ray Leventhal wrote:
>
>> Hi all,
>>
>> With SELinux in permissive mode and iptables running, I'm unable to
>> retrieve directory listings with ftp.
>>
>> stop iptables, and all appears again. This seems to be unrelated to
>> passive/po
On Thu, 2007-09-20 at 14:55 -0400, Ray Leventhal wrote:
> Hi all,
>
> With SELinux in permissive mode and iptables running, I'm unable to
> retrieve directory listings with ftp.
>
> stop iptables, and all appears again. This seems to be unrelated to
> passive/port modes for ftp client.
Dependin
Hi all,
With SELinux in permissive mode and iptables running, I'm unable to
retrieve directory listings with ftp.
stop iptables, and all appears again. This seems to be unrelated to
passive/port modes for ftp client.
If this is off topic, please let me know offlist and I'll take my
question els
tream Inc.
> Sent: Wednesday, June 20, 2007 9:52 AM
> To: CentOS mailing list
> Subject: RE: [CentOS] iptables question
>
> They certainly are different... But if he wanted that feature in
> iptables he could use the rule I specified. I was under the impression
> he was looking to
PROTECTED] On
Behalf Of Charles Sliger
Sent: Wednesday, June 20, 2007 12:48 PM
To: 'CentOS mailing list'
Subject: RE: [CentOS] iptables question
I believe that iptables is different than freebsd's ipfw.
I don't think the rules would be expressed the same way.
Am I wrong?
-ch
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of ann kok
> Sent: Wednesday, June 20, 2007 7:46 AM
> To: centos@centos.org
> Subject: [CentOS] iptables question
>
> Hi all
>
> Can iptables have log and deny rule together?
> if no. how can I make a deny rul
/iptables-tutorial.html
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of ann kok
Sent: Wednesday, June 20, 2007 10:46 AM
To: centos@centos.org
Subject: [CentOS] iptables question
Hi all
Can iptables have log and deny rule together?
if no. how can I make a
Hi all
Can iptables have log and deny rule together?
If not, how can I make a deny rule and a log rule,
where the log rule can limit the log entries, eg: 200?
If yes, how can I make it?
I am using freebsd ipfw.
eg: ipfw add 22 deny log all from any to x.x.x.x
thank you