Re: [Shorewall-users] Error Parsing SSHKnock with Shorewall Per

Mon, 27 Aug 2007 15:14:47 -0700 

Mike Lander wrote:
> <snip> from /var/lib/shorewall/.iptables-restore-input file
> line 131 is '--name SSH          -j ACCEPT' below
> 
> 
> 
> -A Reject -p 6 -m multiport --dports 135,139,445 -j reject
> -A Reject -p 17 --dport 1900 -j DROP
> -A Reject -p 6 -j dropNotSyn
> -A Reject -p 17 --sport 53 -j DROP
> -A SSHKnock -p tcp --dport 22   -m recent --rcheck --seconds 60
> --name SSH          -j ACCEPT
> -A SSHKnock -p tcp --dport 1599 -m recent
> --name SSH --remove -j DROP
> -A SSHKnock -p tcp --dport 1600 -m recent
> --name SSH --set    -j DROP
> -A SSHKnock -p tcp --dport 1601 -m recent
> 

You have extra newline characters in your source. Each '-A' command should
be on a single line. Attached is the correct /etc/shorewall/SSHKnock

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

use Shorewall::Chains;

if ( $level ) {
    log_rule_limit( $level, 
                    $chainref, 
                    'SSHKnock',
                    'ACCEPT',
                    '',
                    $tag,
                    'add',
                    '-p tcp --dport 22   -m recent --rcheck --name SSH' );

    log_rule_limit( $level,
                    $chainref,
                    'SSHKnock',
                    'DROP',
                    '',
                    $tag,
                    'add',
                    '-p tcp --dport ! 22' );
}

add_rule( $chainref, '-p tcp --dport 22   -m recent --rcheck --seconds 60 
--name SSH          -j ACCEPT' );
add_rule( $chainref, '-p tcp --dport 1599 -m recent                       
--name SSH --remove -j DROP' );
add_rule( $chainref, '-p tcp --dport 1600 -m recent                       
--name SSH --set    -j DROP' );
add_rule( $chainref, '-p tcp --dport 1601 -m recent                       
--name SSH --remove -j DROP' );

1;

Attachment: signature.asc
Description: OpenPGP digital signature

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to