----- Original Message ----- 
From: "Tom Eastep" <[EMAIL PROTECTED]>
To: "Shorewall Users" <[email protected]>
Sent: Monday, August 27, 2007 3:14 PM
Subject: Re: [Shorewall-users] Error Parsing SSHKnock with Shorewall Per


Mike Lander wrote:
> <snip> from /var/lib/shorewall/.iptables-restore-input file
> line 131 is '--name SSH          -j ACCEPT' below
>
>
>
> -A Reject -p 6 -m multiport --dports 135,139,445 -j reject
> -A Reject -p 17 --dport 1900 -j DROP
> -A Reject -p 6 -j dropNotSyn
> -A Reject -p 17 --sport 53 -j DROP
> -A SSHKnock -p tcp --dport 22   -m recent --rcheck --seconds 60
> --name SSH          -j ACCEPT
> -A SSHKnock -p tcp --dport 1599 -m recent
> --name SSH --remove -j DROP
> -A SSHKnock -p tcp --dport 1600 -m recent
> --name SSH --set    -j DROP
> -A SSHKnock -p tcp --dport 1601 -m recent
>

You have extra newline characters in your source. Each '-A' command should
be on a single line. Attached is the correct /etc/shorewall/SSHKnock

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



--------------------------------------------------------------------------------


# /etc/shorewall/SSHKnock -- body of a Shorewall-perl action. The compiler
# supplies $chainref, $level and $tag when the action is invoked. Every
# rule string passed to add_rule() must stay on one line: a stray newline
# inside it ends up in the iptables-restore input and breaks the parse.
use Shorewall::Chains;

if ( $level ) {
    # Logging variants of the ACCEPT and DROP rules, emitted only when the
    # action was invoked with a log level.
    log_rule_limit( $level,
                    $chainref,
                    'SSHKnock',
                    'ACCEPT',
                    '',
                    $tag,
                    'add',
                    '-p tcp --dport 22   -m recent --rcheck --name SSH' );

    log_rule_limit( $level,
                    $chainref,
                    'SSHKnock',
                    'DROP',
                    '',
                    $tag,
                    'add',
                    '-p tcp --dport ! 22' );
}

# Port 22 is accepted only while the source address is in the 'SSH' recent
# list and was added less than 60 seconds ago.
add_rule( $chainref, '-p tcp --dport 22   -m recent --rcheck --seconds 60 --name SSH          -j ACCEPT' );
# A knock on 1600 adds the source address to the list; 1599 and 1601 remove
# it again (so a sequential scan of the three ports never leaves it set).
add_rule( $chainref, '-p tcp --dport 1599 -m recent --name SSH --remove -j DROP' );
add_rule( $chainref, '-p tcp --dport 1600 -m recent --name SSH --set    -j DROP' );
add_rule( $chainref, '-p tcp --dport 1601 -m recent --name SSH --remove -j DROP' );

1;



That did it Tom,
Thank you,
Mike


--------------------------------------------------------------------------------


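As an added illustration of Tom's diagnosis (not part of the thread, and not Shorewall's own code): a small check that flags lines in an iptables-restore input which cannot start a statement, so they must be the tail of a rule that was wrapped onto a second line, and re-joins them. The sample input is constructed from the fragments quoted above; the set of statement starters is an assumption based on iptables-save style output.

```python
import re

# Statements iptables-restore accepts at the start of a line: a table
# header (*filter), a chain declaration (:NAME ...), a command (-A, -I, ...),
# COMMIT, or a comment. Anything else is a fragment of the line above it.
# (Assumption: the file is iptables-save style output, as Shorewall writes.)
STATEMENT = re.compile(r'^(\*\w+|:[\w-]+\s|-[A-Z]\s|COMMIT\s*$|#)')

def find_wrapped_rules(text):
    """Return (line_no, fragment, line_no_of_rule_it_belongs_to) for every
    non-blank line that cannot start a statement, i.e. the tail of a
    '-A' command that was split by a newline."""
    problems, last_statement = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if STATEMENT.match(line):
            last_statement = no
        else:
            problems.append((no, line.strip(), last_statement))
    return problems

def join_wrapped_rules(text):
    """Re-join each fragment onto the statement it was split from."""
    out, last = [], None          # last = index in out of the last statement
    for line in text.splitlines():
        if line.strip() and not STATEMENT.match(line) and last is not None:
            out[last] = out[last].rstrip() + ' ' + line.strip()
            continue
        out.append(line)
        if line.strip():
            last = len(out) - 1
    return '\n'.join(out) + '\n'

# Constructed sample built from the fragments quoted in the thread: two of
# the SSHKnock rules have been split over two lines.
SAMPLE = """\
*filter
:SSHKnock - [0:0]
-A Reject -p 6 -m multiport --dports 135,139,445 -j reject
-A SSHKnock -p tcp --dport 22   -m recent --rcheck --seconds 60
--name SSH          -j ACCEPT
-A SSHKnock -p tcp --dport 1599 -m recent
--name SSH --remove -j DROP
-A SSHKnock -p tcp --dport 1600 -m recent --name SSH --set    -j DROP
COMMIT
"""

if __name__ == '__main__':
    for no, frag, rule in find_wrapped_rules(SAMPLE):
        print(f'line {no}: {frag!r} looks like the tail of the rule on line {rule}')
    print(join_wrapped_rules(SAMPLE), end='')
```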
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users