[tor-relays] max TCP interruption before Tor circuit teardown?
David Serrano
tor at dserrano5.es
Sun Oct 27 20:09:20 UTC 2013
On 2013-10-27 12:29:33 (-0700), Gordon Morehouse wrote:
>
> I've implemented these and I'd really love for anyone who's great at
> iptables to sanity-check my rules[1] because I am an iptables relative
> noob.
> 5: # TODO: don't know if fail2ban will override this if a host with established
> 6: # connections gets temp banned. We don't want it to. Need to find out.
It depends on the spot fail2ban inserts the new firewall rules. If it's before
the '--state ESTABLISHED' rule, then the ban will be enforced. Otherwise, the
kernel will let the packets through when they reach that rule.
> 12: iptables -A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
> [...]
> 17: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j LOG
> 18: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j REJECT
You don't need '-m state --state NEW' in lines 17 and 18 because all packets in
that chain are already known to be new.
I recommend always using --log-prefix for easy future grepping.
--
David Serrano
GnuPG id: 280A01F9
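The two points above (the position of fail2ban's rules relative to the ESTABLISHED rule, and the redundant '--state NEW' matches inside a chain that only ever receives new connections) as one added example. This is not the original poster's rule set; the ports 31923,31924 are the ones quoted in the thread, while the chain name SYN_THROTTLE is kept from the quote and the limit values are assumptions. By default the script only prints the commands; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not the rules from the original message. IPT defaults to a
# dry run that prints each command instead of executing it.
IPT="${IPT:-echo iptables}"

syn_throttle_rules() {
    # Anything fail2ban inserts *above* this rule (e.g. 'iptables -I INPUT 1
    # ... -j f2b-...') is evaluated before it and will also cut established
    # connections; anything appended *below* it will only block new ones.
    # Check with: iptables -L INPUT -n -v --line-numbers
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -N SYN_THROTTLE
    # Only NEW connections are diverted into the chain, so the chain itself
    # needs no further '-m state --state NEW' matches.
    $IPT -A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
    # Assumed limit: let 30 new connections per minute through (burst of 60).
    $IPT -A SYN_THROTTLE -m limit --limit 30/minute --limit-burst 60 -j RETURN
    # A fixed prefix on every logged line makes later grepping trivial.
    $IPT -A SYN_THROTTLE -j LOG --log-prefix "SYN_THROTTLE: "
    $IPT -A SYN_THROTTLE -j REJECT
}

# Prints the generated rule set when run directly.
syn_throttle_rules
```

Run it once without IPT set to review the generated lines; only when they look right, re-run with IPT=iptables as root.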