My SSH Highport solution has been working well (see last post), so now I
need to setup some firewall rules for rate-limiting so that I can expose
the port to the internet and not permit huge dictionary attacks against
the port. So I setup some iptables rules and ... it doesn't work. I
found a bunch of examples of doing this and I followed them very closely
but no luck. So I'm wondering if there is something about using the
directors that is causing problems with these rules.
On the directors here's what I have:
# iptables -L -n --line-numbers
Chain RH-Firewall-1-INPUT (1 references)
16 tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322 recent: SET name:
DEFAULT side: source
17 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322 recent:
UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source
18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322
19 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
If I take out the two 'recent' rules then I can login via SSH on port
33322. But with the rules in I get a timeout and 'connection closed'
when I try to login via ssh on port 33322.
Here's the rules:
iptables -I RH-Firewall-1-INPUT 16 -i eth0 -m state --state NEW -p tcp
--dport 33322 -m recent --set
iptables -I RH-Firewall-1-INPUT 17 -i eth0 -m state --state NEW -p tcp
--dport 33322 -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I RH-Firewall-1-INPUT 18 -i eth0 -m state --state NEW -p tcp
--dport 33322 -j ACCEPT
Ok, what I've found is that if I set the 'hit_count' high to say 100
then I can login but the connection dies very quickly (actually it just
hangs). So I think the limit rule is applying to more than just NEW
packets. The higher that I set 'hit_count' the longer the connection
will last. So is there something wrong with the way I've implemented
this or is this a bug in iptables or the kernel?