http://www.dslreports.com/forum/firewall-rule-question-22683653 en Sat, 11 Feb 2012 16:37:40 EDT Sat, 11 Feb 2012 16:37:40 EDT http://www.dslreports.com/forum/Re-firewall-rule-question-22684275 said by shorthairedp:

So, from another thread:

iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

is the a term for all ports instead of tcp port 22 (or whatever the individual port is)

To do this in particular (this rule for everything not on dport 22), you can specify an inverse rule like this:

iptables -A INPUT -p tcp --dport ! 22 -i eth1 -m state --state NEW -m recent --set

note the !. Basically this says, match where dport does not equal 22]]> http://www.dslreports.com/forum/Re-firewall-rule-question-22684275 Fri, 10 Jul 2009 07:05:49 EDT http://www.dslreports.com/forum/Re-firewall-rule-question-22683927
It looks like you're trying to limit P2P? If so, use the connlimit module, it's very effective:

iptables -I FORWARD -i br0 -p tcp --syn --dport 1: -m connlimit --connlimit-above 200 -j REJECT
iptables -I FORWARD -i br0 -p tcp --syn --dport 1024: -m connlimit --connlimit-above 7 -j REJECT
iptables -I FORWARD -i br0 -p udp --dport 1: -m connlimit --connlimit-above 200 -j REJECT
iptables -I FORWARD -i br0 -p udp --dport 1024: -m connlimit --connlimit-above 7 -j REJECT

Assuming you had a bridged interface br0 where client traffic was coming in on, this would allow 200 connections total per user for TCP and another 200 for UDP (lines #1 and #3). It also places a limit of 7 TCP and UDP connections per user on ports 1024 and above (lines #2 and #4).

The example you posted would add the user to a queue after only 20 new packets of any type were spotted in 1 minute. So the user would likely get queued after a single web page since they've got a few connections to the server, dns packets, etc. Using hitcount is usually best for preventing abusive activity targeted at a single host, or a single port -- portscans, brute force attacks, etc.

I had difficulty in finding a good iptables tutorial-type resource, so I just learned by looking at a bunch of examples, I think it's the easiest way. I'm falling asleep but I'll look reread this in the morning to see if i wasn't making much sense.]]> http://www.dslreports.com/forum/Re-firewall-rule-question-22683927 Fri, 10 Jul 2009 01:55:03 EDT http://www.dslreports.com/forum/Re-firewall-rule-question-22683707 »www.opensource.com/docs/manuals/···ons.html

iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state ESTABLISHED -m recent --set

iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP

by rights, this will drop all new connections whenever there are more than 20 active in a minute? is this correct?

now, if I set queue instead of drop, and theyre running P2P how much will queue before the router flips out? should I add another rule setting the queue to a certain level then drops?

iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state ESTABLISHED -m recent --set

iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j QUEUE

iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state QUEUE -m recent --set

iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 50 -j DROP

For reference, Im looking at custom abuser rules, not overall system rules

Or am I just WAY off base here?]]> http://www.dslreports.com/forum/Re-firewall-rule-question-22683707 Fri, 10 Jul 2009 00:36:23 EDT http://www.dslreports.com/forum/firewall-rule-question-22683653
iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

is the a term for all ports instead of tcp port 22 (or whatever the individual port is)

I wish I knew the syntax for iptables, is there a good cheaters quick reference anyone is aware of?]]> http://www.dslreports.com/forum/firewall-rule-question-22683653 Fri, 10 Jul 2009 00:19:33 EDT