On 2013-10-27 12:29:33 (-0700), Gordon Morehouse wrote:
>
> I've implemented these and I'd really love for anyone who's great at
> iptables to sanity-check my rules[1] because I am an iptables relative
> noob.
>
> 5: # TODO: don't know if fail2ban will override this if a host with established
> 6: # connections gets temp banned. We don't want it to. Need to find out.

It depends on the spot fail2ban inserts the new firewall rules. If it's
before the '--state ESTABLISHED' rule, then the ban will be enforced.
Otherwise, the kernel will let the packets through when they reach that
rule.

> 12: iptables -A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
> [...]
> 17: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j LOG
> 18: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j REJECT

You don't need '-m state --state NEW' in lines 17 and 18 because all
packets in that chain are already known to be new.

I recommend always using --log-prefix for easy future grepping.

--
David Serrano
GnuPG id: 280A01F9
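As an added check, not part of David's reply or of Gordon's rule file: a small Python linter that replays iptables -A/-I commands into per-chain order and tests the two points above, whether a fail2ban-style jump inserted with "-I INPUT" lands before the ESTABLISHED accept (so bans also cut open connections), and whether "--state NEW" inside SYN_THROTTLE is redundant because every jump into that chain already matched NEW. The rule list is constructed from the quoted lines; "fail2ban-ssh" is a hypothetical chain name.

```python
import shlex
from collections import defaultdict

# Constructed sample modelled on the thread's numbered rules; the last line imitates
# fail2ban inserting its jump with "-I INPUT" ("fail2ban-ssh" is a hypothetical name).
SAMPLE = [
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE",
    "-A SYN_THROTTLE -m state --state NEW -j LOG",
    "-A SYN_THROTTLE -m state --state NEW -j REJECT",
    "-I INPUT -p tcp -j fail2ban-ssh",
]

def load_rules(lines):
    """Replay -A (append) and -I (insert at top) into per-chain ordered token lists."""
    chains = defaultdict(list)
    for line in lines:
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] not in ("-A", "-I"):
            continue
        chain, rest = toks[1], toks[2:]
        pos = 0 if toks[0] == "-I" else len(chains[chain])
        chains[chain].insert(pos, rest)
    return dict(chains)

def opt(rule, name):
    """Value following option `name` in a rule, or None if absent."""
    i = rule.index(name) if name in rule else len(rule)
    return rule[i + 1] if i + 1 < len(rule) else None

def ban_hits_established(chains, ban_chain, base="INPUT"):
    """True when the jump to ban_chain precedes the ESTABLISHED accept in base."""
    est = jump = None
    for i, rule in enumerate(chains.get(base, [])):
        state, target = opt(rule, "--state") or "", opt(rule, "-j")
        if est is None and "ESTABLISHED" in state and target == "ACCEPT":
            est = i
        if jump is None and target == ban_chain:
            jump = i
    return jump is not None and (est is None or jump < est)

def redundant_state_new(chains):
    """--state NEW matches in chains that are only entered via jumps already matching NEW."""
    out = []
    for chain, rules in chains.items():
        entries = [r for rs in chains.values() for r in rs if opt(r, "-j") == chain]
        if entries and all(opt(r, "--state") == "NEW" for r in entries):
            out += [" ".join(r) for r in rules if opt(r, "--state") == "NEW"]
    return out
```

Feed it the output of `iptables-save` (the -A lines) plus whatever `-I` command the fail2ban action configuration uses, and the two functions tell you where the ban chain sits and which state matches can be dropped.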
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays