-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
David Serrano:
> On 2013-10-27 12:29:33 (-0700), Gordon Morehouse wrote:
> > I've implemented these and I'd really love for anyone who's great at iptables to sanity-check my rules[1] because I am an iptables relative noob.
> 5: # TODO: don't know if fail2ban will override this if a host with established
> 6: # connections gets temp banned. We don't want it to. Need to find out.
>
> It depends on the spot fail2ban inserts the new firewall rules. If it's before the '--state ESTABLISHED' rule, then the ban will be enforced. Otherwise, the kernel will let the packets through when they reach that rule.
Here's my 'iptables -L' output, on pastebin because it's a mess when formatted for email: http://pastebin.com/f1VZNeTF
That's not a fresh boot, though, I did:
'iptables -F'
'service fail2ban reload'
and then ran the iptables commands by hand, in order.
> 12: iptables -A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
> [...]
> 17: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j LOG
> 18: /sbin/iptables -A SYN_THROTTLE -m state --state NEW -j REJECT
>
> You don't need '-m state --state NEW' in lines 17 and 18 because all packets in that chain are already known to be new.
Ah, right - thanks! That might save a few cycles, assuming iptables wouldn't optimize it out. Important for the Raspberry Pi!
> I recommend always using --log-prefix for easy future grepping.
Another good idea, thanks again. I've committed these changes to the repo.
Best,
-Gordon M.
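As an added example (not the rules from Gordon's repo, and not part of the thread), the script below puts the three points of the exchange into a runnable form: a SYN_THROTTLE chain without the redundant '--state NEW' matches and with a --log-prefix, an INPUT chain whose ESTABLISHED accept is appended after the throttle hook, and a check that answers the TODO on lines 5-6 by reading 'iptables -S INPUT' and reporting whether the fail2ban jump sits above the ESTABLISHED accept. The ports 31923,31924 are the ones quoted in the thread; the jail/chain name fail2ban-ssh, the hashlimit and log rates, and the two sample listings are my own illustrative choices. By default it only echoes the iptables commands; set IPT=/sbin/iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example, not the rules from Gordon's repo. Shows (a) a SYN_THROTTLE
# chain without the redundant '--state NEW' matches and with --log-prefix, and
# (b) a check that the fail2ban jump sits above the ESTABLISHED accept in
# INPUT, which decides whether a ban also cuts connections already open.
# Assumptions: ports 31923,31924 come from the thread; the chain name
# "fail2ban-ssh", the hashlimit/limit rates and the sample listings are
# illustrative. Dry-run by default; IPT=/sbin/iptables (as root) applies.

IPT="${IPT:-echo /sbin/iptables}"

apply_rules() {
    $IPT -N SYN_THROTTLE
    # Per-source rate limit: a burst of 5 new connections, refilling at 10/min;
    # anything above that falls through to the LOG and REJECT rules below.
    $IPT -A SYN_THROTTLE -m hashlimit --hashlimit-name syn_throttle \
        --hashlimit-mode srcip --hashlimit-upto 10/min --hashlimit-burst 5 \
        -j ACCEPT
    # No '-m state --state NEW' here: the only jump into this chain already
    # matched NEW, so every packet arriving here is new. The prefix lets
    # 'grep SYN_THROTTLE /var/log/kern.log' find exactly these entries, and
    # '-m limit' keeps a flood from filling the log.
    $IPT -A SYN_THROTTLE -m limit --limit 6/min -j LOG \
        --log-prefix "SYN_THROTTLE: "
    $IPT -A SYN_THROTTLE -p tcp -j REJECT --reject-with tcp-reset

    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -m multiport --dports 31923,31924 \
        -m state --state NEW -j SYN_THROTTLE
    # fail2ban's stock iptables actions hook in with 'iptables -I INPUT ...',
    # i.e. at position 1, above the ESTABLISHED rule appended here. Whether
    # that is actually the case on a given box is what the check below tells.
}

# Given the text of 'iptables -S INPUT', succeed (exit 0) when the first jump
# to a fail2ban chain precedes the first ESTABLISHED accept, i.e. a ban also
# drops packets of connections opened before the ban. Handles both chain
# prefixes fail2ban has used ("fail2ban-", "f2b-") and both state matches
# ('-m state --state', '-m conntrack --ctstate').
ban_precedes_established() {
    listing="$1"
    ban_line=$(printf '%s\n' "$listing" | grep -n -E -- '-j (fail2ban|f2b)-' \
        | head -n 1 | cut -d: -f1)
    est_line=$(printf '%s\n' "$listing" \
        | grep -n -E -- '--(ct)?state [A-Z,]*ESTABLISHED' \
        | head -n 1 | cut -d: -f1)
    [ -n "$ban_line" ] && [ -n "$est_line" ] && [ "$ban_line" -lt "$est_line" ]
}

# Live check for a real host (needs root and iptables on PATH).
check_live() {
    ban_precedes_established "$(iptables -S INPUT)"
}

# Constructed sample listings, not captured from a real host. The first is
# what INPUT looks like after fail2ban's '-I INPUT' hook lands above the
# rules from apply_rules; in the second the hook was appended last instead,
# so a banned host's established connections keep flowing.
GOOD_LISTING='-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 31923,31924 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE'

BAD_LISTING='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 31923,31924 -m state --state NEW -j SYN_THROTTLE
-A INPUT -p tcp -m multiport --dports 31923,31924 -j fail2ban-ssh'

apply_rules
if ban_precedes_established "$GOOD_LISTING"; then
    echo "sample 1: ban is enforced on established connections"
fi
if ! ban_precedes_established "$BAD_LISTING"; then
    echo "sample 2: established connections survive the ban"
fi
```

After 'service fail2ban start' on the real host, 'check_live' tells you which of the two situations you are in; if it fails, the fix is to move the fail2ban hook (or use '-I' rather than '-A' for it) so it comes before the ESTABLISHED accept, since the ban rule fail2ban adds to its own chain matches every packet from the banned source and only the position of the jump in INPUT decides whether already-open connections reach it.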