Reco: All of this is an excellent learning opportunity for me. Please bear with me just a bit as I ask the following:
On Sat, 16 Jan 2016 01:55:38 +0300, you wrote:

>A simple solution:
>
>iptables -I INPUT -p dcp -s 59.46.71.0/24 -j DROP

`-p dcp'? The manpage says:

    [!] -p, --protocol protocol
        The protocol of the rule or of the packet to check. The specified
        protocol can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah,
        sctp, mh or the special keyword "all", or it can be a numeric
        value, representing one of these protocols or a different one.
        A protocol name from /etc/protocols is also allowed.
    ...

>A complex one:
>
>iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
>  -m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
>  --hashlimit-mode srcip --hashlimit-name ssh \
>  --hashlimit-htable-expire 60000 -j ACCEPT

    -m, --match match
        Specifies a match to use, that is, an extension module that tests
        for a specific property. The set of matches make up the condition
        under which a target is invoked. Matches are evaluated first to
        last as specified on the command line and work in short-circuit
        fashion, i.e. if one extension yields false, evaluation will stop.

If I understand the above, in this command you are doing something with two rules, `conntrack' and `hashlimit'. But what? Adding them? Setting rule behavior?

>iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
>  -j DROP

    -j, --jump target
        This specifies the target of the rule; i.e., what to do if the
        packet matches it. The target can be a user-defined chain (other
        than the one this rule is in), one of the special builtin targets
        which decide the fate of the packet immediately, or an extension
        (see EXTENSIONS below). If this option is omitted in a rule (and
        -g is not used), then matching the rule will have no effect on the
        packet's fate, but the counters on the rule will be incremented.

So if the inbound packet has some property which matches any of those specified in the `--tcp-flags' list, drop it?

Questions:

How do these commands function to lock out specific addresses or address ranges?

In the `--tcp-flags' list, why is `SYN' mentioned twice?
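Added illustration, not part of the thread and not code from iptables or from the reply quoted above: a small Python model of the two match semantics the questions are about. It works through `--tcp-flags MASK COMP` (why SYN appears twice) and a per-source token bucket in the shape of `-m hashlimit --hashlimit 1/hour --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-htable-expire 60000`, run over constructed connection attempts from made-up addresses. Function names, the sample addresses and the timestamps are my own choices; the rule options are taken from the quoted commands.

```python
# Added example: offline model of two iptables matches from the quoted rules.
# Nothing here talks to a kernel; packets, addresses and timestamps are constructed.

# TCP flag bits as laid out in the header; ALL/NONE keywords follow iptables.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
_ALL = sum(TCP_FLAGS.values())   # iptables "ALL" = FIN,SYN,RST,PSH,ACK,URG


def parse_flags(spec: str) -> int:
    """Turn a flag list such as "SYN,RST,ACK" into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return _ALL
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name.strip()]
    return bits


def tcp_flags_match(packet_flags: str, mask: str, comp: str) -> bool:
    """Model of `--tcp-flags MASK COMP`.

    MASK names the bits the rule looks at; COMP names which of those must be
    set, and every other masked bit must be clear.  Bits outside MASK are
    ignored.  `--tcp-flags SYN,RST,ACK SYN` therefore reads: of SYN, RST and
    ACK, exactly SYN is set, i.e. a bare connection-opening SYN.  SYN shows
    up twice because it is both in the examined set and the required value.
    """
    # Parenthesised: in Python `&` binds more loosely than `==`.
    return (parse_flags(packet_flags) & parse_flags(mask)) == parse_flags(comp)


_UNIT_SECONDS = {"sec": 1, "second": 1, "min": 60, "minute": 60,
                 "hour": 3600, "day": 86400}


class HashLimit:
    """Model of `-m hashlimit --hashlimit-mode srcip`: one token bucket per
    source address.  A bucket starts full (burst tokens), each matching
    packet spends one, and tokens refill at the configured rate.  The match
    succeeds (so the ACCEPT fires) only while a token is available.

    Assumption of this model: an entry idle longer than htable_expire_ms is
    discarded, and the next packet from that source recreates it full.
    """

    def __init__(self, rate: str, burst: int, htable_expire_ms: int):
        count, unit = rate.split("/")
        self.interval = _UNIT_SECONDS[unit] / int(count)  # seconds per token
        self.burst = burst
        self.expire = htable_expire_ms / 1000.0
        self._table: dict = {}  # srcip -> (tokens, last_seen)

    def _expire_idle(self, now: float) -> None:
        stale = [ip for ip, (_, last) in self._table.items()
                 if now - last > self.expire]
        for ip in stale:
            del self._table[ip]

    def match(self, srcip: str, now: float) -> bool:
        self._expire_idle(now)
        tokens, last = self._table.get(srcip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) / self.interval)
        matched = tokens >= 1.0
        if matched:
            tokens -= 1.0
        self._table[srcip] = (tokens, now)
        return matched


def ssh_new_connections_accepted(events) -> dict:
    """Feed (time_s, srcip) NEW connection attempts to port 22 (what
    `-p tcp --dport 22 -m conntrack --ctstate NEW` would select) through the
    quoted rule and return how many each source had ACCEPTed."""
    limiter = HashLimit("1/hour", burst=16, htable_expire_ms=60000)
    accepted: dict = {}
    for t, ip in sorted(events):
        if limiter.match(ip, t):
            accepted[ip] = accepted.get(ip, 0) + 1
    return accepted


if __name__ == "__main__":
    # Constructed traffic: one source hammering, one source connecting once.
    events = [(float(i), "198.51.100.7") for i in range(20)] + [(5.0, "203.0.113.9")]
    print(ssh_new_connections_accepted(events))
    for flags in ("SYN", "SYN,ACK", "ACK", "RST", "SYN,PSH"):
        print(f"{flags:8} -> DROP" if tcp_flags_match(flags, "SYN,RST,ACK", "SYN")
              else f"{flags:8} -> pass")
```

Two things the model makes visible that the rule text does not. First, `--tcp-flags SYN,RST,ACK SYN` ignores flags outside the mask, so a SYN with PSH set still matches while SYN+ACK and bare ACK do not; it selects connection openers only, and the hashlimit rule placed before it is what lets the first sixteen through. Second, in this model an entry that has been idle longer than the 60000 ms `--hashlimit-htable-expire` is dropped and recreated full, so a source that pauses for a minute regains its whole burst despite the nominal 1/hour rate; verify that against the iptables version you run before relying on the hourly figure.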