Hi. On Sat, 16 Jan 2016 12:46:30 -0500 Steve Matzura <numb...@noisynotes.com> wrote:
> On Sat, 16 Jan 2016 20:16:28 +0300, you wrote:
>
> >> What'd I do?
> >>
> >
> >Exactly this:
> >
> >iptables -F INPUT
> >iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
> >    -m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
> >    --hashlimit-mode srcip --hashlimit-name ssh \
> >    --hashlimit-htable-expire 60000 -j ACCEPT
> >iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
> >    -j DROP
> >
> >Note that the order of netfilter rules is top-down (i.e. highest
> >matching rule plays).
> >So, first rule on your current list, namely:
> >
> >-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
> >
> >blocked anyone from using ssh.
>
> I have to tell you, that one *did* look suspicious. Should I remove it
> from the list of iptables commands and re-apply the rest of them?

My bad - I mistook -I (append to head) for -A (append to tail) options.
Correct sequence would be:

iptables -F INPUT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
    -m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
    --hashlimit-mode srcip --hashlimit-name ssh \
    --hashlimit-htable-expire 60000 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
    -j DROP

There's no need to remove anything else by hand as -F should remove everything anyway.
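An added example, written for this page and not part of the thread: a plain sh simulation of how -F, -I and -A order rules in a chain (replaying the two sequences above), plus a small check that an iptables-save dump has the SSH hashlimit ACCEPT rule above the SYN DROP rule. The function names simulate_chain and ssh_order_ok and the two dump excerpts are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: simulate iptables -F / -I / -A ordering
# and check an iptables-save style dump for the SSH rule-order problem
# discussed above (ACCEPT must come before the SYN DROP for port 22).

# simulate_chain: reads lines "F", "I <rule>" or "A <rule>" from stdin (the
# letter is the iptables flag) and prints the resulting chain top-down.
simulate_chain() {
    nl='
'
    chain=''
    while read -r mode rule; do
        case "$mode" in
            F) chain='' ;;                 # -F: flush the chain
            I) chain="$rule$nl$chain" ;;   # -I: new rule becomes the first match
            A) chain="$chain$rule$nl" ;;   # -A: new rule lands after all others
        esac
    done
    printf '%s' "$chain"
}

# ssh_order_ok: reads an iptables-save dump from stdin and returns 0 only if
# the first INPUT rule accepting --dport 22 precedes the first one dropping it.
ssh_order_ok() {
    awk '
        /^-A INPUT / && /--dport 22/ && /-j ACCEPT/ && !acc { acc = NR }
        /^-A INPUT / && /--dport 22/ && /-j DROP/   && !drp { drp = NR }
        END { exit !(acc && drp && acc < drp) }
    '
}

# Constructed iptables-save excerpts (hashlimit options abbreviated to the
# ones that matter here). BROKEN_DUMP mirrors the chain the -I sequence
# produced; FIXED_DUMP mirrors the chain the -A sequence produces.
BROKEN_DUMP='-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit 1/hour --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT'
FIXED_DUMP='-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit 1/hour --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP'

# Replay the two command sequences from the thread with shortened rule names.
echo "with -I (original):";  printf 'F\nI ssh-hashlimit-ACCEPT\nI ssh-SYN-DROP\n' | simulate_chain
echo "with -A (corrected):"; printf 'F\nA ssh-hashlimit-ACCEPT\nA ssh-SYN-DROP\n' | simulate_chain
```

ssh_order_ok only compares the position of the two SSH rules; it says nothing about the INPUT chain's default policy, which -F leaves unchanged.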