Change history
Correction by andrew667, (current version):
Chain INPUT (policy DROP 8601 packets, 486K bytes)
num pkts bytes target prot opt in out source destination
1 5838 1312K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 11M 1017M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 5 264 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 recent: SET name: ssh side: source
4 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 recent: CHECK seconds: 60 hit_count: 3 name: ssh side: source
5 9611 464K tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
6 2630K 168M udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|00ff0001|" ALGO name bm FROM 1 TO 65535 recent: SET name: dnsany side: source
7 63698 4051K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|00ff0001|" ALGO name bm FROM 1 TO 65535 recent: CHECK seconds: 60 hit_count: 3 name: dnsany side: source
8 15M 961M udp_packets udp -- * * 0.0.0.0/0 0.0.0.0/0
9 2361 149K icmp_packets icmp -- * * 0.0.0.0/0 0.0.0.0/0
10 190 10391 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
2 23M 33G ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
3 5838 1312K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Chain allowed (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 2197 122K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
2 26 12179 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
Chain tcp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 12 828 ACCEPT tcp -- * * 1.2.3.192/26 0.0.0.0/0
2 1891 105K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
Chain udp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 160K 12M ACCEPT udp -- * * 1.2.3.192/26 0.0.0.0/0
2 14M 949M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Besides that, a dnsany file gets created in /proc/net/xt_recent, and there are lots of IPs in it, but the ones I run my control test from don't end up in that list. I've already reduced the time down to a minute. The SSH ban works. For what it's worth, 1.2.3.192/26 is a network I altered so as not to expose it.
Correction by andrew667, :
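An added example, not part of andrew667's post: a Python model of how rules 6 and 7 above behave, built on the xt_recent semantics that matter when a source that does send ANY queries is missing from /proc/net/xt_recent/dnsany. Two things worth checking in that situation: an xt_recent table holds at most ip_list_tot entries (a module parameter of xt_recent, default 100) and evicts the least recently used entry when it is full, so under an ANY-query flood from many distinct sources an entry can be evicted long before its third hit within 60 seconds; and a UDP flow that conntrack already considers ESTABLISHED (the client reused the same source port after the server's first reply) matches rule 2 and never reaches rule 6. The DNS query builder, the tester address 198.51.100.7, the 100.64.0.0/10 flood sources and the timestamps are constructed for this example; the string match is applied to the DNS payload only, whereas xt_string in INPUT scans from the start of the IP packet.

```python
"""
Model of the INPUT-chain rules from the post that see a UDP/53 DNS ANY query:
rule 6 (string match "|00ff0001|" + recent --set --name dnsany) and rule 7
(recent --rcheck --seconds 60 --hitcount 3 -> DROP), with the two xt_recent
limits: ip_list_tot entries per table (default 100, LRU entry evicted when
full) and ip_pkt_list_tot timestamps per entry (default 20).
All traffic below is constructed sample input.
"""
import ipaddress
import struct
from collections import OrderedDict

ANY_PATTERN = bytes.fromhex("00ff0001")  # QTYPE=ANY (255) followed by QCLASS=IN (1)
TESTER = "198.51.100.7"                   # constructed: the host running the control test
FLOOD_BASE = int(ipaddress.IPv4Address("100.64.0.0"))  # constructed flood sources start here


def dns_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, QDCOUNT=1) plus one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(label)) + label.encode() for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def string_match(packet: bytes, pattern: bytes, frm: int = 1, to: int = 65535) -> bool:
    """xt_string: does the pattern occur within byte offsets [frm, to) of the packet?"""
    return packet.find(pattern, frm, to) != -1


class RecentTable:
    """One xt_recent table, i.e. what /proc/net/xt_recent/<name> lists."""

    def __init__(self, ip_list_tot: int = 100, ip_pkt_list_tot: int = 20):
        self.ip_list_tot = ip_list_tot
        self.ip_pkt_list_tot = ip_pkt_list_tot
        self.entries = OrderedDict()  # src -> [timestamps]; LRU order, oldest entry first

    def set(self, src: str, now: float) -> None:
        """--set: stamp src, creating its entry; evict the LRU entry when the table is full."""
        if src not in self.entries:
            if len(self.entries) >= self.ip_list_tot:
                self.entries.popitem(last=False)
            self.entries[src] = []
        stamps = self.entries[src]
        stamps.append(now)
        del stamps[:-self.ip_pkt_list_tot]  # ring buffer: keep the last ip_pkt_list_tot stamps
        self.entries.move_to_end(src)

    def rcheck(self, src: str, now: float, seconds: float, hitcount: int) -> bool:
        """--rcheck --seconds S --hitcount N: src is listed with >= N stamps in the last S seconds."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        return sum(1 for t in stamps if now - t <= seconds) >= hitcount


def input_chain(table: RecentTable, src: str, payload: bytes, now: float,
                established: bool = False) -> str:
    """Rules 2, 6, 7 and 8 of the post's INPUT chain, for one inbound UDP/53 datagram."""
    if established:                                          # rule 2: state RELATED,ESTABLISHED
        return "ACCEPT (rule 2, ESTABLISHED)"
    if string_match(payload, ANY_PATTERN):                   # rule 6: string match, recent --set
        table.set(src, now)
        if table.rcheck(src, now, seconds=60, hitcount=3):   # rule 7: recent --rcheck -> DROP
            return "DROP (rule 7, dnsany)"
    return "udp_packets"                                     # rule 8: on to the udp_packets chain


def scenario_quiet() -> tuple:
    """Few sources: an A query is never recorded; the third ANY query inside 60 s is dropped."""
    t = RecentTable()
    a_verdict = input_chain(t, TESTER, dns_query("example.com", 1), 0)
    any_verdicts = [input_chain(t, TESTER, dns_query("example.com", 255), now)
                    for now in (5, 15, 25)]
    return a_verdict, any_verdicts, len(t.entries[TESTER])


def scenario_flood(background_sources: int = 5000) -> tuple:
    """Same three queries, but thousands of other sources each send one ANY query in
    between: the 100-entry table churns and the tester's entry is evicted every time."""
    t = RecentTable()
    q = dns_query("example.com", 255)
    verdicts = []
    for round_no, now in enumerate((5, 15, 25)):
        verdicts.append(input_chain(t, TESTER, q, now))
        for n in range(background_sources):  # constructed flood, fresh addresses every round
            src = str(ipaddress.IPv4Address(FLOOD_BASE + round_no * background_sources + n))
            input_chain(t, src, q, now + 1)
    return verdicts, TESTER in t.entries, len(t.entries)


def scenario_reused_socket() -> tuple:
    """Client keeps one UDP socket: after the server's first reply conntrack marks the flow
    ESTABLISHED, so rule 2 accepts the later queries before rule 6 can record them."""
    t = RecentTable()
    q = dns_query("example.com", 255)
    verdicts = [input_chain(t, TESTER, q, 5)]
    verdicts += [input_chain(t, TESTER, q, now, established=True) for now in (15, 25, 35)]
    return verdicts, len(t.entries[TESTER])


if __name__ == "__main__":
    print(scenario_quiet())
    print(scenario_flood())
    print(scenario_reused_socket())
```

Running it prints the three scenarios: on a quiet box the third ANY query in the window is dropped; under a flood of distinct sources the tester is never in the table when its next query arrives and the table sits at its 100-entry cap; with a reused socket only the first query is ever stamped. The limits on a real host are visible under /sys/module/xt_recent/parameters/ (ip_list_tot, ip_pkt_list_tot) and are read-only there, so a bigger table means reloading xt_recent with the parameter set (an options line in /etc/modprobe.d). Two further checks that follow directly from the ruleset above: a query sent over TCP (dig +tcp) goes to tcp_packets and is never seen by rules 6 and 7, and a query from 127.0.0.1 is accepted by rule 1 before anything else.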
Chain INPUT (policy DROP 8601 packets, 486K bytes)
num pkts bytes target prot opt in out source destination
1 5838 1312K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 11M 1017M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 5 264 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 recent: SET name: ssh side: source
4 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 recent: CHECK seconds: 60 hit_count: 3 name: ssh side: source
5 9611 464K tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
6 2630K 168M udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|00ff0001|" ALGO name bm FROM 1 TO 65535 recent: SET name: dnsany side: source
7 63698 4051K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|00ff0001|" ALGO name bm FROM 1 TO 65535 recent: CHECK seconds: 60 hit_count: 3 name: dnsany side: source
8 15M 961M udp_packets udp -- * * 0.0.0.0/0 0.0.0.0/0
9 2361 149K icmp_packets icmp -- * * 0.0.0.0/0 0.0.0.0/0
10 190 10391 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
2 23M 33G ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
3 5838 1312K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Chain allowed (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 2197 122K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
2 26 12179 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
Chain tcp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 12 828 ACCEPT tcp -- * * 1.2.3.192/26 0.0.0.0/0
2 1891 105K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
Chain udp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 160K 12M ACCEPT udp -- * * 1.2.3.192/26 0.0.0.0/0
2 14M 949M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Besides that, a dnsany file gets created in /proc/net/xt_recent, and there are lots of IPs in it, but the ones I run my control test from don't end up in that list. I've already reduced the time down to a minute. The SSH ban works.
Original version by andrew667, :
Chain INPUT (policy DROP 8601 packets, 486K bytes)
num pkts bytes target prot opt in out source destination
1 5838 1312K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 11M 1017M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 5 264 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 recent: SET name: ssh side: source
4 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 recent: CHECK seconds: 60 hit_count: 3 name: ssh side: source
5 9611 464K tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
6 2630K 168M udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|00ff0001|" ALGO name bm FROM 1 TO 65535 recent: SET name: dnsany side: source
7 63698 4051K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|00ff0001|" ALGO name bm FROM 1 TO 65535 recent: CHECK seconds: 60 hit_count: 3 name: dnsany side: source
8 15M 961M udp_packets udp -- * * 0.0.0.0/0 0.0.0.0/0
9 2361 149K icmp_packets icmp -- * * 0.0.0.0/0 0.0.0.0/0
10 190 10391 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
2 23M 33G ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
3 5838 1312K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Chain allowed (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 2197 122K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
2 26 12179 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
Chain tcp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 12 828 ACCEPT tcp -- * * 1.2.3.192/26 0.0.0.0/0
2 1891 105K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
Chain udp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 160K 12M ACCEPT udp -- * * 1.2.3.192/26 0.0.0.0/0
2 14M 949M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53