From 90ea2a4a5a95f625cef1975703598b2233b1a092 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 20 Nov 2005 21:25:41 +0000 Subject: [PATCH] Add connection-limiting per-IP example -- take 2 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3041 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/PortKnocking.xml | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/Shorewall-docs2/PortKnocking.xml b/Shorewall-docs2/PortKnocking.xml index 4c5a30146..c7266b40f 100644 --- a/Shorewall-docs2/PortKnocking.xml +++ b/Shorewall-docs2/PortKnocking.xml @@ -132,7 +132,7 @@ SSHKnock net loc:192.168.1.5 tcp 22 - Limiting Per-IP Connection Rate Suppose that you wish to limit the number of connections to port 22 - to 3/minute from internet host. + to 3/minute from individual internet hosts to the firewall. @@ -156,13 +156,32 @@ run_iptables -A $CHAIN -m recent --name SSHA --seconds 60 --hitcount 3 -j reject Add this rule to /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT(S) -SSHLimit net all tcp 22 +SSHLimit net $FW tcp 22 If you wish to log the rejects at the 'info' level then use this rule instead: #ACTION SOURCE DEST PROTO DEST PORT(S) -SSHLimit:info net all tcp 22 +SSHLimit:info net $FW tcp 22 + + + + If you wish to use SSHLimit with a forwarded connection, you + must be using Shorewall 2.3.1 or later for fullest protection. Assume + that you forward port 22 from external IP address 206.124.146.178 to + internal system 192.168.1.5. In /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL +# PORT(S) DEST +DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178 +SSHLimit net loc:192.168.1.5 tcp 22 - 206.124.146.178 + + + You can use SSHLimit with DNAT on earlier releases provided + that you omit the ORIGINAL DEST entry on the second SSHLimit rule. + This rule will be quite secure provided that you specify 'norfc1918' + on your external interface. +
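Review bot: In the second hunk, "the second SSHLimit rule" in the closing paragraph is ambiguous, because the example shows one DNAT- rule followed by a single SSHLimit rule; suggest "the SSHLimit rule (the second rule above)". The same paragraph tells readers of pre-2.3.1 releases to omit the ORIGINAL DEST entry but does not say what protection is lost: a sentence noting that without `206.124.146.178` in ORIGINAL DEST the rule `SSHLimit net loc:192.168.1.5 tcp 22` limits all tcp/22 traffic from net to 192.168.1.5 regardless of the address it was originally sent to would make the 'norfc1918' recommendation that follows understandable rather than appearing unmotivated. Finally, the change from `all` to `$FW` in the two earlier rules is consistent with the first hunk's "to the firewall" wording, but the text between them should be checked so it no longer implies the limit covers forwarded connections by default.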