Page 2 of 2 FirstFirst 12
Results 11 to 15 of 15

Thread: fail2ban configuration

  1. #11
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,605
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: fail2ban configuration

    "-m !limit --limit 30/minute -j DROP"

    I don't think you can write your rule that way -- I think it would be

    ! -m limit --limit 30/minute -j DROP

    However this is just the double negative of the former statement:

    -m limit --limit 30/minute -j ACCEPT

    Both do the same. When you write your iptables ruleset (you initially feed in your iptables rules through a script), you usually specify a default policy for the input/output/forward chain. There are two basic schools of thought -- allow everything and write rules to DROP packets, or allow nothing (default policy drop) and then write rules that would explicitly allow packets.

    Referring to the statements above -- your double negative statement would be more appropriate with a default ACCEPT policy whereby the 2nd rule would be more appropriate with a default DROP policy.

    I hope that might help you. Have you seen examples of script files set up to populate iptables?

  2. #12
    Join Date
    Mar 2008
    Beans
    33

    Re: fail2ban configuration

    Quote Originally Posted by kevdog
    "-m !limit --limit 30/minute -j DROP"

    I don't think you can write your rule that way -- I think it would be

    ! -m limit --limit 30/minute -j DROP

    However this is just the double negative of the former statement:

    -m limit --limit 30/minute -j ACCEPT

    Both do the same. When you write your iptables ruleset (you initially feed in your iptables rules through a script), you usually specify a default policy for the input/output/forward chain. There are two basic schools of thought -- allow everything and write rules to DROP packets, or allow nothing (default policy drop) and then write rules that would explicitly allow packets.

    Referring to the statements above -- your double negative statement would be more appropriate with a default ACCEPT policy whereby the 2nd rule would be more appropriate with a default DROP policy.

    I hope that might help you. Have you seen examples of script files set up to populate iptables?
    kevdog, I have not seen many examples of script files yet. I'm still in my infancy of understanding iptables. However, I think we are saying the same thing. I'm trying to understand the rule-specification suggested by HermanAB (post #2), instead of just blindly copying it.

    I think what HermanAB failed to mention is that his rule-specification would require that the default policy for the INPUT chain is DROP. Otherwise (assuming that this is the only rule) after the limit is reached, and iptables cannot find a rule-specification to match the packet, the default policy would be to ALLOW anyway. Which means that with "-m limit --limit 30/minute -j ACCEPT" and default policy = ALLOW, we are doing absolutely nothing.

    The reason I bring this up is because the default policy in iptables is ALLOW, and HermanAB never mentioned that his rule-specification would work only if the user actively changes the default policy to DROP.

  3. #13
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,605
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: fail2ban configuration

    I see your point. I'm sorry he wasn't more complete. It seems you are starting to grasp the use of iptables. When using iptables, I always set my default policy as DROP. Sometimes this detail is overlooked when you are discussing specific rules.

  4. #14
    Join Date
    Mar 2008
    Beans
    33

    Re: fail2ban configuration

    Quote Originally Posted by kevdog
    I see your point. I'm sorry he wasn't more complete. It seems you are starting to grasp the use of iptables. When using iptables, I always set my default policy as DROP. Sometimes this detail is overlooked when you are discussing specific rules.
    I think most users configure the firewall with the policy changed to DROP. I think that this is viewed as "turning on" the firewall. I understand that this is not the case, since iptables is never "off," it's just not doing anything by default.

    I want to stick with policy set to ACCEPT by default because I just want to protect against brute force on an open port, and let the router firewall take care of the rest. The trick is how to use the limit module when the policy on the chain is set to ACCEPT.

  5. #15
    Join Date
    Mar 2008
    Beans
    33

    Re: fail2ban configuration

    OK so the correct format to negate the limit is as follows:

    "-m limit ! --limit 5/s"

    The negate sign ("!") comes before --limit.

    This means that the rule will match after the limit is reached. This would be useful if the policy on that chain is set to ACCEPT, and you set the target for this rule to DROP. So, to say it another way, the rule would say "do not drop (i.e., do not match) until the limit is breached. After that limit, match the packet and drop it."

    My source for this information is the iptables tutorial.

    So to recap: The "-m limit ! --limit 5/s" means do not match until the limit is reached, after which you can drop (-j DROP).

    The other rule "-m limit --limit 5/s" means match up to the limit, but not after.
    Last edited by Stvnx7; February 27th, 2012 at 07:34 PM.
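The two rule placements argued out in this thread, kevdog's point in #11 that the plain limit match only makes sense under a DROP policy and Stvnx7's negated match in #15 for an ACCEPT policy, side by side as an added example. This is not code from the thread or from any of its posters. It assumes SSH on TCP/22 (the thread never names the port), the 5/s rate from #15 with the limit match's default burst of 5, and rulesets written in iptables-restore format; nothing is applied to a live firewall, the functions only emit text and simulate the match so the two forms can be compared offline. The token-bucket simulation is a simplified model of the kernel limit match, not its source.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: TCP/22, 5/s, burst 5.
PORT=22
RATE_PER_SEC=5
BURST=5

# Variant A: INPUT policy ACCEPT (what Stvnx7 wants). "-m limit ! --limit"
# matches only the packets ABOVE the rate, and those are dropped; everything
# within the rate matches no rule and falls through to the ACCEPT policy.
ruleset_policy_accept() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport $PORT -m conntrack --ctstate NEW -m limit ! --limit ${RATE_PER_SEC}/s -j DROP
COMMIT
EOF
}

# Variant B: INPUT policy DROP (kevdog's setup). The plain limit match ACCEPTs
# new connections within the rate; anything above it matches no rule and is
# dropped by the policy. Loopback and established traffic must be let in
# explicitly, otherwise the DROP policy cuts them off too.
ruleset_policy_drop() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $PORT -m conntrack --ctstate NEW -m limit --limit ${RATE_PER_SEC}/s -j ACCEPT
COMMIT
EOF
}

# Lint for the placement of "!" that posts #11 and #12 got wrong:
# the negation goes between "-m limit" and "--limit", nowhere else.
limit_negation_ok() {
    case "$1" in
        *"-m limit ! --limit "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Simplified token bucket for "-m limit --limit RATE_PER_SEC/s --limit-burst BURST":
# credit is measured in milliseconds, one token costs 1000/rate ms, the bucket
# starts full and refills with wall-clock time, capped at burst tokens.
# Arguments: packet arrival times in ms (non-decreasing). Prints one letter per
# packet: M = the plain rule matches, N = it does not.
limit_match_sequence() {
    interval=$((1000 / RATE_PER_SEC))
    cap=$((BURST * interval))
    credit=$cap
    last=0
    out=""
    for t in "$@"; do
        credit=$((credit + t - last))
        last=$t
        if [ "$credit" -gt "$cap" ]; then
            credit=$cap
        fi
        if [ "$credit" -ge "$interval" ]; then
            credit=$((credit - interval))
            out="${out}M"
        else
            out="${out}N"
        fi
    done
    printf '%s\n' "$out"
}

# The negated rule "-m limit ! --limit" is the exact complement: it matches
# precisely the packets the plain rule lets through the bucket unmatched.
negated_limit_match_sequence() {
    limit_match_sequence "$@" | tr 'MN' 'NM'
}

# Stand-alone run: show both rulesets and a burst of 7 packets at t=0 followed
# by one a second later (constructed sample arrival times).
ruleset_policy_accept
echo
ruleset_policy_drop
echo
echo "plain   -m limit --limit:   $(limit_match_sequence 0 0 0 0 0 0 0 1000)"
echo "negated -m limit ! --limit: $(negated_limit_match_sequence 0 0 0 0 0 0 0 1000)"
```

The simulation makes Stvnx7's recap concrete: with burst 5 the plain rule matches the first five packets of a burst and then one more every 200 ms, and the negated rule matches exactly the remainder, which is why variant A drops and variant B accepts on the same boundary. One caveat to keep in mind when choosing this over fail2ban: the limit match keeps a single counter for the rule, not one per source address, so a burst from one host uses up the allowance for everyone hitting that port.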
