View full version : IPTABLES problem or fault?

newbiefan
17-05-2009, 19:59
Well, I'm running vsftpd, lighttpd and ssh on my asus wl500gP in AP Mode, behind a fritzbox modem/router/voip. Ports 21, 22 and 80 are forwarded to the asus wl500gP. Everything works fine and stable.
In order to get rid of my beloved script kiddies and several hackers, I started iptables on my asus, because avoiding access from several IPs as well as brute force (with ipt_recent) should be easily possible. Everything works just perfectly, even ipt_recent (thanks al37919!) - when I test it, it seems to work stably at any time.

And in case I missed something (I'm not an iptables expert), I wrote a script which just adds an IP to a block list when something is wrong with an access, like 3 times a message like "non existing user".

Yesterday I recognized that the complete subnet of a hacker is already blocked; furthermore my script realized that something is wrong and has blocked the IP again - but nothing happens!

As you can see in an excerpt of my logfile, access from this IP is still possible, even after double blocking! And to show you that everything is ok with the iptables config, I've added the output of 'iptables -n -L'.

Does anybody know what's going on? What am I doing wrong?
When I test it with my mobile modem, it works!
How can an IP 220.x.x.x come through when it's already blocked?

Any help is appreciated.

Newbiefan

wpte
18-05-2009, 18:34
What about your post-firewall script?

I do have to admit I had the same problem with FTP, but I fixed that by turning on the anti brute force mode in the firewall (webadmin).

newbiefan
18-05-2009, 21:22
What about your post-firewall script?

Hi wpte!
There is just one problem: in AP Mode there is no webif firewall.
And I start my firewall script after all services - I will change it later - it's still under testing.

Well, script kiddies are smart - hence I had to be better - and I've done it the tricky way. I really like the so-called bad guys - they allow me to optimize my iptables setup without paying even a cent - look, the best test situation you can imagine, free of charge!
And I can tell you so far - I caught them - I'm able to block them whenever and however I want. And every day/night I get more info free of charge. When I've finished this setup (shortly), I'll write a howto about it. This setup is usable in any firewalled router mode as well as in AP mode, because it is based on the INPUT chain only.
The only part that I do not know until now is the fact that they can somehow "bypass" a reject list. Maybe they work with different flags, but in any case they do not have an invalid state. It is very interesting anyway, and very useful, at least a lot of information.
The only point that makes me angry is sometimes my lowered bandwidth.
Thanks anyway wpte, soon I'll do something......
Have a nice evening!
newbiefan

newbiefan
21-05-2009, 16:01
Sorry guys, it was my mistake - I misunderstood something.

Just fyi:
never use MAC rules for sources outside of your network!
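The reason behind that last line: the Ethernet source MAC is rewritten at every hop, so on the WAN side the router only ever sees the MAC of the upstream gateway (here the fritzbox). An iptables rule with `-m mac --mac-source` therefore never matches a remote 220.x.x.x host, whereas `-s` matches the IP header, which survives routing. The following script is an added example, not newbiefan's own script (the thread does not show it) and not part of the original posts. It does what the first post describes, counting failed logins per source address and producing block rules once a threshold is reached, but it matches on the IP address only. It assumes a vsftpd-style log whose failed-login lines read `FAIL LOGIN: Client "a.b.c.d"`; the sample log lines and the addresses in them are constructed for the example (documentation and private ranges, not real hosts).

```shell
#!/bin/sh
# Added example (not the thread's own script): count failed FTP logins per
# source IP in a vsftpd-style log and emit iptables rules matching on the
# source IP. A MAC match (-m mac --mac-source) cannot work for hosts outside
# the local segment: every packet arriving from the WAN carries the upstream
# gateway's MAC, not the remote host's.

THRESHOLD=3   # failures per IP before the address is blocked

# Constructed sample log; addresses are documentation/private ranges.
write_sample_log() {
    cat > "$1" <<'EOF'
Tue May 19 20:01:02 2009 [pid 1201] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue May 19 20:01:05 2009 [pid 1203] [root] FAIL LOGIN: Client "203.0.113.7"
Tue May 19 20:01:09 2009 [pid 1205] [test] FAIL LOGIN: Client "203.0.113.7"
Tue May 19 20:02:11 2009 [pid 1210] [newbiefan] OK LOGIN: Client "192.168.1.20"
Tue May 19 20:03:40 2009 [pid 1215] [guest] FAIL LOGIN: Client "198.51.100.9"
Tue May 19 20:03:44 2009 [pid 1217] [guest] FAIL LOGIN: Client "198.51.100.9"
EOF
}

# Print every source IP with at least THRESHOLD failed logins, one per line.
offenders() {
    grep 'FAIL LOGIN' "$1" \
      | sed 's/.*Client "\([0-9.]*\)".*/\1/' \
      | sort | uniq -c \
      | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# Emit (do not run) one DROP rule per offender. "-I INPUT" inserts at the top
# of the chain so the rule is evaluated before any ACCEPT; "-s" matches the IP
# header, which is what a remote host actually presents.
block_rules() {
    offenders "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# True if the live INPUT chain already drops this address (needs root and
# iptables on the box); avoids the "double blocking" seen in the thread.
already_blocked() {
    iptables -n -L INPUT 2>/dev/null | grep -q "DROP.*[[:space:]]$1[[:space:]]"
}

# Stand-alone run: use the log given as $1, or generate the sample log.
LOG="${1:-${TMPDIR:-/tmp}/vsftpd.sample.log}"
[ -f "$LOG" ] || write_sample_log "$LOG"
block_rules "$LOG"
```

Run as `sh blocklist.sh /var/log/vsftpd.log` on the router to see which rules would be added; pipe the output to `sh` only after checking it, and call `already_blocked` first if the script is run from cron, so an address is not inserted twice.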