
Originally Posted by
lly
Which older version exactly? Can you provide your rule, just for information?
P.S. ipt_recent was modified in r1393
it never worked as far as I can see
When I turned on the protection in the web-gui it doesn't open the port.
Then when I make a rule for accepting port 22, the port is unprotected.
Then I tried my old iptables, which portforwards and use tarpit and ipt_recent
Code:
#!/bin/sh
WANIF=vlan2
LANIP=`nvram get wan_ipaddr_t`
# deleting last firewal rules (policy)
iptables -D INPUT -j DROP
# Drop previous offenders - you dont want them in your net at all!
iptables -N BANDITDROP
iptables -A INPUT -m recent --rcheck --name BRUTE -j BANDITDROP
iptables -A FORWARD -m recent --rcheck --name BRUTE -j BANDITDROP
iptables -A BANDITDROP -m recent --update --seconds 3600 --rttl --name BRUTE -j LOG --log-prefix "Bandit DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A BANDITDROP -j REJECT --reject-with icmp-net-unreachable
# Detect port scan
iptables -N PORTSCANDROP
iptables -A INPUT -i ${WANIF} -m psd -j PORTSCANDROP
iptables -A PORTSCANDROP -m recent --set --name BRUTE
iptables -A PORTSCANDROP -m recent --update --seconds 3600 --rttl --name BRUTE -j LOG --log-prefix "Port_Scan DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A PORTSCANDROP -j REJECT --reject-with icmp-net-unreachable
# FTP server with brute force prevention
iptables -N FTPFORCEDROP
iptables -N FTPACCEPT
iptables -A INPUT -m tcp -p tcp --dport 21 -m state --state NEW -m limit --limit 3/min --limit-burst 2 -j FTPACCEPT
iptables -A INPUT -m tcp -p tcp --dport 21 -j FTPFORCEDROP
iptables -A FTPFORCEDROP -m recent --set --name BRUTE
iptables -A FTPFORCEDROP -m recent --update --seconds 3600 --rttl --name BRUTE -j LOG --log-prefix "FTP_Brute_Force DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A FTPFORCEDROP -p tcp -j TARPIT
iptables -A FTPFORCEDROP -j REJECT --reject-with icmp-proto-unreachable
iptables -A FTPACCEPT -j LOG --log-prefix "FTP ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A FTPACCEPT -j ACCEPT
iptables -t nat -A PREROUTING -i ${WANIF} -p tcp --dport 21 -j DNAT --to-destination ${LANIP}:21
# SSH server with brute force prevention
iptables -N SSHFORCEDROP
iptables -N SSHACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 2 -j SSHACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -j SSHFORCEDROP
iptables -A SSHFORCEDROP -m recent --set --name BRUTE
iptables -A SSHFORCEDROP -m recent --update --seconds 3600 --rttl --name BRUTE -j LOG --log-prefix "SSH_Brute_Force DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A SSHFORCEDROP -p tcp -j TARPIT
iptables -A SSHFORCEDROP -j REJECT --reject-with icmp-proto-unreachable
iptables -A SSHACCEPT -j LOG --log-prefix "SSH ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A SSHACCEPT -j ACCEPT
iptables -t nat -A PREROUTING -i ${WANIF} -p tcp --dport 22 -j DNAT --to-destination ${LANIP}:22
# Restablishing INPUT chain policy
iptables -A INPUT -j DROP
the ones that sort of work like I described before.
I'm not sure who gave them to me... I believe it was tamadite, and they worked well on the wl-500w
happy easter btw (for the people who celebrate it
)