So this is what I use in pf:
Code:
table <oloadtbl> persist
pass in log on $if proto tcp from any to $ip1 port ssh keep state \
(max 30 max-src-conn 29 max-src-conn-rate 30/60 source-track overload <oloadtbl> flush global)
And cron does:
Code:
* * * * * root /sbin/pfctl -t oloadtbl -T expire 600 > /dev/null 2>&1
So the question is: how do I accomplish the same with iptables? I can't seem to figure that out.
I found some solutions in teh interwebz, but to be honest, I don't quite understand them and I'm not going to copy/paste stuff I don't understand from sites I've never heard of.
For example from
http://www.cyberciti.biz/tips/howto-...n-attacks.html
Code:
iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
What does -s 0/0 do? Does this match any address? No address at all?
Why is the source port defined? Is that necessary?
Why do you explicitly give the states? And why NEW and ESTABLISHED and not just one?
Is this *really* the easiest and most straightforward way to accomplish this?
... Maybe someone with more experience can explain this to me ...
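As an added example (not from the post above or the linked site), here is one way to express the pf overload rule with iptables' "recent" match. The chain names SSH_LIMIT/SSH_BLOCK, the list names sshrate/sshblock and the IPT variable are my own choices; it assumes a kernel with xt_recent and the conntrack match.

```shell
#!/bin/sh
# Added example, not the original poster's code: iptables counterpart of
#   max-src-conn-rate 30/60 overload <table>  +  pfctl -T expire 600
# Set IPT=echo for a dry run that only prints the rules.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
RATE_WINDOW=60      # seconds, from max-src-conn-rate 30/60
RATE_HITS=30        # the 30th new connection inside the window trips it
BLOCK_SECONDS=600   # from the cron job: pfctl -T expire 600

# NOTE: xt_recent keeps only 20 timestamps per address by default, so a
# --hitcount above 20 needs:  modprobe xt_recent ip_pkt_list_tot=30
ssh_ratelimit_rules() {
    $IPT -N SSH_LIMIT
    $IPT -N SSH_BLOCK
    # Every new SSH connection is checked in SSH_LIMIT first
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_LIMIT
    # Whatever came back from SSH_LIMIT is allowed (the pf "pass")
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # Already on the block list and younger than BLOCK_SECONDS: drop.
    # --rcheck does not refresh the timestamp, so the block ends 600 s after
    # it was set, like the expire cron; --reap purges stale entries for us.
    $IPT -A SSH_LIMIT -m recent --name sshblock --rcheck --seconds "$BLOCK_SECONDS" --reap -j DROP
    # Record this attempt, then count attempts from the same source in the window
    $IPT -A SSH_LIMIT -m recent --name sshrate --set
    $IPT -A SSH_LIMIT -m recent --name sshrate --update --seconds "$RATE_WINDOW" --hitcount "$RATE_HITS" -j SSH_BLOCK
    $IPT -A SSH_LIMIT -j RETURN

    # Offender: put it on the block list (the pf "overload <table>") and drop.
    # pf's "flush global" has no rule-level equivalent; existing sessions of
    # the offender keep running unless you kill them with conntrack(8).
    $IPT -A SSH_BLOCK -m recent --name sshblock --set -j DROP
}

if [ "${1:-}" = apply ]; then
    ssh_ratelimit_rules
fi
```

The kernel exposes both lists as /proc/net/xt_recent/sshrate and /proc/net/xt_recent/sshblock, which is the iptables equivalent of pfctl -t oloadtbl -T show.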