iptables: block source-ip after connecto port

[Reindl Harald]

Am 04.01.2012 09:29, schrieb Patrick Lists:
> On 04-01-12 06:54, Reindl Harald wrote:
>> hi
>>
>> i would like to drop all icoming packets of any ip tried
>> to connect to telnet (port 23) which is meant as trap
>> for port-scans, there are some samples out there but i got
>> none of them working until now :-(
>>
>> iptables -N port-scan
>> iptables -A port-scan -p tcp --dport 23 --tcp-flags ALL SYN -m limit --limit 3/m --limit-burst 5 -j LOG
>> --log-prefix "portscan trap: "
>> iptables -A port-scan -p tcp --dport 23 --tcp-flags ALL SYN -m recent --update --seconds 60 -j RETURN
>> iptables -A port-scan -j DROP
> 
> Don't have much experience with iptables but shouldn't the rule apply to the INPUT filter? So, taking your rules,
> something like this:
> 
> iptables -N port-scan
> iptables -A port-scan -p tcp --dport 23 --tcp-flags ALL SYN -m limit --limit 3/m --limit-burst 5 -j LOG
> --log-prefix "portscan trap: "
> iptables -A INPUT -j port-scan

this does not work (this is only the logline)

i do not want to block (only) port 23, syn-packet on port 23 should be
the trigger to block the remote-address on ALL incoming ports for 60
seconds and have no idea how to define this
____________________

it does even not drop port 23 and if it would it can this
way not define drop packets to all other ports
the first line is only logging..............

iptables -N port-scan
iptables -A port-scan -p tcp --dport 23 --tcp-flags ALL SYN -m limit --limit 3/m --limit-burst 5 -j LOG
--log-prefix "portscan trap: "
iptables -A port-scan -p tcp --dport 23 --tcp-flags ALL SYN -m recent --update --seconds 60 -j DROP
iptables -A INPUT -j port-scan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20120104/0fa01497/attachment.sig>