Hi Darrell. I'm not an expert on the subject of firewalls, but I'll share my
experience on how I had to keep these people (most notably the Russians and
a good portion of the Asia Pacific Network) out.
First, as someone told me to do, and which made a major difference: take
the file /etc/cron.hourly/log_traffic and move it somewhere else or delete it
altogether.
Now when you edit your /etc/sysconfig/iptables file, your edits will stay
there regardless of reboots, etc.
As for what to put in the firewall, here is a sample of the way that I have
mine laid out, and it has worked like a champ. My log files have gone from
many pages long to only a couple of pages.
----------------------------------------------------------------
# Generated by iptables-save v1.2.11 on Tue May 20 08:28:34 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:acctin - [0:0]
:acctout - [0:0]
-A INPUT -s 59.0.0.0/255.0.0.0 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 79.0.0.0/255.0.0.0 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j acctin
-A OUTPUT -j acctout
-A acctin -d xx.xx.xx.xx/32
-A acctout -s xx.xx.xx.xx/32
-A acctin -d 127.0.0.1/32
-A acctout -s 127.0.0.1/32
COMMIT
# Completed on Tue May 20 08:28:34 2008
----------------------------------------------------------------
Doug
Sleepycathosting.com
-----Original Message-----
From: Darrell D. Mobley [mailto:dmobley (at mark) uhostme.com]
Sent: Thursday, May 22, 2008 11:52 AM
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:13045] Confused...
I have a given IP address from Australia that has been HTTP flooding my site
a couple of times, and I have added the IP address to my IPTables. I can
see it in the IPTables listing:
DROP all -- 60-240-249-207.tpgi.com.au anywhere
DROP all -- 60-240-249-206.tpgi.com.au anywhere
Yet, they are still able to flood my server. How can this be?
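The two messages above turn on one thing: netfilter walks a chain top to bottom and the first rule whose match conditions are satisfied decides the packet's fate, so a DROP rule only helps if no earlier rule (for example an ACCEPT for port 80 or for ESTABLISHED connections) has already claimed the packet. The script below is an added illustration and is not code from either Doug or Darrell. It parses a small iptables-save style ruleset (constructed here, modelled on Doug's dump with his /8 REJECT rules, plus a hypothetical port-80 ACCEPT and a DROP for the 60.240.249.207 address from Darrell's listing) and simulates first-match evaluation for a given source address. The parser only understands the handful of options that appear in the thread (-A, -s, -i, -p, --dport, -m state/--state, -j) and assumes every option takes exactly one argument.

```python
import ipaddress

# Constructed ruleset: the blocking rule was APPENDED (-A) after an ACCEPT
# that already matches new web connections.
RULES_APPENDED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 59.0.0.0/255.0.0.0 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 79.0.0.0/255.0.0.0 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -s 60.240.249.207/32 -j DROP
COMMIT
"""

# Same rules, but the DROP placed at the top (what `iptables -I INPUT 1 ...`
# would produce instead of `iptables -A INPUT ...`).
RULES_INSERTED = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 60.240.249.207/32 -j DROP
-A INPUT -s 59.0.0.0/255.0.0.0 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 79.0.0.0/255.0.0.0 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Parse an iptables-save *filter dump into {chain: {"policy", "rules"}}.

    Only the options needed for the simulation are kept; anything else
    (e.g. --reject-with, -m) is consumed together with its argument.
    Assumption: every option on a rule line takes exactly one argument.
    """
    chains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*", "COMMIT")):
            continue
        if line.startswith(":"):                      # chain declaration + policy
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
            continue
        if not line.startswith("-A "):
            continue
        tokens = line.split()
        rule = {"src": None, "iface": None, "proto": None,
                "dport": None, "state": None, "target": None}
        chain = None
        for i in range(0, len(tokens) - 1, 2):
            opt, arg = tokens[i], tokens[i + 1]
            if opt == "-A":
                chain = arg
            elif opt == "-s":                         # accepts CIDR or dotted netmask
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-i":
                rule["iface"] = arg
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["state"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
        chains.setdefault(chain, {"policy": "-", "rules": []})["rules"].append(rule)
    return chains


def first_match(chains, chain, src_ip, iface="eth0", proto="tcp",
                dport=80, established=False):
    """Walk `chain` top to bottom like netfilter and return (index, target)
    for the first matching rule with a target, or (None, policy) if the
    chain's default policy applies.  Rules without -j only count packets
    (Doug's acctin/acctout rules) and do not stop the walk."""
    addr = ipaddress.ip_address(src_ip)
    entry = chains[chain]
    pkt_state = "ESTABLISHED" if established else "NEW"
    for idx, r in enumerate(entry["rules"]):
        if r["src"] is not None and addr not in r["src"]:
            continue
        if r["iface"] is not None and r["iface"] != iface:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["state"] is not None and pkt_state not in r["state"]:
            continue
        if r["target"] is None:
            continue
        return idx, r["target"]
    return None, entry["policy"]


if __name__ == "__main__":
    for label, text in (("appended", RULES_APPENDED), ("inserted", RULES_INSERTED)):
        chains = parse_rules(text)
        for ip in ("59.12.34.56", "60.240.249.207", "203.0.113.5"):
            print(label, ip, "->", first_match(chains, "INPUT", ip))
```

With the appended ruleset a new web connection from 60.240.249.207 is accepted by the port-80 rule before the DROP is ever consulted; with the DROP inserted at position 1 it is dropped. On a live box the equivalent check is `iptables -L INPUT -v -n`: the `-n` shows numeric addresses instead of the resolved tpgi.com.au names, and the per-rule packet counters show whether the DROP rule is being hit at all. Note also that DROP only stops the packets from reaching the service; the packets still arrive on the wire, so a flood can saturate the link regardless of the rule.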