
I have a web server that uses an additional RESTful server on a different port. I would like to allow traffic to the RESTful server only after a connection to the main server has been established. To accomplish that I use the following rules:

# Packets of connections that conntrack already knows are accepted here, so the
# rules below only ever see the first packet of a new connection.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Record the source address (--rsource, full /32 mask) of a new connection to 3001
# in the recent list P1. No -j target, so evaluation continues down the chain.
-A INPUT -p tcp -m tcp --dport 3001 -m recent --set --name P1 --mask 255.255.255.255 --rsource
# Accept a new connection to 8000 only if the source is in P1 and was seen there
# within the last 1000 seconds (--rcheck only tests the list; --update would also
# refresh the timestamp on a match).
-A INPUT -p tcp -m tcp --dport 8000 -m recent --rcheck --seconds 1000 --name P1 --mask 255.255.255.255 --rsource -j ACCEPT
# Otherwise drop new connections to 8000.
-A INPUT -p tcp -m tcp --dport 8000 -m state --state NEW -j DROP
# Same gate for 8001.
-A INPUT -p tcp -m tcp --dport 8001 -m recent --rcheck --seconds 1000 --name P1 --mask 255.255.255.255 --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -m state --state NEW -j DROP

A connection is allowed to port 8000 / 8001 only if a connection on 3001 has already been established. The thing is that the scheme breaks down after three connections to port 8000.

Does --rcheck somehow delete the IP from the P1 list?

Am I doing something incorrectly?

Dave M
asked Dec 1 at 13:54
  • I’m voting to close this question because it was cross-posted by OP on Server Fault: serverfault.com/questions/1196144/iptablesrecent-module (commented 2 days ago)
  • @music2myear you are obviously right, I was going to delete the question from Server Fault, as I feel that it is more relevant here, but I forgot to do so. I have deleted it now. (commented yesterday)
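The following is an added example, not code from the question or from anyone in the thread. It models the documented behaviour of the iptables `recent` match (`--set`, `--rcheck`, `--update`, as described in iptables-extensions(8)), not the kernel implementation, and replays a constructed packet trace through a reduced copy of the posted INPUT rules. The addresses, ports, times and the `filter_packet`/`replay` helpers are made up for the example.

```python
"""Model of the xt_recent list operations used by the posted rules.

Added example: reproduces the documented semantics of --set / --rcheck /
--update on a named list and replays a constructed trace through a reduced
copy of the rule set, to show what --rcheck does (and does not do) to P1.
"""
from dataclasses import dataclass, field


@dataclass
class RecentList:
    """A named recent list: source address -> timestamps written by --set/--update."""
    name: str
    ip_pkt_list_tot: int = 20        # xt_recent module default: timestamps kept per address
    entries: dict = field(default_factory=dict)

    def set(self, src, now):
        """--set: add src to the list, or add another timestamp to its entry."""
        stamps = self.entries.setdefault(src, [])
        stamps.append(now)
        del stamps[:-self.ip_pkt_list_tot]          # keep only the newest N timestamps

    def rcheck(self, src, now, seconds=None, hitcount=None):
        """--rcheck: match if src is listed and, with --seconds, was seen within the
        last `seconds` (with --hitcount, at least that many times in the window).
        It only reads the list: nothing is refreshed and nothing is removed."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        if seconds is None:
            return True
        hits = sum(1 for t in stamps if now - t <= seconds)
        return hits >= (hitcount or 1)

    def update(self, src, now, seconds=None, hitcount=None):
        """--update: same test as --rcheck, but a match also refreshes the timestamp."""
        matched = self.rcheck(src, now, seconds, hitcount)
        if matched:
            self.set(src, now)
        return matched


def filter_packet(p1, pkt, check="rcheck", window=1000):
    """Walk one packet through a reduced copy of the posted INPUT rules.
    `check` selects --rcheck (as posted) or --update for the 8000/8001 rules.
    Returns the verdict, or "CONTINUE" when no rule in this set decides."""
    t, src, dport, state = pkt
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"                              # conntrack rule, evaluated first
    if dport == 3001:
        p1.set(src, t)                               # --set rule has no -j: fall through
        return "CONTINUE"
    if dport in (8000, 8001):
        test = p1.rcheck if check == "rcheck" else p1.update
        if test(src, t, seconds=window):
            return "ACCEPT"
        return "DROP"                                # NEW to 8000/8001 without a recent 3001
    return "CONTINUE"


# Constructed trace: (time in seconds, source address, destination port, conntrack state)
TRACE = [
    (0,    "198.51.100.7", 3001, "NEW"),           # first packet of the main-server connection
    (1,    "198.51.100.7", 3001, "ESTABLISHED"),   # rest of it: accepted before the --set rule
    (5,    "203.0.113.9",  8000, "NEW"),           # a host that never touched 3001
    (10,   "198.51.100.7", 8000, "NEW"),           # three REST connections inside the window
    (20,   "198.51.100.7", 8000, "NEW"),
    (30,   "198.51.100.7", 8000, "NEW"),
    (40,   "198.51.100.7", 8001, "NEW"),
    (1030, "198.51.100.7", 8000, "NEW"),           # more than 1000 s after the only --set
]


def replay(check="rcheck"):
    """Run the trace through a fresh P1 list; return the verdicts and the final list."""
    p1 = RecentList("P1")
    verdicts = [filter_packet(p1, pkt, check) for pkt in TRACE]
    return verdicts, p1


if __name__ == "__main__":
    for mode in ("rcheck", "update"):
        verdicts, p1 = replay(mode)
        print(mode, verdicts, p1.entries)
```

Replaying the trace with the posted `--rcheck` rules shows that the 8000/8001 rules never remove or refresh the P1 entry: the only writer is the `--set` rule, and because the conntrack ACCEPT rule comes first, only the first packet of each new connection to 3001 reaches it, so the 1000-second window is measured from the last new connection to 3001, not from the last REST request. The same trace with `--update` in place of `--rcheck` shows the alternative in which each accepted REST connection extends the window.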

