On Fri, 21 Jan 2005 09:35:26 -0500, Kevin Old <kevinold@xxxxxxxxx> wrote:
> Hello everyone,
>
> My Logwatch report this morning is below. It appears that IP
> 218.145.54.195 has attempted to connect to my SSH daemon 500 times.
> I'm confused at how that can be as I added that IP several days ago to
> the iptables
>
> /sbin/iptables -I OC -s 218.145.54.195 -j DROP
>
> and a /iptables -L OC shows that he's in there.
>

You have a chain called "OC" already? Do you have anything in your input
chain that calls the "OC" chain? You would want to run an "iptables -L"
to see if it's there. On mine, I have a chain called FW-Filter, and when
I run iptables -L, I see:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    FW-Filter  all  --  anywhere             anywhere

This means that all my incoming packets are not evaluated by the INPUT
chain, but are referred to the FW-Filter chain. If you don't have
something like that in your system, you can create all the chains you
want, but they will never be checked.

It also might be because of the order of other rules in that chain. The
first rule that makes a match will be acted on, so you might have a rule
that says to accept that packet BEFORE the rule that says to drop it.
Without seeing the full OC chain and output from iptables -L it's hard
to tell.
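
The two causes suggested in the reply above (a user-defined chain that nothing in INPUT jumps to, and an ACCEPT rule that matches before the DROP), as an added example that is not part of the original thread: a small first-match evaluator over `iptables -S` style rules. The rule sets are constructed, and the matcher is a simplification that looks only at -s, -p and --dport.

```python
import ipaddress
import shlex

# Constructed `iptables -S` style rule sets (not taken from the poster's system).
OC_RULE = "-N OC\n-A OC -s 218.145.54.195/32 -j DROP\n"
SSH_ACCEPT = "-A INPUT -p tcp --dport 22 -j ACCEPT\n"
UNREFERENCED = "-P INPUT ACCEPT\n" + OC_RULE                    # nothing jumps to OC
SHADOWED = "-P INPUT ACCEPT\n" + OC_RULE + SSH_ACCEPT + "-A INPUT -j OC\n"  # ACCEPT first
FIXED = "-P INPUT ACCEPT\n" + OC_RULE + "-A INPUT -j OC\n" + SSH_ACCEPT     # jump first

def parse(text):
    """Return (policies, chains); assumes every option takes exactly one value."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
        if tok[0] in ("-P", "-N"):
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return policies, chains

def matches(rule, src, proto, dport):
    """Match on -s, -p and --dport only; other match options are ignored."""
    if "-s" in rule and ipaddress.ip_address(src) not in ipaddress.ip_network(rule["-s"], strict=False):
        return False
    if "-p" in rule and rule["-p"] != proto:
        return False
    return "--dport" not in rule or rule["--dport"] == str(dport)

def walk(chains, chain, pkt, trace):
    """First-match traversal of one chain; None means the packet fell through."""
    for n, rule in enumerate(chains[chain], 1):
        if not matches(rule, *pkt):
            continue
        target = rule.get("-j")
        trace.append(f"{chain}#{n} -> {target}")
        if target in chains:  # jump into a user-defined chain
            target = walk(chains, target, pkt, trace)
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
    return None

def verdict(text, src, proto="tcp", dport=22):
    """Return (final verdict, rules that matched) for a packet arriving on INPUT."""
    policies, chains = parse(text)
    trace = []
    return walk(chains, "INPUT", (src, proto, dport), trace) or policies["INPUT"], trace
```

An empty trace with an ACCEPT verdict means the packet reached the chain policy without the OC chain ever being consulted.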