The title is probably not very helpful (sorry). Here's a better explanation of what I hope to accomplish. I'm relatively new to working with iptables but have a decent understanding of the concepts. I haven't, however, found a good example online that demonstrates what I'm asking.
In order to do some brute-force intrusion mitigation, I've got a chain that includes a rule covering multiple ports (this rule originally hijacked from this blog):
    -A INPUT -p tcp -m multiport --dports 21,22,110,143 -m state --state NEW -j INTR_CHECK
    -A INTR_CHECK -m recent --set --name INTRS --rsource
    -A INTR_CHECK -m recent --update --seconds 600 --hitcount 15 --name INTRS --rsource -j INTRUSION
    -A INTR_CHECK -m recent --update --seconds 60 --hitcount 5 --name INTRS --rsource -j INTRUSION
    -A INTR_CHECK -j [[break out to new chains vs ACCEPT]?]
What I'd like to see is a set of chains for each port in {21,22,110,143}, because I have (lengthy) established chains for allowing specific hosts/networks to use FTP and SSH.
Is it passable if I put single lines in the INTR_CHECK chain for each dport and route them to an existing chain? For example, if I append this to the rules above:
    -A INTR_CHECK (-m state --state NEW) -p tcp -m tcp --dport 22 -j SSHD_IN
    -A INTR_CHECK (-m state --state NEW) -p tcp -m tcp --dport 21 -j FTP_IN
    -A INTR_CHECK (-m state --state NEW) -p tcp -m tcp --dport 110 -j POP3_IN
    -A INTR_CHECK (-m state --state NEW) -p tcp -m tcp --dport 143 -j IMAP_IN
I also wonder if I need to indicate the state as NEW packets only, since RELATED and ESTABLISHED are blanket-accepted in the commonly-used rule:
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Any guidance or lessons-learned would be greatly appreciated. Thanks.
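As an added illustration (not part of the original question or any reply to it), the following POSIX shell script generates a complete iptables-restore ruleset laid out the way the question describes: the multiport rule in INPUT feeds NEW connections into INTR_CHECK, INTR_CHECK does the `recent` bookkeeping, and then one `--dport` rule per port hands the packet to a per-service chain. The chain names SSHD_IN, FTP_IN, POP3_IN and IMAP_IN and the rate-limit rules come from the question; the body of INTRUSION, the LOG rule, the final DROP in INTR_CHECK, the RETURN at the end of each service chain and the 192.0.2.0/24 network are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits an iptables-restore
# ruleset in which INTR_CHECK first does the "recent" bookkeeping and then
# dispatches each NEW connection to a per-port chain. Per-service chain
# names are the ones in the question; INTRUSION's body, the LOG rule, the
# final DROP, the RETURNs and the 192.0.2.0/24 network are assumptions.

# port:chain pairs, one per dispatched service.
PORT_CHAINS="21:FTP_IN 22:SSHD_IN 110:POP3_IN 143:IMAP_IN"

# Print one ruleset line (printf, so a leading "-A" is never taken as an option).
rule() { printf '%s\n' "$*"; }

# Comma-separated port list for the multiport match, derived from PORT_CHAINS.
dispatch_ports() {
    printf '%s' "$PORT_CHAINS" | sed 's/:[A-Z_0-9]*//g; s/ /,/g'
}

# Print the complete filter-table ruleset on stdout.
build_ruleset() {
    rule '*filter'
    # Declare user chains before any rule jumps to them.
    rule ':INTR_CHECK - [0:0]'
    rule ':INTRUSION - [0:0]'
    for pc in $PORT_CHAINS; do
        rule ":${pc#*:} - [0:0]"
    done

    # Replies to accepted connections never reach the intrusion checks, so
    # everything that enters INTR_CHECK is already a NEW packet.
    rule '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    rule "-A INPUT -p tcp -m multiport --dports $(dispatch_ports) -m state --state NEW -j INTR_CHECK"

    # Bookkeeping: --set records this packet, so the --update rules count it.
    # The 15th hit within 600 s or the 5th within 60 s jumps to INTRUSION.
    rule '-A INTR_CHECK -m recent --set --name INTRS --rsource'
    rule '-A INTR_CHECK -m recent --update --seconds 600 --hitcount 15 --name INTRS --rsource -j INTRUSION'
    rule '-A INTR_CHECK -m recent --update --seconds 60 --hitcount 5 --name INTRS --rsource -j INTRUSION'

    # Dispatch: one rule per port. No extra --state match is needed here,
    # because the INPUT rule above already restricted INTR_CHECK to NEW.
    for pc in $PORT_CHAINS; do
        rule "-A INTR_CHECK -p tcp --dport ${pc%%:*} -j ${pc#*:}"
    done
    # A packet that RETURNs from its service chain without being accepted
    # lands here; drop it explicitly rather than falling through INPUT.
    rule '-A INTR_CHECK -j DROP'

    # Offender handling: rate-limited log line, then drop.
    rule '-A INTRUSION -m limit --limit 3/min -j LOG --log-prefix "INTRUSION: "'
    rule '-A INTRUSION -j DROP'

    # Stand-in service chains: the real host/network allow rules go where the
    # 192.0.2.0/24 line is; RETURN hands anything unmatched back to INTR_CHECK.
    for pc in $PORT_CHAINS; do
        rule "-A ${pc#*:} -s 192.0.2.0/24 -j ACCEPT"
        rule "-A ${pc#*:} -j RETURN"
    done
    rule 'COMMIT'
}

# With a filename argument, write the ruleset there; otherwise print it.
if [ "$#" -gt 0 ]; then
    build_ruleset > "$1"
else
    build_ruleset
fi
```

Because user chains fall back to the calling chain on RETURN or when they run out of rules, the `-j DROP` at the end of INTR_CHECK is what gives the per-service chains a deny-by-default behaviour; without it an unmatched packet would continue down INPUT. The generated file can be syntax-checked without touching the live tables with `iptables-restore --test < iptables.rules` before it is loaded for real.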