iptables 'recent' stuff
dsr at tao.merseine.nu
Wed Jul 27 11:42:22 EDT 2005
On Wed, Jul 27, 2005 at 10:53:34AM -0400, Derek Atkins wrote:
> dsr at tao.merseine.nu writes:
> So something like this in /etc/sysconfig/iptables would do what I
> wanted?
>
> -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set
Adds the packet info to the ssh recent list
> -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j LOG --log-level WARN --log-prefix SSH-TOO-FAST
This logs packets which have appeared 4 times in the last 60 secs
> -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j REJECT --reject-with icmp-host-prohibited
This should be --rcheck instead of --update, as the packet count
does not need to be updated.
> Question: is there some way to have a rule that if one 'recent'
> check passed then I can set another one? E.g., I'd like to be able
> to do something like:
>
> if packet matches XX, set badguy
> if packet matches YY, set badguy if YY-hitcount >= 4
> if packet matches ZZ, set badguy if ZZ-hitcount >= 6
> if badguy, drop
>
> I just don't know if you can have multiple "recent name" settings like
> this?
I think I understand what you want -- anyone who is on any of
the idiot lists, drop all packets from them -- but I don't think
you can do it this way.
-dsr-
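The difference between --update and --rcheck on the checking rules, as an added example that is not part of the thread: a small Python model of the xt_recent --set/--update/--rcheck semantics, run over a constructed SYN trace, comparing the chain as posted with dsr's --rcheck suggestion. The source address, the timings and the choice to switch the LOG rule to --rcheck along with the REJECT rule are assumptions of this example.

```python
# Simplified model of the iptables xt_recent match (stamp table per source,
# --seconds window, --hitcount threshold; the kernel's stamp cap is omitted).
from collections import defaultdict

WINDOW, HITCOUNT = 60, 4          # --seconds 60 --hitcount 4, as in the posted rules

class RecentList:
    """One 'recent' table (e.g. --name ssh): timestamps recorded per source."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: always records a stamp for this source.
        self.stamps[src].append(now)

    def check(self, src, now, update):
        # --update / --rcheck: match when at least HITCOUNT stamps lie within
        # the last WINDOW seconds. Only --update then records another stamp
        # for the matching packet; --rcheck leaves the table untouched.
        hits = sum(1 for t in self.stamps[src] if t >= now - WINDOW)
        matched = hits >= HITCOUNT
        if matched and update:
            self.stamps[src].append(now)
        return matched

def run_chain(packets, checking_mode):
    """Run new SSH SYNs (time, src) through the three-rule chain.

    checking_mode 'update' is the chain as posted; 'rcheck' uses --rcheck on
    both the LOG and the REJECT rule (an assumption of this example). LOG is
    non-terminating, so every packet meets both checking rules.
    """
    ssh, verdicts = RecentList(), []
    upd = checking_mode == "update"
    for now, src in packets:
        ssh.set(src, now)                                  # rule 1: --set
        ssh.check(src, now, upd)                           # rule 2: LOG
        rejected = ssh.check(src, now, upd)                # rule 3: REJECT
        verdicts.append("REJECT" if rejected else "ACCEPT")
    return verdicts, dict(ssh.stamps)

# Constructed trace: four SYNs within four seconds, then a retry a minute later.
TRACE = [(t, "198.51.100.7") for t in (0, 1, 2, 3, 62)]

if __name__ == "__main__":
    for mode in ("update", "rcheck"):
        verdicts, stamps = run_chain(TRACE, mode)
        print(f"{mode:6} {verdicts}  stamps={stamps['198.51.100.7']}")
```

With --update on the checking rules, every matching packet adds extra stamps, so the single burst still rejects the retry at t=62; with --rcheck only the --set stamps count and the retry is accepted once fewer than four of them remain in the window.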