
Author Topic: iptables  (Read 2433 times)

Offline Looper

  • Newbie
  • *
  • Posts: 47
iptables
« on: May 04, 2017, 10:44:35 PM »
I use these rules, but I don't know how to accept this match after 1 minute... These rules, if matched, deny forever. I need to deny for 2 minutes. How can I do that?
Code: [Select]
# record every new SYN to port 6050 in the recent list
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,ACK SYN --dport 6050 -m state --state NEW -m recent --set
# drop the 3rd new SYN within 20 seconds from the same source (and refresh its entry)
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,ACK SYN --dport 6050 -m state --state NEW -m recent --update --seconds 20 --hitcount 3 -j DROP


    [EDIT]: Added code tags.  Rich
« Last Edit: May 05, 2017, 07:23:51 AM by Rich »

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11178
Re: iptables
« Reply #1 on: May 05, 2017, 07:31:04 AM »
Hi Looper
You really should use code tags when displaying commands, config files, etc. Code tags preserve formatting and serve as
a separator between your question and supplied data.

Offline rdebath

  • Newbie
  • *
  • Posts: 13
Re: iptables
« Reply #2 on: May 05, 2017, 01:10:24 PM »
Code: [Select]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j REJECT

These rules, which seem to be just like yours, do NOT deny forever. BUT "--update" means that if you keep hitting the rule, the time at which it will let you in again keeps getting extended. It will block you as long as you keep prodding.

If you want to give them another chance even if they keep being bad, you need an "--rcheck" rule before these two rules, I guess like this:

Code: [Select]
-I INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 -j REJECT

Note: REJECTs are usually better at making "script kiddies" go away and bother someone else.
--
Robert
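The following is an added example, not code from the thread or from Robert or Looper: a small model of the xt_recent hit-list semantics, so the difference between the "--set/--update" pair and the "--rcheck" rule placed in front of it can be seen on a timeline instead of argued about. It follows my reading of the kernel's xt_recent match (a --set rule always records a timestamp, --rcheck only counts timestamps inside the --seconds window, --update counts them and records a new one when the hit count is reached); the 20-stamps-per-address cap is the module's ip_pkt_list_tot default. The attacker address, the attempt times and the rule objects are constructed for the example.

```python
# Added example (not from the thread): model of xt_recent --set/--update/--rcheck
# on a timeline of new-connection attempts. Semantics are my reading of the
# kernel module; the per-address stamp cap is the ip_pkt_list_tot default (20).
from dataclasses import dataclass
from typing import List, Optional, Tuple

STAMPS_PER_ADDR = 20


@dataclass
class Rule:
    mode: str                        # "set", "update" or "rcheck"
    seconds: int = 0                 # --seconds window
    hitcount: int = 0                # --hitcount threshold
    target: Optional[str] = None     # -j target on match; None for a match-only rule


class RecentList:
    """Per-address timestamp lists, like one named list in /proc/net/xt_recent."""

    def __init__(self) -> None:
        self.stamps = {}  # src address -> timestamps, oldest first

    def _add_stamp(self, src: str, now: int) -> None:
        s = self.stamps.setdefault(src, [])
        s.append(now)
        if len(s) > STAMPS_PER_ADDR:       # ring buffer: the oldest stamp is overwritten
            del s[0]

    def _hits(self, src: str, now: int, seconds: int) -> int:
        # A stamp counts when it is not strictly older than `seconds` ago.
        return sum(1 for t in self.stamps.get(src, []) if t >= now - seconds)

    def match(self, rule: Rule, src: str, now: int) -> bool:
        if rule.mode == "set":
            self._add_stamp(src, now)
            return True
        matched = self._hits(src, now, rule.seconds) >= rule.hitcount
        if rule.mode == "update" and matched:
            # This refresh is what keeps pushing the unblock time back
            # while the client keeps knocking; --rcheck never does it.
            self._add_stamp(src, now)
        return matched


def verdicts(rules: List[Rule], attempts: List[Tuple[int, str]]) -> List[str]:
    """Run each new-connection attempt (time in seconds, source address)
    through the rules in chain order; return the verdict per attempt."""
    table = RecentList()
    out = []
    for now, src in attempts:
        verdict = "ACCEPT"            # nothing in these rules rejected it
        for rule in rules:
            if table.match(rule, src, now) and rule.target:
                verdict = rule.target
                break
        out.append(verdict)
    return out


# Robert's first two rules: --set, then --update --seconds 60 --hitcount 4 -j REJECT
UPDATE_ONLY = [
    Rule("set"),
    Rule("update", seconds=60, hitcount=4, target="REJECT"),
]
# The same two rules with "-I ... --rcheck --seconds 60 --hitcount 4 -j REJECT" in front
WITH_RCHECK = [Rule("rcheck", seconds=60, hitcount=4, target="REJECT")] + UPDATE_ONLY

# Constructed timeline (not from the thread): four quick attempts from one
# documentation address, then one knock every 20 seconds while blocked.
ATTACKER = "203.0.113.7"
PRODDING = [(t, ATTACKER) for t in (0, 1, 2, 3)] + [(t, ATTACKER) for t in range(23, 124, 20)]
# A client that stops after the fourth attempt and comes back a minute later.
QUIET = [(t, ATTACKER) for t in (0, 1, 2, 3, 64)]

if __name__ == "__main__":
    for name, rules in (("--update only", UPDATE_ONLY), ("--rcheck in front", WITH_RCHECK)):
        print(f"{name:18s} prodding: {verdicts(rules, PRODDING)}")
        print(f"{name:18s} quiet:    {verdicts(rules, QUIET)}")
```

With "--update" alone the prodding client is rejected on every knock after the fourth, because each rejected knock adds fresh stamps; with the "--rcheck" rule in front, rejected knocks add nothing, so the same client is let back in 60 seconds after its last counted hit. A client that goes quiet is let back in after a minute under both rule sets. For Looper's 2-minute window the same layout applies with "--seconds 120" on the --rcheck and --update rules; the --rcheck rule has to come first in the chain so a rejected packet never reaches --set. On a real box the recorded stamps per address can be checked in /proc/net/xt_recent/DEFAULT (DEFAULT is the list name when --name is not given).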