Assuming these IP addresses are treated the same way in your iptables rules, ipset may help to make it simpler.
On Fri, Apr 24, 2020 at 3:30 PM Jeffrey Walton <noloa...@gmail.com> wrote:
> Hi Everyone,
>
> We are having trouble with our MediaWiki installation on a low-end VM.
> The VM is servicing a lot of spam traffic, and it is driving cpu usage
> up to about 80%. The 404's appear to be more expensive than the 200's.
> GoDaddy wrote to us and told us they were going to suspend our service
> if we don't get cpu usage down.
>
> I experimented with several Apache and MediaWiki plugins and I have a
> design I like. The plugin scans the URL, detects the problematic URLs,
> and sends the ip address to a privileged out-of-proc proxy to update
> iptables. The proxy is privileged and can update iptables rules. It
> also maintains a database to remove the host after 45 days.
>
> The problem I am having is adding the new information to the existing
> iptables rules in /etc/sysconfig/iptables. I want to write my rules to
> a separate file and then tell /etc/sysconfig/iptables to include it at
> the correct position.
>
> I read the iptables(8), iptables-save(8) and iptables-restore(8) man
> pages, but I don't see how to combine the different sources.
>
> How do I tell iptables to include a second external source at a
> specific location?
>
> # iptables --version
> iptables v1.4.21
>
> Thanks in advance.
>
> =========================
>
> Here is an example of /etc/sysconfig/iptables with the position I want
> to insert the MediaWiki ban rules.
>
> # cat /etc/sysconfig/iptables
> *nat
> :PREROUTING ACCEPT [4276:232374]
> :POSTROUTING ACCEPT [270:136514]
> :OUTPUT ACCEPT [270:136514]
> COMMIT
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [269:205262]
>
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> ### I want to insert rules here ###
> *include my-mediawiki-rules
>
> ### Back to normal rules ###
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> ...
_______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
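To make the ipset suggestion concrete, here is an added example (my own sketch, not code from either poster or from MediaWiki). The idea is that the banned addresses live in one ipset and /etc/sysconfig/iptables carries a single static rule at the "insert rules here" position that matches the set, so the file is never regenerated per host. The set name "mediawiki-ban", the helper names, and the assumption that the set is loaded before iptables-restore runs (for example by the ipset-service package on CentOS 7, which restores /etc/sysconfig/ipset before the iptables service starts) are all mine. Note that ipset's per-entry timeout is capped at 2147483 seconds (about 24.8 days), so the 45-day expiry still has to come from the proxy's own database issuing "del".

```shell
#!/bin/sh
# Added example, not from the thread: one ipset for the banned hosts plus one
# static iptables rule that matches it. Assumptions (mine): ipset(8) is
# installed, the set is named "mediawiki-ban", and it is restored before
# iptables-restore runs (e.g. ipset-service on CentOS 7).
set -u

SET_NAME="mediawiki-ban"

# Strict IPv4 check. The address arrives from a web plugin over a privileged
# channel, so validate it before it reaches any command line.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# Emit an ipset-restore(8) script that creates the set and adds each address.
# Returns 1 on the first malformed address. No per-entry "timeout": ipset
# caps it at 2147483 s (about 24.8 days), so the proxy's database must do the
# 45-day expiry itself with unban_cmd below.
ipset_restore_script() {
    printf 'create %s hash:ip family inet hashsize 1024 maxelem 65536\n' "$SET_NAME"
    for ip in "$@"; do
        is_ipv4 "$ip" || return 1
        printf 'add %s %s\n' "$SET_NAME" "$ip"
    done
}

# Command lines the privileged proxy runs for a single ban or unban.
# "-exist" makes a repeated add, or a del of an already-expired entry, a no-op.
ban_cmd()   { is_ipv4 "$1" && printf 'ipset -exist add %s %s\n' "$SET_NAME" "$1"; }
unban_cmd() { is_ipv4 "$1" && printf 'ipset -exist del %s %s\n' "$SET_NAME" "$1"; }

# The one rule that replaces the hypothetical "*include my-mediawiki-rules".
ban_rule() {
    printf '%s\n' "-A INPUT -m set --match-set $SET_NAME src -j DROP"
}

# Insert ban_rule into an iptables-save(8) dump read on stdin, right after
# the loopback ACCEPT so it sits ahead of the RELATED,ESTABLISHED rule.
insert_ban_rule() {
    awk -v rule="$(ban_rule)" '
        { print }
        $0 == "-A INPUT -i lo -j ACCEPT" { print rule }
    '
}

# Typical use (as root):
#   ipset_restore_script 192.0.2.1 198.51.100.7 | ipset -exist restore
#   insert_ban_rule < /etc/sysconfig/iptables > /tmp/iptables.new
#   iptables-restore < /tmp/iptables.new
#   ban_cmd 203.0.113.9 | sh       # later, from the proxy
```

The rule must be loaded only after the set exists, otherwise iptables-restore fails with an error that the set does not exist; on a RHEL-style box with ipset-service, "ipset save > /etc/sysconfig/ipset" after populating the set persists it across reboots. Because the ipset entries themselves are the ban list, the proxy no longer needs to touch /etc/sysconfig/iptables at all after the one-time insertion.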