Stephen: Thanks. That indeed looks like what I need, but I am stuck trying to make it work.
Stephen Frost wrote:
> * Yan Seiner ([EMAIL PROTECTED]) wrote:
> > It does not come from the same IP every time, so I can't block on IP.
> > I'd like to block it with something like the PSD module. What I really
> > want to tell my firewall is this: if you see so many connections to this
> > port from the same IP, blackhole the IP for 30 minutes.
> >
> > Any ideas on how to do that?
>
> The recent module can do this for you. More or less:
>
> iptables -A FORWARD -d a.b.c.d --dport 25 -m recent --hits 10 --seconds 1800 -j DROP

This is what I'm using:

$IPTABLES -v -A INPUT -p tcp --source $OUTSIDE -m recent --hitcount 10 --update --seconds 60 -j LOGDROP

But here's what I get:

LOGDROP tcp opt -- in * out * !192.168.0.0/16 -> 0.0.0.0/0 recent: UPDATE seconds: 60 hit_count: 10
iptables: No chain/target/match by that name

LOGDROP is my log & drop chain - here's a rule from just prior to the -m recent one:

# limit connections from outside to 4 per C block
$IPTABLES -A INPUT -p tcp --source $OUTSIDE --syn -m iplimit --iplimit-mask 24 --iplimit-above 4 -j LOGDROP

and that works fine.

Is it possible that the recent module only works for the FORWARD chain? I hope not; I run some services on my firewall box that I want to protect....

Oh yeah, I'm running kernel 2.4.17 and iptables 1.2.5.

--Yan

-- 
Famous first words: My, my, my, my, my! Jason, age 16 mos, to his older sister
4:21pm up 5 days, 9:48, 14 users
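The thread turns on what the recent match actually does with --seconds and --hitcount, and on the difference between --rcheck and --update. The following is an added example, not code from the thread or from the netfilter project: a small Python model of the documented --set / --rcheck / --update semantics, run over constructed traffic (the source 203.0.113.9, the burst size and retry interval are made up). It traces a two-rule chain of the usual shape, a --update (or --rcheck) DROP rule followed by a --set ACCEPT rule, and shows three things the thread does not spell out: with the DROP rule ahead of the --set rule, the (N+1)th SYN inside the window is the first one dropped; with --rcheck a source is released once its counted hits age out of the window, whereas with --update every dropped retry refreshes the entry, so a persistent source keeps itself blocked; and a chain with only a --update rule and no --set rule, like the one in the reply, never adds a source to the table and so never matches. Kernel versions differ in details (the per-source list length, when the timestamp is refreshed), so the model is an illustration of the semantics, not a reference implementation; the list length of 20 is the assumed default of ip_pkt_list_tot.

```python
"""Simplified model of the iptables 'recent' match (added example, not code
from the thread). It follows the documented --set, --rcheck and --update
behaviour with --seconds/--hitcount so blocking can be traced offline.
Kernel versions differ in details; treat this as an illustration."""

LIST_LEN = 20  # assumed default of ip_pkt_list_tot: timestamps kept per source


class RecentTable:
    """One named table, as created by '-m recent --name NAME'."""

    def __init__(self, list_len=LIST_LEN):
        self.list_len = list_len
        self.stamps = {}  # source address -> list of hit times (seconds)

    def _touch(self, addr, now):
        lst = self.stamps.setdefault(addr, [])
        lst.append(now)
        del lst[:-self.list_len]  # ring buffer: keep only the newest list_len

    def set(self, addr, now):
        """--set: add the source (or refresh its timestamp); always matches."""
        self._touch(addr, now)
        return True

    def rcheck(self, addr, now, seconds=None, hitcount=None):
        """--rcheck: match if the source is known and has been seen at least
        `hitcount` times within the last `seconds`; the table is untouched."""
        stamps = self.stamps.get(addr)
        if stamps is None:
            return False
        if seconds is None:
            hits = len(stamps)
        else:
            hits = sum(1 for t in stamps if now - t <= seconds)
        return hits >= (hitcount or 1)

    def update(self, addr, now, seconds=None, hitcount=None):
        """--update: like --rcheck, but a match also records a new timestamp,
        so a source that keeps hitting the rule keeps renewing its own block."""
        matched = self.rcheck(addr, now, seconds, hitcount)
        if matched:
            self._touch(addr, now)
        return matched


def run_chain(attempts, seconds, hitcount, mode="update", with_set=True):
    """Trace a chain of the usual shape over constructed SYN attempts
    [(time, source), ...] given in time order:
        -m recent --update --seconds S --hitcount N -j DROP   (or --rcheck)
        -m recent --set -j ACCEPT                             (if with_set)
    Returns one verdict per attempt. DROP is terminal, so a dropped attempt
    never reaches the --set rule."""
    table = RecentTable()
    check = table.update if mode == "update" else table.rcheck
    verdicts = []
    for now, src in attempts:
        if check(src, now, seconds, hitcount):
            verdicts.append("DROP")
            continue
        if with_set:
            table.set(src, now)
        verdicts.append("ACCEPT")
    return verdicts


def burst_then_retry(src, burst=11, retry_every=60, until=2500):
    """Constructed traffic: `burst` SYNs one second apart, then one retry every
    `retry_every` seconds until `until` (a scanner that keeps coming back)."""
    attempts = [(t, src) for t in range(burst)]
    attempts += [(t, src) for t in range(burst + 59, until + 1, retry_every)]
    return attempts


def verdict_at(attempts, verdicts, when):
    """Verdict for the attempt made at time `when`."""
    for (t, _), v in zip(attempts, verdicts):
        if t == when:
            return v
    raise KeyError(when)


if __name__ == "__main__":
    traffic = burst_then_retry("203.0.113.9")
    for mode in ("rcheck", "update"):
        v = run_chain(traffic, seconds=1800, hitcount=10, mode=mode)
        print(mode, "first DROP at t=%d," % traffic[v.index("DROP")][0],
              "verdict at t=1810:", verdict_at(traffic, v, 1810))
    # A chain with --update alone, like the rule in the reply, never adds
    # the source to the table, so it never matches anything.
    print("no --set rule:", set(run_chain(traffic, 1800, 10, with_set=False)))
```

Run as a script it prints that both modes first drop at t=10 (the 11th SYN of the burst), that --rcheck lets the source through again at t=1810 (1800 s after the last counted hit) while --update still drops it, and that the chain without a --set rule accepts everything. The practical reading for a "blackhole for 30 minutes" rule is that --seconds 1800 bounds the window in which hits are counted, not the length of the ban: the ban lasts as long as enough hits remain inside that window, and with --update the source's own retries top the window up.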
