On Thu, Mar 07, 2002 at 05:05:32AM -0500, Yan Seiner wrote:
> > > See the recent module.
> > >
> > > Here's what I do:
> > >
> > > $IPTABLES -v -A INPUT -p tcp --source $OUTSIDE -m recent --hitcount 10
> > > --update --seconds 60 -j LOGDROP
> >
> > You may want to tweak the 'hitcount' as some pages do have more than 10
> > components to fetch...
>
> Would an http server create a new TCP connection to the client, though?

It's never the server that creates a connection to the client but in case
of http it's the server which tears down the connection.

> I always thought http was a "pull" thing - the client initiated the
> connection, which would not be matched by the above rule. Maybe I
> misunderstood recent - I thought it only matched SYN tcp packets.

It depends on the server setup. Eg. accessing cnn.com would give me these
SYN packets:

18:06:16.336252 > my.ip.address.1078 > 207.25.71.29.www: S [ECN-Echo,CWR] 3595900408:3595900408(0) win 5840
18:06:19.328928 > my.ip.address.1078 > 207.25.71.29.www: S [ECN-Echo,CWR] 3595900408:3595900408(0) win 5840
18:06:19.580550 > my.ip.address.1080 > 207.25.71.29.www: S [ECN-Echo,CWR] 3591503920:3591503920(0) win 5840
18:06:22.578909 > my.ip.address.1080 > 207.25.71.29.www: S [ECN-Echo,CWR] 3591503920:3591503920(0) win 5840
18:06:23.474846 > my.ip.address.1087 > 207.25.71.29.www: S [ECN-Echo,CWR] 3588838254:3588838254(0) win 5840
18:06:28.578921 > my.ip.address.1080 > 207.25.71.29.www: S [ECN-Echo,CWR] 3591503920:3591503920(0) win 5840
18:06:37.946303 > my.ip.address.1096 > 207.25.71.29.www: S [ECN-Echo,CWR] 3605253360:3605253360(0) win 5840
18:06:40.578921 > my.ip.address.1080 > 207.25.71.29.www: S [ECN-Echo,CWR] 3591503920:3591503920(0) win 5840
18:06:40.938923 > my.ip.address.1096 > 207.25.71.29.www: S [ECN-Echo,CWR] 3605253360:3605253360(0) win 5840
18:06:41.146792 > my.ip.address.1099 > 207.25.71.29.www: S [ECN-Echo,CWR] 3606309355:3606309355(0) win 5840
18:06:44.138912 > my.ip.address.1099 > 207.25.71.29.www: S [ECN-Echo,CWR] 3606309355:3606309355(0) win 5840
18:06:50.138914 > my.ip.address.1099 > 207.25.71.29.www: S [ECN-Echo,CWR] 3606309355:3606309355(0) win 5840
18:06:53.421768 > my.ip.address.1101 > 207.25.71.29.www: S [ECN-Echo,CWR] 3621564489:3621564489(0) win 5840
18:07:04.578908 > my.ip.address.1080 > 207.25.71.29.www: S [ECN-Echo,CWR] 3591503920:3591503920(0) win 5840
18:07:05.323493 > my.ip.address.1104 > 207.25.71.29.www: S [ECN-Echo,CWR] 3638035154:3638035154(0) win 5840
18:07:08.318908 > my.ip.address.1104 > 207.25.71.29.www: S [ECN-Echo,CWR] 3638035154:3638035154(0) win 5840
18:07:23.435225 > my.ip.address.1114 > 207.25.71.29.www: S [ECN-Echo,CWR] 3663508115:3663508115(0) win 5840
18:07:33.044519 > my.ip.address.1118 > 207.25.71.29.www: S [ECN-Echo,CWR] 3666549766:3666549766(0) win 5840
18:07:52.578913 > my.ip.address.1080 > 207.25.71.29.www: S [ECN-Echo,CWR] 3591503920:3591503920(0) win 5840

Some of these are duplicates but you should also take duplicates into
account.

Ramin

> > --Yan
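The following is an added example, not code from either poster: it parses SYN lines in the tcpdump format shown above, separates retransmitted SYNs (same source port and ISN) from distinct connection attempts, and replays the packets through a simplified per-source sliding window that stands in for `-m recent --update --seconds S --hitcount N`. The sliding-window model and the function names are assumptions made for the illustration, not the kernel module's own logic; the sample capture is the first ten lines quoted in the reply.

```python
import re
from datetime import datetime

# Constructed sample: the first ten SYN lines of the tcpdump capture quoted in the reply above.
CAPTURE = """\
18:06:16.336252 > my.ip.address.1078 > 207.25.71.29.www: S [ECN-Echo,CWR] 3595900408:3595900408(0) win 5840
18:06:19.328928 > my.ip.address.1078 > 207.25.71.29.www: S [ECN-Echo,CWR] 3595900408:3595900408(0) win 5840
18:06:19.580550 > my.ip.address.1080 > 207.25.71.29.www: S [ECN-Echo,CWR] 3591503920:3591503920(0) win 5840
18:06:22.578909 > my.ip.address.1080 > 207.25.71.29.www: S [ECN-Echo,CWR] 3591503920:3591503920(0) win 5840
18:06:23.474846 > my.ip.address.1087 > 207.25.71.29.www: S [ECN-Echo,CWR] 3588838254:3588838254(0) win 5840
18:06:28.578921 > my.ip.address.1080 > 207.25.71.29.www: S [ECN-Echo,CWR] 3591503920:3591503920(0) win 5840
18:06:37.946303 > my.ip.address.1096 > 207.25.71.29.www: S [ECN-Echo,CWR] 3605253360:3605253360(0) win 5840
18:06:40.578921 > my.ip.address.1080 > 207.25.71.29.www: S [ECN-Echo,CWR] 3591503920:3591503920(0) win 5840
18:06:40.938923 > my.ip.address.1096 > 207.25.71.29.www: S [ECN-Echo,CWR] 3605253360:3605253360(0) win 5840
18:06:41.146792 > my.ip.address.1099 > 207.25.71.29.www: S [ECN-Echo,CWR] 3606309355:3606309355(0) win 5840
"""

# time > src_host.src_port > dst.port: S [flags] isn:isn(0) ...
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) > (\S+)\.(\d+) > \S+\.\S+: S \S+ (\d+):")

def parse_syns(text):
    """Return (time, src_host, src_port, isn) for each SYN line; anything else is skipped."""
    syns = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        syns.append((t, m.group(2), int(m.group(3)), int(m.group(4))))
    return syns

def dedupe_retransmits(syns):
    """Keep the first SYN of each attempt: a retransmitted SYN reuses source port and ISN."""
    seen, first = set(), []
    for s in syns:
        if s[1:] not in seen:
            seen.add(s[1:])
            first.append(s)
    return first

def recent_matches(syns, hitcount, seconds):
    """Simplified model (an assumption, not the kernel code) of
    `-m recent --update --seconds S --hitcount N`: per source, a sliding window
    of packet times; returns the timestamps at which the N-th packet within S
    seconds arrives, i.e. the points where the LOGDROP target would fire."""
    history, fired = {}, []
    for t, src, _, _ in syns:
        window = [u for u in history.get(src, []) if (t - u).total_seconds() <= seconds]
        window.append(t)
        history[src] = window
        if len(window) >= hitcount:
            fired.append(t.strftime("%H:%M:%S.%f"))
    return fired
```

With the rule's values (hitcount 10, 60 seconds) the raw capture trips the rule on the tenth SYN even though only five distinct connections were attempted, which is the point about duplicates made above.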
