Insert the rule early in the chain. To determine where, I use this command:
iptables -L INPUT -v -n --line-numbers
You should put the new rule before rule 1, I think, so it takes effect
before even the ESTABLISHED rule from the connection tracker.
Use this:
iptables -I INPUT 1 -s 59.64.128.0/19 -p TCP -j DROP
If you think you'll build up a list of attackers, you can use an ipset,
instead. I use firewalld for my own firewalls, which has integral support
for saving and restoring ipsets. You can use a firewalld "direct" rule to
insert an ipset-based ban before other rules in the INPUT chain.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
