On Wed, 2006-03-29 at 04:19 +0400, bash wrote: > Hello All, > > I wanna dynamically block some ip's that load my router with --state NEW > packets (usually it's generated by very aggressive NetLook win > program). But there is a problem -m limit will block all my router's > user, and I wanna block just one ip :/ I'm not entirely sure of what you want to do. Why can you not match source? If you want, match the one IP and send all traffic for that IP to a user defined chain, e.g., : iptables -A FORWARD -s 10.1.1.100 -j SpecialChain iptables -A SpecialChain -j DOWHATEVERYOUWANT If it is that you want to exempt certain addresses, send all the packets to a user defined chain and return the exemptions, e.g., iptables -A FORWARD -j LimitChain iptables -A LimitChain -m iprange --src-range 10.1.1.70-10.1.1.223 -j RETURN iptables -A LimitChain -j LOG, DROP, LIMIT, WHATEVERYOUWANTTODO -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan@xxxxxxxxxxxxxxxxxxx If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net
