Re: help me

On Wed, 2006-03-29 at 04:19 +0400, bash wrote:
> Hello All,
> 
> I wanna dynamically block some IPs that load my router with --state NEW
> packets (usually it's generated by a very aggressive NetLook win
> program). But there is a problem: -m limit will block all my router's
> users, and I wanna block just one IP :/
I'm not entirely sure of what you want to do.  Why can you not match
source? If you want, match the one IP and send all traffic for that IP
to a user defined chain, e.g.:
iptables -A FORWARD -s 10.1.1.100 -j SpecialChain
iptables -A SpecialChain -j DOWHATEVERYOUWANT

If it is that you want to exempt certain addresses, send all the packets
to a user defined chain and return the exemptions, e.g.:

iptables -A FORWARD -j LimitChain
iptables -A LimitChain -m iprange --src-range 10.1.1.70-10.1.1.223 -j RETURN
iptables -A LimitChain -j LOG, DROP, LIMIT, WHATEVERYOUWANTTODO
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
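As an added example (not from John's reply or from the netfilter project), the script below builds the FORWARD -> LimitChain layout he describes, exempts his 10.1.1.70-10.1.1.223 range with RETURN, and fills in the WHATEVERYOUWANTTODO placeholder with a per-source limit on NEW packets using -m hashlimit, which unlike -m limit keeps one token bucket per source address, so one noisy host cannot exhaust a bucket shared by every user. Assumptions: iptables with the iprange, conntrack, hashlimit and limit matches available; the addresses, rates and chain name are illustrative values, not real hosts.

```shell
#!/bin/sh
# Added example, not code from the original mail. Dry run by default: the
# commands are printed for review. Run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"

EXEMPT_RANGE="10.1.1.70-10.1.1.223"  # range from the reply; never limited
NEW_RATE="10/sec"                    # NEW packets allowed per source IP (assumed)
NEW_BURST="20"                       # initial burst per source IP (assumed)

# Emit (or apply) the rule set, one command per line.
build_limit_chain() {
    # Create the user-defined chain and empty it so the script is re-runnable
    # (-N prints an error and continues if the chain already exists).
    $IPT -N LimitChain
    $IPT -F LimitChain
    # 1. Hand every forwarded packet to the user-defined chain.
    $IPT -A FORWARD -j LimitChain
    # 2. Exempt a range: RETURN sends these packets back to FORWARD untouched.
    $IPT -A LimitChain -m iprange --src-range "$EXEMPT_RANGE" -j RETURN
    # 3. Only NEW packets are counted; packets of established flows return.
    #    (conntrack is the current spelling of the mail's -m state --state NEW.)
    $IPT -A LimitChain -m conntrack ! --ctstate NEW -j RETURN
    # 4. Per-source bucket: a source within its rate returns to FORWARD.
    $IPT -A LimitChain -m hashlimit --hashlimit-name newconn \
        --hashlimit-mode srcip --hashlimit-upto "$NEW_RATE" \
        --hashlimit-burst "$NEW_BURST" -j RETURN
    # 5. Offenders only reach here: log (rate-limited so the log itself
    #    cannot be flooded) and drop.
    $IPT -A LimitChain -m limit --limit 3/min -j LOG --log-prefix "NEW-flood: "
    $IPT -A LimitChain -j DROP
}

# Number of -A rules the run emits; useful as a sanity check in dry-run mode.
rule_count() {
    build_limit_chain | grep -c -- ' -A '
}

build_limit_chain
```

In dry-run mode the printed commands can be pasted into an iptables-restore file or reviewed before applying; the exemption rule must stay above the hashlimit rule or exempt hosts are counted too.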
