On 2006.03.28 22:29, bash - 0x62ash@xxxxxxxxx wrote:
On Tue, 28 Mar 2006 20:50:51 -0500 "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxx> wrote: > On Wed, 2006-03-29 at 04:19 +0400, bash wrote: > > Hello All, > > > > I wanna dynamically block some ip's that load my router with --state NEW > > packets (usually it's generated by very aggressive NetLook win > > program). But there is a problem -m limit will block all my router's > > user, and I wanna block just one ip :/ > I'm not entirely sure of what you want to do. Why can you not match > source? If you want, match the one IP and send all traffic for that IP > to a user defined chain, e.g., : > iptables -A FORWARD -s 10.1.1.100 -j SpecialChain > iptables -A SpecialChain -j DOWHATEVERYOUWANT > > If it is that you want to exempt certain addresses, send all the packets > to a user defined chain and return the exemptions, e.g., > > iptables -A FORWARD -j LimitChain > iptables -A LimitChain -m iprange --src-range 10.1.1.70-10.1.1.223 -j > RETURN > iptables -A LimitChain -j LOG, DROP, LIMIT, WHATEVERYOUWANTTODO The problem is that I don't know IP of this machine.... And anyone in my net can run NetLook program... So i want that - if some-one in my net exceed limit then iptables will block this ip dynamically....
I am not an expert on this, but for what it is worth: Perhaps the rules used to detect and limit brute force ssh attacks could be adapted to your need. Does NetLook have a predictable pattern? You can find out about the ssh blocking rules if you search the archives for 'brute force'. Hope that helps. -- Jim Laurino nfcan.x.jimlaur@xxxxxxxx Please reply to the list. Only mail from the listserver reaches this address.
