RE: help me (nfcan: addressed to exclusive sender for this address)

>> I am not an expert on this,
>> but for what it is worth:
>> 
>> Perhaps the rules used to detect
>> and limit brute force ssh attacks
>> could be adapted to your need.
> 
> You are talking about "recent" module... I don't know how I can use
> it in my situation.... 
> 
>> Does NetLook have a predictable pattern?
> 
> Forget about NetLook...
> 
> My criteria for blocking is:
> if the rate of SYN packets from ONE source IP is greater than
> 3 packets/sec => then block this IP
> 
> And I can't add a rule "-m limit" for every source IP in my net,
> because my net is big (~255^3)...

Wouldn't that look something like:

$ipt -A [INPUT|FORWARD] -i $IF_LAN -m state --state NEW -s $LAN_NET \
  -p tcp --syn -m limit --limit 3/sec -j ACCEPT

This would match NEW packets on your LAN interface with SYN set, coming
from any of your LAN IPs, and not allow more than 3 of these per
second. Of course, you'd also need a rule like this to allow the
complete connection:

$ipt -A [INPUT|FORWARD] -m state --state RELATED,ESTABLISHED -j ACCEPT

Or am I missing something ?


Gr,
Rob
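An added example, not part of the thread and not Rob's or the original poster's code. The `-m limit` match keeps one token bucket for the whole rule, so `--limit 3/sec` caps the aggregate SYN rate of the LAN rather than the rate of each host. The per-source-IP behaviour the original poster asked for is what `-m hashlimit --hashlimit-mode srcip` provides (one bucket per source address, with entries that expire so no rule per host is needed), and `-m recent`, the module mentioned earlier in the thread, can then keep an offending host blocked for a while. The chain, interface, network, rate, burst and 60-second block time below are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Per-source-IP SYN rate
# limiting with netfilter's hashlimit match, plus a temporary block of
# hosts that exceed it via the recent match.
#
# "-m limit" is ONE token bucket shared by every packet the rule matches,
# so "--limit 3/sec" caps the whole LAN at 3 SYN/sec. "-m hashlimit
# --hashlimit-mode srcip" keeps a separate bucket per source address, and
# only addresses seen recently occupy table memory (entries expire), so it
# scales to a /8 without one rule per host.
#
# Assumptions for illustration: chain FORWARD, LAN interface eth1, LAN
# 10.0.0.0/8, 3 SYN/sec per host with a burst of 3, 60 s block time.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# syn_rate_rules CHAIN IFACE NET RATE BURST SECONDS
syn_rate_rules() {
    chain=$1
    iface=$2
    net=$3
    rate=$4
    burst=$5
    seconds=$6

    # 1. Packets of established connections never touch the limiter.
    run "$IPT" -A "$chain" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # 2. A host already on the "synflood" list is dropped for SECONDS after
    #    it was last added (--rcheck does not refresh the timestamp, so the
    #    block ends SECONDS after the last over-rate SYN).
    run "$IPT" -A "$chain" -i "$iface" -s "$net" -p tcp --syn \
        -m recent --name synflood --rcheck --seconds "$seconds" -j DROP

    # 3. New SYNs at or under RATE per source address are accepted; the
    #    bucket is keyed on srcip, so each host gets its own allowance.
    run "$IPT" -A "$chain" -i "$iface" -s "$net" -p tcp --syn \
        -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name synlimit --hashlimit-mode srcip \
        --hashlimit-upto "$rate" --hashlimit-burst "$burst" -j ACCEPT

    # 4. Anything left is a SYN over the per-host rate: record the source
    #    (which starts its SECONDS block in rule 2) and drop it.
    run "$IPT" -A "$chain" -i "$iface" -s "$net" -p tcp --syn \
        -m recent --name synflood --set -j DROP
}

# Print the rules for the assumed setup; DRY_RUN=0 applies them instead.
syn_rate_rules FORWARD eth1 10.0.0.0/8 3/sec 3 60
```

Run it as-is to see the four rules, or `DRY_RUN=0 sh syn_rate.sh` as root to load them. Older iptables releases spell the options `--hashlimit` instead of `--hashlimit-upto` and `-m state --state` instead of `-m conntrack --ctstate`; the structure is the same. For a very large table the `--hashlimit-htable-max` option caps the number of tracked addresses.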