On Wed, 29 Mar 2006 20:28:53 +0200 "Rob Sterenborg" <rob@xxxxxxxxxxxxxxx> wrote:

> >> I am not an expert on this,
> >> but for what it is worth:
> >>
> >> Perhaps the rules used to detect
> >> and limit brute force ssh attacks
> >> could be adapted to your need.
> >
> > You are talking about the "recent" module... I don't know how I can use
> > it in my situation....
> >
> >> Does NetLook have a predictable pattern?
> >
> > Forget about NetLook...
> >
> > My criterion for blocking is:
> > if the rate of SYN packets from ONE source IP is greater than
> > 3 packets/sec => then block this IP
> >
> > And I can't add a rule "-m limit" per source IP in my net,
> > because my net is big (~255^3)....
>
> Wouldn't that look something like :
>
> $ipt -A [INPUT|FORWARD] -i $IF_LAN -m state --state NEW -s $LAN_NET \
> -p tcp --syn -m limit --limit 3/sec -j ACCEPT

If just ONE host from my $LAN_NET exceeds this limit, then ALL hosts in $LAN_NET will not be able to start new sessions... and this is bad.
I want to limit 3/sec per host, not for the whole net....

> This would match NEW packets on your LAN interface with SYN set, coming
> from any of your LAN IPs and not allowing more than 3 of these per
> second. Of course, you'd also need a rule like this to allow the
> complete connection :
>
> $ipt -A [INPUT|FORWARD] -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Or am I missing something ?
>
>
> Gr,
> Rob
>
>

--
Biomechanica Artificial Sabotage Humanoid
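An added example (not from the thread) that models the objection above: the token bucket behind `-m limit --limit 3/sec` applied once to all of $LAN_NET, versus one bucket per source IP. The IP addresses and the SYN timings are constructed; the burst depth of 5 is the limit match's default `--limit-burst`.

```python
"""Token-bucket model of iptables '-m limit': one shared bucket for the whole
$LAN_NET (the rule proposed in the thread) versus one bucket per source IP.
Constructed example for this page; not code from the thread."""
from collections import defaultdict

RATE = 3.0   # SYNs per second, as in "--limit 3/sec"
BURST = 5    # bucket depth; the limit match's --limit-burst defaults to 5
FLOODER, HOST_A, HOST_B = "10.0.0.5", "10.0.0.7", "10.0.0.9"  # constructed IPs


class TokenBucket:
    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        """Refill by elapsed time (capped at burst), then spend one token if any."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def shared_limit(syns):
    """A single -m limit rule matching all of $LAN_NET: one bucket for everyone."""
    bucket = TokenBucket()
    return [(t, src) for t, src in syns if bucket.allow(t)]


def per_source_limit(syns):
    """The limit the poster wants: an independent bucket for each source IP."""
    buckets = defaultdict(TokenBucket)
    return [(t, src) for t, src in syns if buckets[src].allow(t)]


def accepted_by_source(accepted):
    counts = defaultdict(int)
    for _, src in accepted:
        counts[src] += 1
    return dict(counts)


# Constructed traffic: FLOODER sends 32 SYN/s for two seconds; HOST_A and
# HOST_B each open one connection per second (times chosen to be exact floats).
SYNS = sorted([(i / 32, FLOODER) for i in range(64)]
              + [(0.5, HOST_A), (1.5, HOST_A), (0.75, HOST_B), (1.75, HOST_B)])

if __name__ == "__main__":
    print("shared bucket    :", accepted_by_source(shared_limit(SYNS)))
    print("per-source bucket:", accepted_by_source(per_source_limit(SYNS)))
```

With the shared bucket the flooder still gets its 10 SYNs through while the two well-behaved hosts get none; with per-source buckets the flooder is held to the same 10 and the other hosts are unaffected. In iptables this per-source behaviour is what the hashlimit match provides (`-m hashlimit --hashlimit-mode srcip`), which the thread does not mention.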