Re: Preventing simple DoS attacks with ipt_recent on Kernel 2.6.9-42.ELsmp

On 11/28/07 10:14, Shaun Mccullagh wrote:
iptables -A FORWARD -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set --name browserconn -j ACCEPT

iptables -A FORWARD -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --rttl --update --seconds 60 --hitcount 100 --name blocked -j DROP

...

Nothing appears in /proc/net/ipt_recent/blocked

...

What am I doing wrong?

I think the problem you are seeing has to do with the difference of "--set" versus "--update" in the recent match. Namely, I'm not sure that "--update" or "--rcheck" will actually add an address to a recent list if it is not already in there.

Is the nc test valid?

I'm guessing so seeing as how you are seeing packets added to the browserconn recent list.



Grant. . . .
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
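Grant's explanation, as an added example that is not code from the thread: a Python model of the recent match (written here for illustration, not netfilter's code) run over a constructed burst, first with the posted rule order and then with the --update --hitcount DROP rule placed before the --set ACCEPT rule on one shared list, which is the usual way to rate-limit with this match. The model uses a constructed --hitcount 10 rather than the posted 100, and the 192.0.2.10 source and packet timing are constructed.

```python
# Added example (not from the thread): a model of the recent match's --set /
# --update / --rcheck semantics as xt_recent implements them (--rttl is not
# modelled), showing why the 'blocked' list stays empty with the posted rule
# order and how one shared list fixes it.
IP_PKT_LIST_TOT = 20   # module parameter (default 20): stamps kept per entry;
                       # older ipt_recent rejects --hitcount larger than this

class RecentList:
    """One /proc/net/ipt_recent/<name> table: addr -> recent timestamps."""
    def __init__(self):
        self.stamps = {}

    def set(self, addr, now):
        # --set: create the entry if needed, add a stamp, always match
        s = self.stamps.setdefault(addr, [])
        s.append(now)
        del s[:-IP_PKT_LIST_TOT]            # keep only the newest stamps
        return True

    def check(self, addr, now, seconds, hitcount, update=False):
        # --rcheck / --update: never create an entry; match when at least
        # hitcount stamps are inside the window; --update stamps only on match
        s = self.stamps.get(addr)
        if s is None or sum(1 for t in s if now - t <= seconds) < hitcount:
            return False
        if update:
            s.append(now)
            del s[:-IP_PKT_LIST_TOT]
        return True

def run_chain(rules, packets):
    """First matching rule decides each NEW packet; ACCEPT if none matches."""
    return [next((tgt for match, tgt in rules if match(a, t)), "ACCEPT")
            for a, t in packets]

def simulate(order):
    """(accepted, dropped, entries in 'blocked') for a constructed SYN burst."""
    conn, blocked = RecentList(), RecentList()
    set_accept = (lambda a, t: conn.set(a, t), "ACCEPT")
    if order == "original":
        # posted order: --set ACCEPT first (matches every NEW packet), then
        # --update on a separate 'blocked' list that nothing ever --set's
        rules = [set_accept, (lambda a, t: blocked.check(a, t, 60, 10, True), "DROP")]
    else:
        # fixed: --update --hitcount DROP on the SAME list, then --set ACCEPT
        rules = [(lambda a, t: conn.check(a, t, 60, 10, True), "DROP"), set_accept]
    pkts = [("192.0.2.10", t) for t in range(30)]   # constructed: 30 SYNs, 1/s
    v = run_chain(rules, pkts)
    return v.count("ACCEPT"), v.count("DROP"), len(blocked.stamps)
```

With the posted order every packet is accepted by the first rule and 'blocked' never gains an entry; with the shared list the eleventh packet inside the window is the first one dropped.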
