On Tue, 2008-11-25 at 21:07 +0100, Adem wrote:
> "Adem" wrote:
> >
> > How would you code this rule in iptables:
> >
> > If anybody tries to do more than 1 connection to port 8191
> > within 20 seconds, regardless of the protocol, then DROP
> > it and ignore any further connect attempts on that port
> > from that source for 20 seconds.
>
> The following should work, but it somehow doesn't work in iptables v1.4.1.1:
> ...
> # if anybody from the list WATCHLIST, and in the last 20 sec, tries to do new connect attempts then DROP them!
> /sbin/iptables -A INPUT --match recent --name WATCHLIST --rcheck --seconds 20 -j DROP
>
> # accept client at port 8191 (all protocols) and register in WATCHLIST
> # BUG: if "-p XXX" is left out or if instead "-p all" is used then the rule gets eliminated!
> /sbin/iptables -A INPUT -p all --dport 8191 --match recent --name WATCHLIST --set -j DROP
> ...
>
> It works only if "-p tcp" is specified.

From the man page:

    These extensions can be used if ‘--protocol tcp’ is specified.

    These extensions can be used if ‘--protocol udp’ is specified.

Hence, these extensions cannot be used with '--protocol all'.

So, it looks like you will need to double the number of rules you have.

> Isn't that a bug in iptables?

Doesn't look like it.

-- 
Matt Zagrabelny - mzagrabe@xxxxxxxxx - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot lose.
-Jim Elliot
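The doubled rule set Matt's answer points at, as an added example that is not part of the thread and not Adem's script: one pair of rules per protocol, because --dport and the tcp/udp extensions only exist once -p tcp or -p udp is given. The function emits the rules as text so they can be reviewed (or run through iptables-restore style tooling) before being applied; the IPTABLES variable, the apply_rules helper and the APPLY switch are assumptions of this example. It also orders the rules so that the first attempt is recorded and accepted, and only the second attempt inside the window is dropped, which is what the original question describes.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# IPTABLES, apply_rules and APPLY are this example's own assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# recent_rules PORT LISTNAME SECONDS
# Print two rules per protocol (tcp and udp), since the recent match and
# --dport cannot be combined with "-p all".
#
# Rule order matters: the --update check must come *before* the --set rule.
# If --set -j DROP came first, every attempt (including the first) would be
# registered and dropped, which is not what the question asks for.
recent_rules() {
    port=$1
    list=$2
    secs=$3
    for proto in tcp udp; do
        # For tcp, count only connection attempts (SYN); otherwise every
        # packet of an already accepted session would refresh the timer.
        # UDP has no handshake, so every datagram to the port counts.
        if [ "$proto" = tcp ]; then
            match="-p tcp --syn --dport $port"
        else
            match="-p udp --dport $port"
        fi
        # 1) Source already in LISTNAME and seen within SECONDS: drop it and
        #    refresh its timestamp (--update), so each further attempt keeps
        #    extending the ignore window. Use --rcheck instead if the window
        #    should be fixed from the first attempt rather than sliding.
        printf '%s -A INPUT %s -m recent --name %s --update --seconds %s -j DROP\n' \
            "$IPTABLES" "$match" "$list" "$secs"
        # 2) First attempt in the window: record the source and accept.
        printf '%s -A INPUT %s -m recent --name %s --set -j ACCEPT\n' \
            "$IPTABLES" "$match" "$list"
    done
}

# apply_rules PORT LISTNAME SECONDS
# Execute the generated rules in order; needs root and the xt_recent module.
apply_rules() {
    recent_rules "$@" | while IFS= read -r rule; do
        eval "$rule" || return 1
    done
}

# Default: print the rules for the case from the thread (port 8191, 20 s).
# Set APPLY=yes to load them into the running firewall instead.
if [ "${APPLY:-no}" = yes ]; then
    apply_rules 8191 WATCHLIST 20
else
    recent_rules 8191 WATCHLIST 20
fi
```

Run it without arguments to review the four rules; run it as root with APPLY=yes to install them. A source is dropped only from its second attempt within the window on, and with --update every dropped attempt pushes the window out by another 20 seconds, so a client that keeps retrying stays ignored until it has been quiet for the full window. If you want an entry to expire 20 seconds after the first attempt no matter what, swap --update for --rcheck in the first rule.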