Hello,

> Thanks a lot, what about this ruleset?
>
> iptables -A INPUT -p tcp --syn -m hashlimit \
>   --hashlimit 1/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000 \
>   --hashlimit-mode srcip --hashlimit-name testlimit -j ACCEPT
> iptables -A INPUT -j DROP
>
> The concept here is that the blocked IP doing the SYN flood will be
> blacklisted for 5 min and will be checked again after that interval.

I think it won't work as a blacklist; it will just drop SYNs that are above
1/sec. Option htable-expire is not for blacklisting but for setting the
timeframe in which hashlimit is operating (e.g. it won't work well if you
set htable-expire to 300s and have hashlimit set to 20/hour).

To obtain the desired effect you can use the recent module (great work by
Stephen Frost, by the way):

iptables -A INPUT -m recent --name blacklist --rcheck --seconds 300 \
  -j DROP
iptables -A INPUT -p tcp --syn -m hashlimit \
  --hashlimit 1/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000 \
  --hashlimit-mode srcip --hashlimit-name testlimit -j ACCEPT
iptables -A INPUT -m recent --name blacklist --set -j DROP

You can find more information about recent here:
 - http://snowman.net/projects/ipt_recent/
 - and in the manpage;

Best regards,
Marek
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
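The difference between the two rulesets in the thread above is easiest to see by replaying a SYN trace through them. The model below is an added example, not code from the thread or from the netfilter project: it approximates xt_hashlimit as a per-source token bucket (credit refilled at --hashlimit, capped at --hashlimit-burst, entry garbage-collected after --hashlimit-htable-expire of silence) and reduces xt_recent to the timestamp of the last --set (the real module keeps a hit history, which this use does not need). The addresses and the packet timeline are constructed; every packet is a TCP SYN; the verdict names are labels chosen here. It also covers Marek's second point, the interaction of a 300 s htable-expire with a 20/hour rate.

```python
"""Added example (not from the netfilter thread): a small model of the
hashlimit and recent matches, used to replay a constructed SYN trace
through the original ruleset and the recent-based one quoted above.
Timestamps are seconds; every packet is a TCP SYN from the given source.
"""
from collections import Counter

RATE = 1.0               # --hashlimit 1/sec
BURST = 4                # --hashlimit-burst 4
HTABLE_EXPIRE = 300.0    # --hashlimit-htable-expire 300000 (ms), as seconds
BLACKLIST_SECONDS = 300  # --rcheck --seconds 300


class HashLimit:
    """Token bucket per source address (--hashlimit-mode srcip).

    An entry not seen for `expire` seconds is garbage collected, so the next
    packet from that source starts a fresh entry with a full burst.  That is
    all htable-expire controls; it is not a blacklist timer.
    """
    def __init__(self, rate=RATE, burst=BURST, expire=HTABLE_EXPIRE):
        self.rate, self.burst, self.expire = rate, burst, expire
        self.table = {}  # src -> [credit, last_seen]

    def match(self, src, now):
        entry = self.table.get(src)
        if entry is None or now - entry[1] > self.expire:
            entry = [self.burst, now]          # new or expired entry: full burst
        credit = min(self.burst, entry[0] + (now - entry[1]) * self.rate)
        ok = credit >= 1.0                     # one packet costs one credit
        if ok:
            credit -= 1.0
        self.table[src] = [credit, now]
        return ok


class Recent:
    """xt_recent list (simplified): --set records the source, --rcheck tests
    it without touching the timestamp (--update would refresh it)."""
    def __init__(self):
        self.last_set = {}

    def set(self, src, now):
        self.last_set[src] = now

    def rcheck(self, src, now, seconds):
        return src in self.last_set and now - self.last_set[src] <= seconds


def original_ruleset(hl, recent, t, src):
    # iptables -A INPUT -p tcp --syn -m hashlimit ... -j ACCEPT
    # iptables -A INPUT -j DROP
    if hl.match(src, t):
        return "ACCEPT"
    return "DROP"            # only this SYN is dropped; nothing is remembered


def recent_ruleset(hl, recent, t, src):
    # iptables -A INPUT -m recent --name blacklist --rcheck --seconds 300 -j DROP
    if recent.rcheck(src, t, BLACKLIST_SECONDS):
        return "DROP:blacklisted"
    # iptables -A INPUT -p tcp --syn -m hashlimit ... -j ACCEPT
    if hl.match(src, t):
        return "ACCEPT"
    # iptables -A INPUT -m recent --name blacklist --set -j DROP
    recent.set(src, t)
    return "DROP:blacklist-set"


def replay(ruleset, trace):
    """Run one ruleset over a (time, src) trace; returns per-source verdict counts."""
    hl, recent = HashLimit(), Recent()
    counts = {}
    for t, src in trace:
        counts.setdefault(src, Counter())[ruleset(hl, recent, t, src)] += 1
    return counts


ATTACKER, CLIENT = "198.51.100.9", "203.0.113.5"  # constructed addresses
TRACE = ([(0, ATTACKER)] * 6            # 6 SYNs at t=0: two over the burst of 4
         + [(1, CLIENT), (2, ATTACKER), (100, ATTACKER), (299, ATTACKER),
            (301, ATTACKER), (320, CLIENT)])


def htable_expire_demo(expire):
    """Marek's second point: --hashlimit 20/hour with a given htable-expire.
    Three bursts of 4 SYNs, 301 s apart; returns how many are accepted."""
    hl = HashLimit(rate=20 / 3600, burst=4, expire=expire)
    return sum(hl.match(ATTACKER, t) for t in (0, 301, 602) for _ in range(4))


if __name__ == "__main__":
    for name, rs in (("original", original_ruleset), ("recent", recent_ruleset)):
        print(name, {src: dict(c) for src, c in replay(rs, TRACE).items()})
    print("20/hour, expire 300s :", htable_expire_demo(300))
    print("20/hour, expire 3600s:", htable_expire_demo(3600))
```

With the original ruleset the attacker loses only the two SYNs that exceed the burst and is accepted again one second later; with the recent-based ruleset the first excess SYN puts the source on the list and every SYN for the next 300 s is dropped by the first rule, after which (t=301) the source is checked afresh by hashlimit, which is the behaviour the original poster wanted. The 20/hour case shows why Marek warns about htable-expire: with a 300 s expiry the depleted entry is discarded between bursts and each burst gets a fresh 4 credits, whereas a 3600 s expiry keeps the state and admits far fewer. One caveat of my own on the posted rules: the final `--set -j DROP` rule is not restricted to `-p tcp --syn`, so anything else that reaches the end of the chain would also blacklist its source; in practice the chain should accept established traffic first or carry the same `--syn` restriction on that rule.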