> Could you kindly enlighten me in that direction with possibly little > examples. > # Generated by iptables-save v1.4.5 on Mon Mar 29 12:04:05 2010 *filter :INPUT ACCEPT [1:68] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1:68] -A INPUT -p tcp -m hashlimit --hashlimit-above 3/min --hashlimit-burst 1 --hashlimit-name hashlimit -m state --state NEW -m tcp --dport 22 -j MARK --set-xmark 0x1/0xffffffff -A INPUT -m recent --rcheck --seconds 600 --name DEFAULT --rsource -j DROP -A INPUT -m mark --mark 0x1 -m recent --set --name DEFAULT --rsource -j DROP COMMIT # Completed on Mon Mar 29 12:04:05 2010 Should do what you're looking for... Rule 1: Check the hashlimit and if more than 3/min then mark the packets. Rule 2: Check the recent table to see if the address is in it and has been seen in the last 10 mins and drop if it has Rule 3: If the packet has been marked by rule 1 (actually could be combined with rule one just gets to a long line and a mess to explain) add the source address (the --set option of recent) and drop. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
