On Sat, 2011-10-22 at 18:21 +0200, Azerty Ytreza wrote:
> > Hitcount matches when the number of packets is greater than or *equal*,
> > so defining a number of "1" will always match.
>
> I have tried to increase that but it's the same thing.
> iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -m state --state
> NEW -m recent --update --seconds 600 --hitcount 10 -j DROP
>
> > Also, hitcount refers to number of packets, so you'll need a rule in
> > there to only apply the DROP to NEW connections, otherwise you'll block
> > a successful connection as soon as that number of packets has been sent.
>
> Yes, I have modified these rules by removing "NEW" but the port is
> always blocked :(
> iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -m state --state
> RELATED,ESTABLISHED -j ACCEPT

Can you re-post all the rules please so that we can have a look at them?

> > This website is quite good:
> >
> > http://thiemonagel.de/2006/02/preventing-brute-force-attacks-using-iptables-recent-matching/
> >
> > Although you'll have to change INPUT to FORWARD.
>
> This website uses blacklist and name, but it's the same in my rules, no?

"Probably", although I've not looked closely. If you really have written equivalent rules then it should work okay.

If you can re-post all your rules then we can check.

Andy

P.S. You forgot to copy the list again!
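As an added illustration of the "greater than or equal" point above (not code from the thread or from netfilter), here is a small Python model of how the `recent` match evaluates `--set` and `--update --seconds --hitcount` on a sequence of NEW-connection attempts. It follows the xt_recent logic as I understand it (an assumption, and it keeps every timestamp rather than the kernel's bounded per-entry list); the source addresses and timings are constructed.

```python
# Toy model of the iptables "recent" match (xt_recent), added here to reason
# about rule ordering. --set records a timestamp for the source address;
# --rcheck/--update match when at least `hitcount` recorded timestamps fall
# inside the last `seconds` (count >= hitcount, so hitcount 1 matches any
# listed source), and --update also records a timestamp when it matches.
# Simplification (assumption): the kernel caps stamps per entry
# (ip_pkt_list_tot); this model keeps them all.

class Recent:
    def __init__(self):
        self.stamps = {}  # source address -> list of timestamps (seconds)

    def set(self, src, now):
        """--set: always matches and records a timestamp for src."""
        self.stamps.setdefault(src, []).append(now)
        return True

    def check(self, src, now, seconds=0, hitcount=0, update=False):
        """--rcheck (update=False) or --update (update=True).
        seconds=0 means no time window; hitcount=0 means 'any stamp'."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src]
                   if not seconds or now - t <= seconds)
        matched = hits >= max(hitcount, 1)
        if matched and update:
            self.stamps[src].append(now)  # --update refreshes "last seen"
        return matched


def forward_verdicts(attempts, seconds=600, hitcount=10):
    """Run NEW-connection attempts, given as (time, source) tuples, through
    the two-rule pattern the thread works towards:
        -m state --state NEW -m recent --set
        -m state --state NEW -m recent --update --seconds S --hitcount N -j DROP
    Returns one verdict per attempt, 'ACCEPT' or 'DROP', in order."""
    table = Recent()
    verdicts = []
    for now, src in attempts:
        table.set(src, now)  # first rule: every NEW packet is recorded
        dropped = table.check(src, now, seconds, hitcount, update=True)
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts


if __name__ == "__main__":
    # Constructed sample: 12 connection attempts, one per second, from one host.
    sample = [(t, "10.0.0.1") for t in range(12)]
    print(forward_verdicts(sample))                # tenth attempt onward: DROP
    print(forward_verdicts(sample[:3], hitcount=1))  # hitcount 1: every attempt DROP
```

Changing `hitcount` and `seconds` in the sample shows exactly at which attempt the DROP starts and when a quiet source is admitted again after the window.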