>> > Hitcount matches when the number of packets is greater than or *equal*,
>> > so defining a number of "1" will always match.
>>
>> I have tried to increase that but it's the same thing.
>> iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -m state --state
>> NEW -m recent --update --seconds 600 --hitcount 10 -j DROP
>>
>> >
>> > Also, hitcount refers to number of packets, so you'll need a rule in
>> > there to only apply the DROP to NEW connections, otherwise you'll block
>> > a successful connection as soon as that number of packets has been sent.
>>
>> Yes, I have modified these rules by removing "NEW" but the port is
>> always blocked :(
>> iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -m state --state
>> RELATED,ESTABLISHED -j ACCEPT
>
> Can you re-post all the rules please so that we can have a look at them?

It's OK! I have found my error... Thank you for your help!
My big mistake was with the INPUT rule followed by a FORWARD :(
I didn't know that FORWARD opens the port without INPUT.

Also, the error was here:
iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -m state --state **NEW,**RELATED,ESTABLISHED -j ACCEPT

Also, do you have an idea about my corrupted log? It's probably linked to LXC, but is there a way to check where the problem comes from?

>> > This website is quite good:
>> >
>> > http://thiemonagel.de/2006/02/preventing-brute-force-attacks-using-iptables-recent-matching/
>> >
>> > Although you'll have to change INPUT to FORWARD.
>> >
>>
>> This website uses a blacklist and a name, but it's the same in my rules, no?
>
> "Probably", although I've not looked closely. If you really have written
> equivalent rules then it should work okay. If you can re-post all your
> rules then we can check.
>
> Andy
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
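The two points Andy makes in the thread (hitcount is a greater-or-equal test on packets, so the recent rules must only see NEW connections and must sit before any ACCEPT that covers NEW), as an added example that is not from the thread or from netfilter: a small Python model of xt_recent's --set/--update behaviour, run against a FORWARD chain in the corrected order and against a hypothetical order where an ACCEPT covering NEW is placed above the recent rules. It assumes integer timestamps and ignores the kernel's per-entry list-size limit; the traffic and addresses are constructed.

```python
from collections import defaultdict

class RecentTable:
    """Per-source packet timestamps, like the kernel's recent list (model)."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record this packet for src; always matches."""
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when src already has >= N
        stamps within S seconds (so N=1 matches every source already listed);
        a match also records this packet, so the block keeps extending."""
        hits = sum(now - t <= seconds for t in self.stamps.get(src, ()))
        if hits >= hitcount:
            self.stamps[src].append(now)
        return hits >= hitcount

def recent_update(seconds, hitcount):
    return lambda tbl, src, now: tbl.update(src, now, seconds, hitcount)
RECENT_SET = lambda tbl, src, now: tbl.set(src, now)
ALWAYS = lambda tbl, src, now: True
# A rule is (conntrack states, match, target); target None = no -j, keep walking.
# Correct order: RELATED,ESTABLISHED first, so packets of accepted connections
# are never counted and only the SYN of each NEW connection reaches recent.
FIXED_FORWARD = [
    ({"RELATED", "ESTABLISHED"}, ALWAYS, "ACCEPT"),
    ({"NEW"}, RECENT_SET, None),
    ({"NEW"}, recent_update(600, 10), "DROP"),
    ({"NEW"}, ALWAYS, "ACCEPT"),
]
# Hypothetical bad order: an ACCEPT that also covers NEW sits above the recent
# rules, so they never see a packet and no source is ever rate-limited.
BROKEN_FORWARD = [({"NEW", "RELATED", "ESTABLISHED"}, ALWAYS, "ACCEPT")] + FIXED_FORWARD[1:3]
def simulate(chain, packets):
    """Verdict per (src, state, time) packet, walked against a fresh table."""
    table, verdicts = RecentTable(), []
    for src, state, now in packets:
        verdict = "ACCEPT"  # assumed chain policy
        for states, match, target in chain:
            if state in states and match(table, src, now) and target:
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts

SYNS = [("10.0.0.5", "NEW", t) for t in range(12)]  # constructed: 12 SYNs in 12 s
```

With the corrected order the tenth new connection inside the window is dropped and established packets are never counted, while with the bad order every connection is accepted; a --hitcount of 1 drops every NEW packet from a source as soon as it is in the list.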