Re: iptable rate limit challenge.. help please..!


On Thursday 2012-06-07 23:40, José Pablo Pérez wrote:

> I have CentOS and iptables with GeoIP module enabled,
>
> So far I have this rule working which works perfect:
>
> iptables -I INPUT -m geoip --src-cc GB -j DROP;
>
> But I need to make it more complex:
>
> Before dropping traffic I need to:
>
> 1. allow up to a connection limit of 50 for the entire country.
> 2. allow up to 30 requests/second to the entire country.
> 3. drop the particular IPs with -m recent and a timeout of 3800 for those IPs from
>    that country that violated that limit.
> 4. And finally log whatever has been dropped with excessive logging protection.
> 5. A plus.. if I can get to DROP the entire class C (/24) of the offending IP that
>    violated the limits instead of just the /32

# the per-country chain has to exist before INPUT can jump to it
-N gb
# you don't want to log these, it would be just noise
-A INPUT -m recent --recent-name offenders --rcheck --seconds 3800 -j DROP
-A INPUT -m geoip --src-cc GB -j gb
-A gb -m connlimit --connlimit-upto 50 -m limit --limit 30/s -j RETURN
-A gb -m recent --recent-name offenders --set -j LOG ...
-A gb -j DROP

To 2. you have to define what a request is, otherwise it'll bite you.
To 5. not really available.

And your requirements have a fundamental flaw: a single address can make the
country go over the limit, and everybody will end up in the blacklist.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
