On Friday 2012-06-08 00:38, Jan Engelhardt wrote:

>On Thursday 2012-06-07 23:40, José Pablo Pérez wrote:
>
>> I have CentOS and iptables with GeoIP module enabled,
>>
>> So far I have this rule, which works perfectly:
>>
>> iptables -I INPUT -m geoip --src-cc GB -j DROP;
>>
>> But I need to make it more complex:
>>
>> Before dropping traffic I need to:
>>
>> 1. allow up to a connection limit of 50 for the entire country.
>> 2. allow up to 30 requests/second to the entire country.
>> 3. drop the particular IPs with -m recent and a timeout of 3800 for those IPs from
>>    that country that violated that limit.
>> 4. And finally log whatever has been dropped with excessive logging protection.
>> 5. A plus: if I can get to DROP the entire class C (/24) of the offending IP that
>>    violated the limits instead of just the /32
>
>-A INPUT -m recent --recent-name offenders --rcheck --seconds 3800 -j DROP
>    # you don't want to log these, it would be just noise
>-A INPUT -m geoip --src-cc GB -j gb
>-A gb -m connlimit --connlimit-upto 50 -m limit --limit 30/s -j RETURN

Since you wanted only 50 for the entire country, add --connlimit-mask 0.

>-A gb -m recent --recent-name offenders --set -j LOG ...
>-A gb -j DROP
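The following script is an added example, not code from Jan's reply or from the netfilter project: it assembles the chain sketched above (ban list check first, per-country chain, connlimit with --connlimit-mask 0 so the 50 connections are counted for the whole country, then record, log and drop) as a reviewable shell function. It names the xt_recent list with the recent match's --name option, separates the --set rule from the LOG rule so the address is recorded regardless of log rate limiting, and adds a limit match on the LOG rule for the "excessive logging protection" the question asked for. The chain name, the log prefix and the log rate (5/min, burst 10) are assumptions of this example. By default IPT is "echo iptables", so the script prints the rules instead of applying them; run it with IPT=iptables as root to load them.

```shell
#!/bin/sh
# Added example: per-country connection/rate limiting with a recent-based ban
# list, modelled on the reply above. Not the thread author's code.

IPT="${IPT:-echo iptables}"   # "echo iptables" = dry run; IPT=iptables applies
CC="${CC:-GB}"                # country code from the question
CHAIN="${CHAIN:-gb}"          # per-country chain (name assumed here)
LIST="offenders"              # xt_recent list name
BAN_SECONDS=3800              # ban duration from the question
CONN_LIMIT=50                 # connections allowed for the whole country
RATE="30/s"                   # packet rate allowed for the whole country
LOG_RATE="5/min"              # assumed: cap on log lines to avoid flooding
LOG_BURST=10

country_rules() {
    # 1. Anything already on the ban list is dropped silently for BAN_SECONDS.
    #    --rcheck only tests membership; it does not refresh the timestamp.
    $IPT -A INPUT -m recent --name "$LIST" --rcheck --seconds "$BAN_SECONDS" -j DROP

    # 2. Hand every packet from the country to its own chain.
    $IPT -N "$CHAIN"
    $IPT -A INPUT -m geoip --src-cc "$CC" -j "$CHAIN"

    # 3. Within limits: RETURN to INPUT so later rules decide.
    #    --connlimit-mask 0 groups all source addresses under a /0, so the
    #    count is for the entire country rather than per source address.
    $IPT -A "$CHAIN" -m connlimit --connlimit-upto "$CONN_LIMIT" --connlimit-mask 0 \
        -m limit --limit "$RATE" -j RETURN

    # 4. Over the limits: record the source on the ban list (a match-only rule;
    #    --set always matches and adds the address), log with its own rate
    #    limit, then drop.
    $IPT -A "$CHAIN" -m recent --name "$LIST" --set
    $IPT -A "$CHAIN" -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix "GEO-DROP: "
    $IPT -A "$CHAIN" -j DROP
}

# Dry run by default: prints the seven iptables commands.
country_rules
```

Order matters: the ban-list check is appended to INPUT before the geoip jump, so a banned source never reaches the connlimit rule and never generates a log line, as the reply intends. If the recent list should work on whole /24s (item 5 of the question), newer iptables versions accept a --mask option on the recent match (for example --mask 255.255.255.0 on both the --set and the --rcheck rules); check that the iptables and kernel in use support it before relying on it.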