Hello!!,
I know this sounds strange but I need to block an entire country if it
hits a connection limit threshold. For the purpose of this test I set
that to 1 so it hits fast. Please note that I am already using a conn
mask of 0.
Both examples just BAN my individual IP and not all of the country. How?
Regards,
JP
------------ This is the example with ipset -----------
# We create the ipset lists (old "ipset -N name type" syntax)
ipset -N CR_set iphash
ipset -N WHOLE_set iphash
ipset -N Ban_list iptree --timeout 3800
# (CR_set is created but not referenced by the rules below)
# We create and apply the chain
iptables -N reject_whole_country
iptables -A INPUT -j reject_whole_country
# Every source address geolocated to CR is recorded in WHOLE_set
iptables -A reject_whole_country -m geoip --src-cc CR -j SET --add-set WHOLE_set src
# Once the aggregate connection count (mask 0 = one counter for all sources)
# exceeds 1, the offending packet's source address is added to Ban_list
iptables -A reject_whole_country -m set --match-set WHOLE_set src -m connlimit --connlimit-above 1 --connlimit-mask 0 -j SET --add-set Ban_list src
# This rule applies the ban list
iptables -A INPUT -m set --match-set Ban_list src -j REJECT
------------ This is the example with -m recent -----------
# Reject any source address seen in the default recent list within 3800 s
iptables -A INPUT -m recent --rcheck --seconds 3800 -j REJECT
iptables -N reject_whole_country
iptables -A INPUT -j reject_whole_country
# Every source address geolocated to CR is recorded in WHOLE_set
iptables -A reject_whole_country -m geoip --src-cc CR -j SET --add-set WHOLE_set src
# Once the aggregate connection count exceeds 1, record the packet's source
# address in the recent list and reject it
iptables -A reject_whole_country -m set --match-set WHOLE_set src -m connlimit --connlimit-above 1 --connlimit-mask 0 -m recent --set -j REJECT
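An added example (not part of the original post) showing one way to turn the per-address ban above into a country-wide one: xt_recent is keyed with --rdest, so the entry it stores is the server's own address, which every client shares, instead of one client's source address. It assumes the same country code CR, threshold 1 and 3800 s window as the post, plus a list name cr_ban and an IPT variable that defaults to echo so the rules can be previewed without root.

```shell
#!/bin/sh
# Added example: whole-country threshold ban built on xt_recent's --rdest.
# Assumed values (not from the original post): list name cr_ban, IPT=echo
# for a dry run. Run with IPT=iptables as root to actually load the rules.
IPT=${IPT:-echo}
CC=${CC:-CR}
LIMIT=${LIMIT:-1}
BAN_SECS=${BAN_SECS:-3800}
LIST=${LIST:-cr_ban}

country_ban_rules() {
    # 1. While a ban is active, i.e. our own address was recorded in the
    #    list within the last BAN_SECS, reject everything geolocated to CC.
    #    --rdest keys the list on the packet's destination (our address),
    #    so a single entry covers every client from that country. Using
    #    --rcheck keeps the window fixed; --update would extend it on each hit.
    $IPT -A INPUT -m geoip --src-cc "$CC" \
        -m recent --name "$LIST" --rdest --rcheck --seconds "$BAN_SECS" \
        -j REJECT
    # 2. When the aggregate connection count from CC exceeds LIMIT
    #    (connlimit-mask 0 folds every source into one counter), record our
    #    destination address in the list and reject this packet. The entry
    #    arms rule 1 for all subsequent traffic from CC to that address.
    $IPT -A INPUT -m geoip --src-cc "$CC" \
        -m connlimit --connlimit-above "$LIMIT" --connlimit-mask 0 \
        -m recent --name "$LIST" --rdest --set \
        -j REJECT
}

country_ban_rules
```

A host with several addresses gets one independent ban per address, because each destination is a separate entry in the recent list.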