Hi,

We have some rate limits on port 80 only, they work as intended (almost) and we are happy with the outcome (almost). So now, the "almost"s: we obviously do not want to limit our LAN, but our LAN is affected. I'm sure it's an out-of-order rule, but here goes :->

/usr/sbin/iptables -F
/usr/sbin/ip6tables -F
/usr/sbin/iptables -X
/usr/sbin/ip6tables -X
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/ip6tables -P INPUT ACCEPT
/usr/sbin/ip6tables -P OUTPUT ACCEPT
/usr/sbin/ip6tables -P FORWARD DROP
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/usr/sbin/ip6tables -A INPUT -s fe80::/10 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -d ff00::/8 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 199.x.x.x/22 -j ACCEPT
/usr/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
/usr/sbin/ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
..some other rules for other ports...
/usr/sbin/iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
/usr/sbin/iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 5 --hitcount 2 -j DROP
/usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 1:1023 -j DROP

We obviously don't want our 199.x.x.x/22 limited, but it is. I thought being before this rule it would be immune; also, if we use localhost, it too is limited. I guess it's because we use -I, which inserts at the top of the rules, but if we used -A in the two recent rule lines we found it didn't always work at all? Any suggestions?

Thanks
Nik
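An added example, not part of the original post: the same INPUT chain built with -A only, so the chain order equals script order and the loopback and LAN ACCEPT rules are matched before the recent-match limiter (with -I the two limiter rules land at position 1 and 2, above every exemption). The IPT dry-run prefix, the LAN placeholder, the --name http list and the check_order helper are assumptions; set IPT=/usr/sbin/iptables and the real prefix to apply it.

```shell
#!/bin/sh
# Added example; assumptions: IPT defaults to a dry-run printer so the rule
# list can be reviewed without root, LAN is the post's redacted prefix.
dryrun() { printf '%s\n' "$*"; }
IPT=${IPT:-dryrun}
LAN=${LAN:-199.x.x.x/22}   # placeholder from the post, replace with the real prefix

# build_input_chain: -A throughout, exemptions first, limiter after them.
# Packets from lo, from the LAN, or belonging to ESTABLISHED flows are
# accepted before netfilter ever evaluates the recent rules, so only NEW
# port-80 connections from outside are counted and rate limited.
build_input_chain() {
  $IPT -F INPUT
  $IPT -P INPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -s "$LAN" -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # limiter: record every NEW SYN, drop the 2nd within 5 s (same counts as the post)
  $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --name http --set
  $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --name http \
       --update --seconds 5 --hitcount 2 -j DROP
  $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
  $IPT -A INPUT -p tcp --dport 1:1023 -j DROP
}

# check_order: read rules in "iptables -S INPUT" form on stdin; exit 0 only if
# the lo ACCEPT and the LAN ACCEPT both come before the first "-m recent" rule.
check_order() {
  awk -v lan="$LAN" '
    /-m recent/ && !limiter           { limiter = NR }
    /-i lo -j ACCEPT/ && !lo          { lo = NR }
    index($0, "-s " lan) && /-j ACCEPT/ && !lanrule { lanrule = NR }
    END { exit !(limiter && lo && lanrule && lo < limiter && lanrule < limiter) }'
}
```

Run `iptables -S INPUT | LAN=<prefix> sh -c '. ./script; check_order'` against a live box to confirm the exemptions really sit above the limiter after the rules are loaded.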