On Thu, Jun 23, 2016 at 06:39:46PM +0800, Irwin L. wrote:
> I currently use:
> tcp dport {22222,40022,42222} ct state new counter flow table bruteforce {
> ip saddr limit rate 3/minute } counter accept comment "limit bruteforce"
>
> Is this ok?
Looks good to me. I would probably check for ct state new in first
place, given that this only matches the first packet a new TCP
connections. It will save you the tcp dport set lookup.
Note that you can even limit this per port, ie.
ct state new tcp dport {22222,40022,42222} counter \
flow table bruteforce { ip saddr . tcp dport limit rate 3/minute } \
counter accept comment "limit bruteforce"
using the 'ip saddr . tcp dport' concatenation. But I guess you want
globally ban anyone spamming you to those ports anyway.
> I wanted to ban spamming ips altogether, but I've since learned that this is
> the job of 'fail2ban'
fail2ban is nice to have to simplify this administrative hassle, but I
think it is still using iptables (it's been a while a I didn't look at
that code), we can do much better now with nft to resolve this problem.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
