On 2/23/2023 6:15 AM, Kerin Millar wrote:
On Thu, 23 Feb 2023 13:50:33 +0100
Fourhundred Thecat <400thecat@xxxxxx> wrote:
> On 2023-02-23 12:34, Kerin Millar wrote:
On Thu, 23 Feb 2023 12:04:44 +0100
Fourhundred Thecat <400thecat@xxxxxx> wrote:
The following option is detailed by iptables-extensions(8).
--exist
when adding an entry if it already exists, reset the timeout
value to the specified one or to the default from the set defi‐
nition
OK, thank you. But now I have this problem:
I want to:
1) reset timeout if IP alredy in PORTSCAN
2) drop the packet
I wrote these 2 rules:
1) -A INPUT -j SET --add-set PORTSCAN src --timeout 3600 --exist
2) -A INPUT -m set --match-set PORTSCAN src -j DROP
but the problem is, rule 1) matches everything, not just IPs already in
PORTSCAN. This basically adds everything to PORTSCAN
How can I combine these two rules into one, so that I only reset IPs
that are already in PORTSCAN ?
Given the constraints imposed by iptables, the problem needs to be reasoned with in a different fashion. I think that the following will satisfy your requirements.
-N reset_and_drop
-A reset_and_drop -j SET --add-set PORTSCAN src --timeout 3600 --exist
-A reset_and_drop -j DROP
-A INPUT -m set --match-set PORTSCAN src -j reset_and_drop
...
-A INPUT -p tcp -m tcp --dport 22222 -j ACCEPT
...
-A INPUT -m addrtype --src-type UNICAST -j reset_and_drop
Out of curiosity, why is that last line (explicitly setting addrtype [to
UNICAST]) needed? I had long understood that that was effectively the
default already?
--
gordonfish
