Re: IPtables rate limiting question

On Fri, 25 Oct 2024, at 9:13 PM, Slavko wrote:
> On 25 October 2024 at 18:12:56 UTC, Kerin Millar
> <kfm@xxxxxxxxxxxxx> wrote:
>
>>To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.
>>
>>*raw
>>:PREROUTING ACCEPT [0:0]
>>:OUTPUT ACCEPT [0:0]
>>:limitban - [0:0]
>>-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
>
> Please, will conntrack really work in the raw table? I believe that the raw table
> happens before conntrack...

Probably not. The poster did not say which table they are using, nor explained why they were matching on the NEW state to begin with. It seems probable that "hit" was meant as an attempt to open a TCP connection and would hope that "PREROUTING" was a reference to the raw table. Based on that, let's say that it should instead be -p tcp --syn.

-- 
Kerin Millar
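As an added illustration (not part of either poster's message), here is how the quoted raw-table fragment could look once the conntrack match is replaced by --syn, with an ipset holding the banned sources and hashlimit deciding when a source gets added. The set name "banned", the chain contents beyond what was quoted, and the 10/min limit with a 600-second ban are assumptions for the example; the set must exist before iptables-restore is run.

```iptables
# Assumed to be created beforehand:  ipset create banned hash:ip timeout 600
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:limitban - [0:0]
# The raw table is traversed before connection tracking, so --ctstate NEW
# cannot be used here; match the opening SYN segment instead.
-A PREROUTING ! -i lo -p tcp --syn -j limitban
# Sources already in the set are dropped before conntrack ever sees them.
-A limitban -m set --match-set banned src -j DROP
# More than 10 SYNs per minute (burst 20) from one source: add it to the set
# (--exist refreshes the 600 s timeout if it is already present) ...
-A limitban -m hashlimit --hashlimit-name synlimit --hashlimit-mode srcip --hashlimit-above 10/min --hashlimit-burst 20 -j SET --add-set banned src --exist
# ... and drop the SYN that tipped it over the limit.
-A limitban -m set --match-set banned src -j DROP
COMMIT
```

Entries age out of the set on their own once the ipset timeout expires, so no external cleanup job is needed.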
