On 25.10.24 at 23:37, Kerin Millar wrote:
On Fri, 25 Oct 2024, at 9:13 PM, Slavko wrote:
On 25 October 2024 18:12:56 UTC, user Kerin Millar
<kfm@xxxxxxxxxxxxx> wrote:
To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:limitban - [0:0]
-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
Please, will conntrack really work in the raw table? I believe that the raw table
happens before conntrack...
Probably not
for sure not
The poster did not say which table they are using
he did! >>> *raw
what makes sense in the context of ipset is that the DROP rules are in
the RAW table because at this point the decision is already made and
there is no valid reason to bother conntrack
so a first step you get your ratelimit with ipsets / timeouts done and
finally place the drop rule which hits when the IP is in the ipset into
the raw-table
the greatest benefit of ipsets: they work across tables
"--ctstate NEW" is completely irrelevant in the context of ratelimits
because your ruleset should always start with ACCEPT est/related and DROP
invalid and so everything below can be only a new connection by definition
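An added example (not from any poster in this thread) of the two-step scheme described above, in iptables-save format: the counting and the filling of the set happen in the filter table, where conntrack state is meaningful, and the raw table only drops sources that are already in the set. The set name `limitban`, the chain name `ratelimit`, port 22, the 10/minute rate with burst 10 and the 600-second timeout are assumptions.

```conf
# Prerequisite (run once, before iptables-restore): the set must exist.
#   ipset create limitban hash:ip family inet timeout 600
# Entries expire 600 s after they were last added (assumed value).

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Conntrack has not run yet at this point, so no state match is used here;
# the only question is "is this source already banned?". Dropping here
# means conntrack never sees the packet.
-A PREROUTING ! -i lo -m set --match-set limitban src -j DROP
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ratelimit - [0:0]
-A INPUT -i lo -j ACCEPT
# Usual start: accept what belongs to known connections, drop invalid.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Everything from here on is a NEW connection by definition.
-A INPUT -p tcp --dport 22 -j ratelimit
-A INPUT -p tcp --dport 22 -j ACCEPT
# More than 10 new SSH connections per minute from one source: add the
# source to the set (--exist refreshes the timeout of an existing entry)
# and drop this packet. The SET target is non-terminating, so the second
# rule does the drop; later packets are dropped in raw PREROUTING above.
-A ratelimit -m hashlimit --hashlimit-name ssh-new --hashlimit-mode srcip --hashlimit-above 10/minute --hashlimit-burst 10 -j SET --add-set limitban src --exist
-A ratelimit -m set --match-set limitban src -j DROP
COMMIT
```

Because the raw-table DROP keys only on set membership, the same set can be consulted from any other table or chain (FORWARD, for example) without repeating the counting logic.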