On 26.10.24 at 13:05, Kerin Millar wrote:
> On Sat, 26 Oct 2024, at 11:23 AM, Reindl Harald wrote:
>> On 25.10.24 at 23:37, Kerin Millar wrote:
>>> On Fri, 25 Oct 2024, at 9:13 PM, Slavko wrote:
>>>> On 25 October 2024 18:12:56 UTC, Kerin Millar
>>>> <kfm@xxxxxxxxxxxxx> wrote:
>>>>> To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.
>>>>>
>>>>> *raw
>>>>> :PREROUTING ACCEPT [0:0]
>>>>> :OUTPUT ACCEPT [0:0]
>>>>> :limitban - [0:0]
>>>>> -A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
>>>>
>>>> Please, will conntrack really work in the raw table? I believe that the raw table
>>>> happens before conntrack...
>>>
>>> Probably not
>>
>> for sure not
>>
>>> The poster did not say which table they are using
>>
>> he did! >>> *raw
>
> He (Francisco) certainly did not. It was I that wrote "*raw" and to whom Slavko was replying

anyways - "--ctstate" is nonsense in RAW and everybody should know that
the whole point of RAW is to bypass conntrack

the whole conntrack stuff is misplaced in case of rate limiting - at
that point all packets which belong to existing connections are already
accepted by a conntrack rule at the beginning

you fill your ipsets after conntrack did its job and the DROP rule
doesn't need any ctstate - after the decision that this IP has to be banned was
made it doesn't matter which state a packet has

hence THIS rule belongs to RAW to bypass conntrack
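As an added example (not part of the thread and not any participant's ruleset), the script below lays the rules out the way the reply above describes: the filter table accepts ESTABLISHED/RELATED first, so only NEW connections reach the rate limit, and a source that exceeds it is added to the ipset; the raw table then drops anything from a source already in the set, with no state match at all, so those packets never reach conntrack. It also carries a small lint over iptables-save text that flags any rule inside *raw using a conntrack state match, which can never work there because the raw PREROUTING hook (priority -300) runs before the conntrack hook (priority -200). The set name limitban comes from the thread; the 20-connections-per-minute threshold, the one-hour ban, the hashlimit name newconn and the port 22 accept are assumptions.

```sh
#!/bin/sh
# Added example for the thread above (not any participant's ruleset).
# Layout: *raw only drops sources already in the ipset (a set lookup needs no
# connection state); *filter accepts existing connections first and rate-limits
# NEW TCP connections, adding over-limit sources to the set.
# Assumptions: set name limitban (from the thread), 20 new connections per
# minute as the threshold, a one-hour ban, hashlimit name newconn, sshd on 22.
#
# The set must exist before the ruleset is restored:
#   ipset create limitban hash:ip timeout 3600 -exist
#   good_ruleset | iptables-restore

# The fragment from the thread, which puts a conntrack state match into *raw.
bad_ruleset() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:limitban - [0:0]
-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
COMMIT
EOF
}

# Corrected layout: ban lookup in raw, ban decision in filter.
good_ruleset() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Banned sources are dropped before conntrack ever sees them; no state match.
-A PREROUTING ! -i lo -m set --match-set limitban src -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Existing connections are accepted here, so the rules below only see NEW.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# More than 20 new TCP connections per minute from one source: add it to the
# set for an hour (SET's --timeout overrides the set's default).
-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name newconn --hashlimit-mode srcip --hashlimit-above 20/minute --hashlimit-burst 20 -j SET --add-set limitban src --timeout 3600 --exist
# SET is non-terminating; drop the packet that tripped the limit as well.
-A INPUT -m set --match-set limitban src -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Lint for iptables-save text on stdin: print every rule in the raw table that
# carries a connection-state match (-m conntrack/--ctstate or the legacy
# -m state/--state). The raw PREROUTING hook runs before conntrack, so such a
# match never sees a classified packet. Exit status 1 if anything was flagged.
lint_raw_ctstate() {
    awk '
        /^[*]/    { table = substr($0, 2); next }   # "*raw" starts a table
        /^COMMIT/ { table = ""; next }
        table == "raw" && /^-A / && (/-m conntrack/ || /--ctstate/ || /-m state/ || /--state /) {
            print "state match in raw table (runs before conntrack): " $0
            flagged = 1
        }
        END { exit (flagged ? 1 : 0) }
    '
}

# Run both rulesets through the lint when executed directly.
for ruleset in bad_ruleset good_ruleset; do
    printf '== %s ==\n' "$ruleset"
    if "$ruleset" | lint_raw_ctstate; then
        echo "ok: no connection-state match in *raw"
    fi
done
```

Run against the thread's fragment the lint reports the `-m conntrack --ctstate NEW` rule in *raw; the corrected ruleset passes. Because the ban DROP lives in raw PREROUTING, a banned source's packets are discarded before a conntrack entry is ever allocated, which also keeps the conntrack table from filling during a flood; locally generated traffic (OUTPUT) and the loopback interface are deliberately excluded from that rule.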