On Thursday 2012-06-07 23:40, José Pablo Pérez wrote:
> I have CentOS and iptables with GeoIP module enabled,
>
> So far I have this rule working which works perfect:
>
> iptables -I INPUT -m geoip --src-cc GB -j DROP;
>
> But I need to make it more complex:
>
> Before dropping traffic I need to:
>
> 1. allow up to a connection limit of 50 for the entire country.
> 2. allow up to 30 requests/second to the entire country.
> 3. drop the particular IPs with -m recent and a timeout of 3800 for those IPs from
> that country that violated that limit.
> 4. And finally log whatever has been dropped with excessive logging protection.
> 5. A plus.. if I can get to DROP the entire class C (/24) of the offending IP that
> violated the limits instead of just the /32.
-A INPUT -m recent --recent-name offenders --rcheck --seconds 3800 -j DROP
# you don't want to log these, it would be just noise
-A INPUT -m geoip --src-cc GB -j gb
-A gb -m connlimit --connlimit-upto 50 -m limit --limit 30/s -j RETURN
-A gb -m recent --recent-name offenders --set -j LOG ...
-A gb -j DROP
To 2. you have to define what a request is, otherwise it'll bite you.
To 5. not really available.
And your requirements have a fundamental flaw: a single address can make the
country go over the limit, and everybody will end up in the blacklist.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
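The shared-bucket flaw the reply points out, as an added example that is not part of the original thread: a constructed Python model of the quoted rules, with `limit` as a token bucket (default `--limit-burst 5`) and `recent` with its 3800 s window; `connlimit` and `geoip` are assumed to match, and the `Packet`/`Ruleset`/`run` names and both addresses are inventions of this example. One address that empties the country's bucket gets a well-behaved client that arrives in the same window blacklisted for the full 3800 s, and `--rcheck` only lets it back once that entry expires.

```python
# Constructed toy model of the rules in the reply (not real netfilter): only `limit`
# and `recent` are modelled; connlimit and geoip are assumed to match.
from collections import namedtuple

Packet = namedtuple("Packet", "t_ms src")  # arrival time in ms, source address

class Ruleset:
    def __init__(self, rate_per_s=30, burst=5, recent_seconds=3800):
        self.rate = rate_per_s           # tokens added per second
        self.burst = burst * 1000        # tokens in thousandths to keep integer math
        self.tokens = self.burst
        self.last_ms = 0
        self.recent_ms = recent_seconds * 1000
        self.offenders = {}              # src -> time of its last --set

    def _limit_match(self, t_ms):
        # -m limit --limit 30/s: one bucket shared by everything in the gb chain
        self.tokens = min(self.burst, self.tokens + (t_ms - self.last_ms) * self.rate)
        self.last_ms = t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

    def verdict(self, pkt):
        # -A INPUT -m recent --rcheck --seconds 3800 -j DROP (rcheck never refreshes
        # the timestamp, so the entry expires 3800 s after the --set)
        seen = self.offenders.get(pkt.src)
        if seen is not None and pkt.t_ms - seen <= self.recent_ms:
            return "DROP(recent)"
        # -A gb -m connlimit ... -m limit --limit 30/s -j RETURN
        if self._limit_match(pkt.t_ms):
            return "RETURN"
        # -A gb -m recent --set -j LOG ; -A gb -j DROP
        self.offenders[pkt.src] = pkt.t_ms
        return "DROP(offender)"

def run(packets):
    """Feed packets in arrival order and return {src: [verdicts]}."""
    rs = Ruleset()
    out = {}
    for p in sorted(packets, key=lambda p: p.t_ms):  # stable: ties keep list order
        out.setdefault(p.src, []).append(rs.verdict(p))
    return out

# constructed traffic: one address bursts 8 packets in 8 ms; a well-behaved address
# sends one packet at 5 ms, then retries 30 min and 64 min later
FLOODER, CLIENT = "203.0.113.9", "198.51.100.7"
TRAFFIC = [Packet(i, FLOODER) for i in range(8)] + [
    Packet(5, CLIENT), Packet(1_800_000, CLIENT), Packet(3_840_000, CLIENT)]
```

`run(TRAFFIC)` shows the flooder blocked after its sixth packet, but the client's single packet at 5 ms is also logged and dropped as an offender, its retry at 30 minutes is dropped by the first rule, and only the one at 64 minutes gets through.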