On Sun, Aug 21, 2011 at 03:07:51PM +0100, Always Learning wrote:
> I could probably achieve this by having two temporary tables (for blocked IP addresses) and after a week or two delete the contents of one table and then at another interval delete the contents of the second table. This would provide a useful overlap and ensure an IP blocked today is not 'freed' tomorrow when a temporary table's contents are deleted.
What I do (for SMTP) is nightly check the rules for those that don't have any packets associated with them, delete those, then reset the count on the remainder. This means that entries stay in the firewall while they're still making attempts, but get removed a day after they've stopped.
Code extracts:

# list the SMTP rules in INPUT as "Rule=<num> Count=<pkts> source=<ip>"
# ($n is a variable set elsewhere in the full script, not shown here;
# any extra argument, e.g. -Z, is passed straight to iptables)
getlist() {
    /sbin/iptables --line-numbers -L INPUT -v$n $1 |
        awk '/dpt:25|dpt:smtp/ {printf("Rule=%d Count=%d source=%s\n", $1,$2,$9)}'
}

# keep only rules with a zero packet count, highest rule number first,
# so deleting one rule does not renumber the ones still to be deleted
lst=$(getlist | /usr/bin/tac | sed -n 's/^Rule=\(.* Count=0\)/\1/p')

if [ -n "$lst" ]; then
    echo "$lst" | while read rule details; do
        /sbin/iptables -D INPUT $rule
        echo Clearing Rule=$rule $details
    done
else
    echo No Rules to clear
fi

# zero the counters on the surviving rules for the next nightly run
getlist -Z
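The same prune logic, as an added example that is not part of the original post: it runs the selection step over a constructed iptables listing (no root or iptables needed) and prints the delete commands a nightly run would execute instead of running them. It assumes `-x` (exact counters, so no "12K"-style suffixes reach the Count field) and uses `sort -rn` in place of tac.

```shell
#!/bin/sh
# Constructed sample of `iptables --line-numbers -L INPUT -v -n -x` output
# (example data, not from a real host). Field 1 = rule number, field 2 =
# packet count, field 9 = source address.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target prot opt in  out source         destination
1       12   720 DROP   tcp  --  *   *   192.0.2.10     0.0.0.0/0   tcp dpt:25
2        0     0 DROP   tcp  --  *   *   192.0.2.11     0.0.0.0/0   tcp dpt:25
3        5   300 ACCEPT tcp  --  *   *   0.0.0.0/0      0.0.0.0/0   tcp dpt:22
4        0     0 DROP   tcp  --  *   *   198.51.100.7   0.0.0.0/0   tcp dpt:25'

# getlist: reads a listing on stdin and prints "Rule=N Count=N source=IP"
# for every SMTP rule (same fields as the original script).
getlist() {
    awk '/dpt:25|dpt:smtp/ {printf("Rule=%d Count=%d source=%s\n", $1, $2, $9)}'
}

# idle_rules: rule numbers whose packet counter is still 0, highest number
# first. Deleting from the bottom up keeps the remaining line numbers valid.
idle_rules() {
    getlist | sed -n 's/^Rule=\([0-9]*\) Count=0 .*/\1/p' | sort -rn
}

# plan_deletes: emits the iptables -D commands a nightly run would execute.
# Printing instead of running makes this safe to try anywhere; in a real
# run replace the echo with the iptables call and finish with
# `iptables -Z INPUT` so the survivors start the next day at zero.
plan_deletes() {
    idle_rules | while read -r rule; do
        echo "/sbin/iptables -D INPUT $rule"
    done
}

echo "$SAMPLE_LISTING" | plan_deletes
```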