[CentOS] Apache Changing IPtables C 5.6 via Apache
Stephen Harris
lists at spuddy.org
Sun Aug 21 14:25:43 UTC 2011
On Sun, Aug 21, 2011 at 03:07:51PM +0100, Always Learning wrote:
> I could probably achieve this by having two temporary tables (for
> blocked IP addresses) and after a week or two delete the contents of one
> table and then at another interval delete the contents of the second
> table. This would provide a useful overlap and ensure an IP blocked
> today is not 'freed' tomorrow when a temporary table's contents are
> deleted.
What I do (for SMTP) is nightly check the rules for those that don't
have any packets associated with them, delete those, then reset the
count on the remainder. This means that entries stay in the firewall
while they're still making attempts, but get removed a day after they've
stopped.
Code extracts:
getlist()
{
    # $n is set elsewhere in the full script (not in this extract); presumably
    # n=n, giving -vn: verbose listing with numeric addresses and ports.
    # With --line-numbers and -v the fields are: $1=rule number, $2=packets,
    # $9=source address. Only rules for the SMTP port are reported.
    /sbin/iptables --line-numbers -L INPUT -v$n $1 | awk '/dpt:25|dpt:smtp/ {printf("Rule=%d Count=%d source=%s\n", $1,$2,$9)}'
}

# Rules that saw no packets since the last reset, highest rule number first
# (tac), so deleting one rule does not renumber those still to be deleted.
lst=$(getlist | /usr/bin/tac | sed -n 's/^Rule=\(.* Count=0\)/\1/p')
if [ -n "$lst" ]
then
    echo "$lst" | while read rule details
    do
        /sbin/iptables -D INPUT $rule
        echo Clearing Rule=$rule $details
    done
else
    echo No Rules to clear
fi
# Zero the packet counters on the remaining rules (-L ... -Z) for the next night.
getlist -Z
--
rgds
Stephen
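As an added example (not part of Stephen's script), the same selection logic applied to a saved iptables listing rather than the live firewall, so the expiry rule can be checked offline before it is allowed to delete anything; the listing and its addresses are constructed sample data, and sort -rn stands in for tac.

```shell
#!/bin/sh
# Constructed sample of 'iptables --line-numbers -L INPUT -vn' output
# (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp dpt:25
2        0     0 DROP       tcp  --  *      *       192.0.2.11           0.0.0.0/0            tcp dpt:25
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4        0     0 DROP       tcp  --  *      *       198.51.100.7         0.0.0.0/0            tcp dpt:25'

# Print "Rule=<num> Count=<pkts> source=<src>" for each SMTP rule in a
# listing read from stdin (same fields as the original getlist():
# $1=rule number, $2=packets, $9=source with --line-numbers and -v).
smtp_rules() {
    awk '/dpt:25|dpt:smtp/ {printf("Rule=%d Count=%d source=%s\n", $1, $2, $9)}'
}

# Rule numbers with a zero packet count, highest first, so that deleting
# one rule does not renumber a rule still waiting to be deleted.
expired_rules() {
    smtp_rules | sed -n 's/^Rule=\([0-9]*\) Count=0 .*/\1/p' | sort -rn
}

# Same selection, keeping the source address for the log line.
expired_rules_with_source() {
    smtp_rules | sed -n 's/^Rule=\([0-9]*\) Count=0 source=\(.*\)$/\1 \2/p' | sort -rn
}

# Dry run over the sample: rule 1 still sees traffic and rule 3 is not an
# SMTP rule, so only rules 4 and 2 (in that order) would be deleted.
echo "$SAMPLE_LISTING" | expired_rules_with_source
```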