[CentOS] Apache Changing IPtables C 5.6 via Apache

Stephen Harris lists at spuddy.org
Sun Aug 21 14:25:43 UTC 2011


On Sun, Aug 21, 2011 at 03:07:51PM +0100, Always Learning wrote:
> I could probably achieve this by having two temporary tables (for
> blocked IP addresses) and after a week or two delete the contents of one
> table and then at another interval delete the contents of the second
> table. This would provide a useful overlap and ensure an IP blocked
> today is not 'freed' tomorrow when a temporary table's contents are
> deleted.

What I do (for SMTP) is nightly check the rules for those that don't
have any packets associated with them, delete those, then reset the
count on the remainder.  This means that entries stay in the firewall
while they're still making attempts, but get removed a day after they've
stopped.

Code extracts:

n=n   # assumed: set earlier in the full script; "-v$n" becomes "-vn" (verbose counters, numeric addresses)

getlist()
{
  # List INPUT with rule numbers and packet counters; any extra argument
  # (e.g. -Z) is passed straight to iptables. Keep only the SMTP rules and
  # print rule number, packet count and source address.
  /sbin/iptables --line-numbers -L INPUT -v$n $1 | awk '/dpt:25|dpt:smtp/ {printf("Rule=%d Count=%d source=%s\n", $1,$2,$9)}'
}

  # Rules with a zero packet count, highest rule number first (tac), so that
  # deleting one does not renumber the ones still waiting to be deleted.
  lst=$(getlist | /usr/bin/tac | sed -n 's/^Rule=\(.* Count=0\)/\1/p')

  if [ -n "$lst" ]
  then
    echo "$lst" | while read rule details
    do
      /sbin/iptables -D INPUT "$rule"
      echo "Clearing Rule=$rule $details"
    done
  else
    echo "No Rules to clear"
  fi

  # List once more with -Z, which zeroes the counters of the rules that remain,
  # so tomorrow's run only sees hits taken since now.
  getlist -Z

-- 

rgds
Stephen
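The expiry check described above, as an added example that is not part of the original post or Stephen's script: it applies the same zero-counter filter and highest-number-first delete to a constructed iptables listing, against a mock iptables, so the logic can be run and checked without root or a live firewall. The sample listing, the mock, and the function names are assumptions of this example; it uses sort -rn instead of tac to stay POSIX.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the "drop rules whose
# counter stayed at zero" logic over a constructed iptables listing, against a
# mock iptables, so it can be exercised without root or a live firewall.

# Constructed sample of `iptables --line-numbers -L INPUT -v -n -x` output.
# Columns: num pkts bytes target prot opt in out source destination [extra]
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 1234 packets, 567890 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp dpt:25
2        0     0 DROP       tcp  --  *      *       192.0.2.11           0.0.0.0/0            tcp dpt:25
3        0     0 DROP       tcp  --  *      *       198.51.100.7         0.0.0.0/0            tcp dpt:25
4        3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
5        0     0 DROP       tcp  --  *      *       203.0.113.9          0.0.0.0/0            tcp dpt:25'

# Mock standing in for /sbin/iptables: prints the call instead of changing rules.
# Set IPTABLES=/sbin/iptables (as root) to act on the real INPUT chain.
mock_iptables() { echo "mock: iptables $*"; }
IPTABLES=${IPTABLES:-mock_iptables}

# Same filter as the post's getlist(): keep only SMTP rules and emit
# "Rule=<num> Count=<pkts> source=<addr>" for each. Reads a listing on stdin.
parse_listing() {
  awk '/dpt:25|dpt:smtp/ { printf("Rule=%d Count=%d source=%s\n", $1, $2, $9) }'
}

# Rules whose packet counter is still zero, as "<num> source=<addr>" lines,
# highest rule number first: deleting by number shifts every later rule down
# by one, so descending order keeps the remaining numbers valid. sort -rn is
# used instead of tac so this stays POSIX. Reads a listing on stdin.
stale_rules() {
  parse_listing | sed -n 's/^Rule=\([0-9]*\) Count=0 \(.*\)$/\1 \2/p' | sort -rn
}

# Delete the stale rules, then zero the counters of the rules that survive so
# tomorrow's run sees only the hits taken since now. Reads a listing on stdin.
expire_rules() {
  lst=$(stale_rules)
  if [ -n "$lst" ]; then
    echo "$lst" | while read -r rule details; do
      "$IPTABLES" -D INPUT "$rule"
      echo "Clearing Rule=$rule $details"
    done
  else
    echo "No Rules to clear"
  fi
  "$IPTABLES" -Z INPUT
}

# Dry run over the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | expire_rules
```

Run as-is for a dry run; with IPTABLES=/sbin/iptables and the real `iptables --line-numbers -L INPUT -v -n -x` listing on stdin it acts on the live chain. Two points the original relies on: delete from the highest rule number down, because each -D renumbers everything below it, and list with -x (exact counts), otherwise iptables abbreviates large counters as 12K or 3M and awk's %d silently truncates them (harmless for the zero test, misleading if the counts are ever logged).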
