[CentOS] Apache Changing IPtables C 5.6 via Apache
Stephen Harris
lists at spuddy.org
Sun Aug 21 14:25:43 UTC 2011
On Sun, Aug 21, 2011 at 03:07:51PM +0100, Always Learning wrote:
> I could probably achieve this by having two temporary tables (for
> blocked IP addresses) and after a week or two delete the contents of one
> table and then at another interval delete the contents of the second
> table. This would provide a useful overlap and ensure an IP blocked
> today is not 'freed' tomorrow when a temporary table's contents are
> deleted.
What I do (for SMTP) is nightly check the rules for those that don't
have any packets associated with them, delete those, then reset the
count on the remainder. This means that entries stay in the firewall
while they're still making attempts, but get removed a day after they've
stopped.
Code extracts:
#!/bin/sh
n=n     # assumed: the extract does not set $n; "n" gives -vn (verbose, numeric, no DNS lookups)

# Print the INPUT rules that match the SMTP port as "Rule=<num> Count=<pkts> source=<ip>".
# With --line-numbers and -v the columns are: num pkts bytes target prot opt in out source destination.
# Any extra arguments (e.g. -Z) are passed straight through to iptables.
# Note: without -x iptables abbreviates large counters ("12K"), which %d truncates;
# the Count=0 test below is unaffected.
getlist()
{
    /sbin/iptables --line-numbers -L INPUT -v$n "$@" | awk '/dpt:25|dpt:smtp/ {printf("Rule=%d Count=%d source=%s\n", $1,$2,$9)}'
}

# Rules with no packets since the last reset. tac reverses the list so the
# highest-numbered rule is deleted first and the remaining numbers stay valid.
lst=$(getlist | /usr/bin/tac | sed -n 's/^Rule=\(.* Count=0\)/\1/p')
if [ -n "$lst" ]
then
    echo "$lst" | while read rule details
    do
        /sbin/iptables -D INPUT $rule
        echo Clearing Rule=$rule $details
    done
else
    echo No Rules to clear
fi

# Zero the packet counters on the rules that remain (-L together with -Z lists and resets).
getlist -Z
--
rgds
Stephen
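The approach described above, written out as a complete script. This is an added example, not the script from the post: it filters on the DROP target as well as the port, lists with -x so counters are exact integers rather than "12K" style abbreviations, uses sort -rn instead of tac, and by default does a dry run over a constructed listing instead of touching the firewall. IPTABLES, CHAIN and DRY_RUN are this example's own variables, and SAMPLE_LISTING is constructed to look like `iptables --line-numbers -L INPUT -vnx` output.

```shell
#!/bin/sh
# Added example (not the script from the post): delete SMTP block rules whose
# packet counter has stayed at zero since the counters were last reset, then
# reset the counters on the survivors. Assumptions: the blocks are DROP rules
# on port 25 in the INPUT chain; IPTABLES, CHAIN and DRY_RUN are knobs of this
# example, not iptables options.

IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=${CHAIN:-INPUT}
RUN=${DRY_RUN:+echo}   # DRY_RUN=1 prints the iptables commands instead of running them

# Constructed sample of `iptables --line-numbers -L INPUT -vnx` output.
# -x prints exact packet counts (no "12K" abbreviations), so awk compares integers.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1           0         0 DROP       tcp  --  *      *       198.51.100.7         0.0.0.0/0            tcp dpt:25
2          14       840 DROP       tcp  --  *      *       203.0.113.9          0.0.0.0/0            tcp dpt:25
3           0         0 DROP       tcp  --  *      *       192.0.2.44           0.0.0.0/0            tcp dpt:25
4           0         0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
5           0         0 DROP       tcp  --  *      *       192.0.2.45           0.0.0.0/0            tcp dpt:25'

# Read a listing on stdin; print "<rule number> <source>" for every DROP rule on
# port 25 that has seen no packets since the last reset. With --line-numbers and
# -v the columns are: num pkts bytes target prot opt in out source destination.
# Output is sorted highest rule number first so that deleting one rule does not
# renumber the ones still waiting to be deleted.
stale_rules() {
    awk '$4 == "DROP" && / dpt:(25|smtp)( |$)/ && $2 == 0 { print $1, $9 }' | sort -rn
}

# Read a listing on stdin, delete its stale rules, then zero the counters of the
# rules that remain. Every iptables invocation goes through $RUN.
expire_rules() {
    stale_rules | while read -r rule src; do
        echo "Clearing rule $rule ($src made no attempts since the last reset)"
        $RUN "$IPTABLES" -D "$CHAIN" "$rule"
    done
    $RUN "$IPTABLES" -Z "$CHAIN"
}

case "${1:-}" in
    --apply)   # live run against the real firewall (needs root)
        "$IPTABLES" --line-numbers -L "$CHAIN" -vnx | expire_rules ;;
    *)         # default: dry run over the constructed sample listing
        RUN=echo
        printf '%s\n' "$SAMPLE_LISTING" | expire_rules ;;
esac
```

Run without arguments to see what would happen on the sample (rules 5, 3 and 1 are deleted in that order, rule 2 survives because it is still being hit, and the counters are then zeroed); run as root with `--apply` from a nightly cron job to do it against the live INPUT chain. Because the decision is made purely from the packet counter since the last reset, the script has the same property as the original: a source that keeps attempting stays blocked, and one that has gone quiet is released one run later.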