Quote:
Originally Posted by estabroo
Instead of having recent do the drop directly, send it to another section where it does a log, then a drop.
iptables -N LOG_THEN_DROP
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG_THEN_DROP
iptables -A LOG_THEN_DROP -j LOG --log-level 7 --log-prefix "recent drop:"
iptables -A LOG_THEN_DROP -j DROP
Thanks, I actually log that way, but I also log thousands of other (new) connections (audit)... I mean, I have a daily log of 2 or 3 GB, so I want to get instant information about which ones are blocked at this moment.
I'll put what I have right now!
Code:
iptables -A FORWARD -p tcp --syn --dport 25 -m state --state NEW,INVALID -m recent --name MadMail --set
iptables -A FORWARD -p tcp --syn --dport 25 -m state --state NEW,INVALID -m recent --seconds 20 --hitcount 5 --name MadMail --rcheck -j LOG --log-prefix "Blocked Mail--> "
iptables -A FORWARD -p tcp --syn --dport 25 -m state --state NEW,INVALID -m recent --seconds 20 --hitcount 5 --name MadMail --update -j REJECT
As I said before (but it was edited, who knows why), mod recent puts every single IP in the file "/proc/net/ipt_recent/MadMail" and updates only the "last seen" with some "machine_time" (or tick time), so it is very hard to find who is blocked with a "right now" query...
Any ideas? This may help someone else too.
My log file is a really big file (it takes about half an hour to compress every day); maybe you can provide a way to get the last 20 seconds and pull the blocked IPs out of this file (grep, awk, sed etc. I know in some way how to work with these, but the last n seconds goes far beyond my knowledge.)
Again thanks.
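One way to get the "who is blocked right now" answer from the log instead of from /proc, as an added example (not the poster's own script): it keeps only the kernel LOG lines carrying the "Blocked Mail--> " prefix from the rules above and reports the SRC addresses seen within the last 20 seconds. The classic syslog line layout, the host name "gw" and the sample addresses are assumptions/constructed for the example.

```python
"""Who is blocked right now? Scan the kernel LOG lines written by the
"Blocked Mail--> " rule and keep only sources seen within the last N seconds.
Added example for this thread (not the poster's script); it assumes classic
syslog lines "Mon DD HH:MM:SS host kernel: <prefix> ... SRC=a.b.c.d ..."."""
import re
from datetime import datetime

LOG_PREFIX = "Blocked Mail--> "      # prefix used by the MadMail LOG rule
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    + re.escape(LOG_PREFIX) + r".*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_syslog_time(ts, reference):
    """Syslog stamps carry no year: borrow it from `reference`, and step back a
    year if that would put the entry in the future (log spanning New Year)."""
    stamp = datetime.strptime(f"{reference.year} {ts}", "%Y %b %d %H:%M:%S")
    if stamp > reference:
        stamp = stamp.replace(year=reference.year - 1)
    return stamp

def blocked_recently(lines, window_seconds=20, now=None):
    """Return {src_ip: (hits_in_window, last_seen_stamp)} for every source the
    rule logged within `window_seconds` before `now` (ISO string; default: now)."""
    now = datetime.fromisoformat(now) if now else datetime.now()
    seen = {}
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue  # audit/other traffic: not written by the MadMail rule
        stamp = parse_syslog_time(m.group("ts"), now)
        if 0 <= (now - stamp).total_seconds() <= window_seconds:
            hits, _ = seen.get(m.group("src"), (0, None))
            seen[m.group("src")] = (hits + 1, m.group("ts"))
    return seen

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar 14 10:19:30 gw kernel: Blocked Mail--> IN=eth0 OUT=eth1 SRC=203.0.113.200 DST=192.0.2.25 PROTO=TCP SPT=40001 DPT=25 SYN
Mar 14 10:20:01 gw kernel: Blocked Mail--> IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.25 PROTO=TCP SPT=51234 DPT=25 SYN
Mar 14 10:20:03 gw kernel: Blocked Mail--> IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.25 PROTO=TCP SPT=51236 DPT=25 SYN
Mar 14 10:20:05 gw kernel: audit new: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.80 PROTO=TCP DPT=80 SYN
Mar 14 10:20:07 gw kernel: Blocked Mail--> IN=eth0 OUT=eth1 SRC=198.51.100.44 DST=192.0.2.25 PROTO=TCP SPT=40000 DPT=25 SYN
""".splitlines()

if __name__ == "__main__":
    for ip, (hits, last) in sorted(blocked_recently(SAMPLE_LOG, 20, "2024-03-14 10:20:10").items()):
        print(f"{ip:16} hits={hits} last_seen={last}")
```

On the real box, pass `open("/var/log/kern.log")` (or whatever file the kernel facility goes to) instead of SAMPLE_LOG and leave `now` unset so the window is measured from the current time; the 10:19:30 entry in the sample is deliberately outside the 20-second window.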