2002-03-07 11:36:07+0100, Martin MAURER <[EMAIL PROTECTED]> ->
> Dear developers,
> 
> I am currently developing an iptables/ip_queue based interactive
> firewall tool like those available on M$-Windows (tiny-firewall, ...)
> Recently I discussed a little bit with a friend about a feature which
> would be very nice to have in such a tool: timeouting rules. I think of
> the following situation: Somebody is portscanning my machine. For
> security reasons I want to block his access, but of course not forever.
> So it would be nice if I could do something like:
> iptables -A INPUT -s his.ip.address -timeout a_unix_timestamp -j DROP
> so that this firewall rule is deleted automatically at the given time.
> Of course it would also be possible to implement this feature as a part
> of my tool, but I thought maybe it would be a useful extension to
> netfilter itself. 
> I personally do not know a lot about netfilter internals, and so I can't
> say if this would be easy/possible to implement.
> 

That feature will be available in ippool coming soon. You can add IPs to a
pool with the pooltype that removes its IP after X seconds.

Example:
iptables -A chain -m pool --pool badboys -j DROP
iptables -A chain -m match -j POOL --pool badboys --add-src-ip

-- 
/Gozem A.K.A. Joakim Axelsson
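An added example, not code from ippool, netfilter or either poster: a small Python model of the "pool with timeout" pattern in the reply above, i.e. rule 1 drops anything from a pooled source and rule 2 puts the source of a triggering packet into the pool, with each entry expiring after a fixed number of seconds as the original message asks for. The trigger (a packet to a port nothing listens on), the trap ports, the sample addresses and the assumption that the triggering packet is itself dropped are my own choices for the illustration; the `refresh_on_hit` switch is also mine, added to show a caveat of such pools.

```python
"""Toy model of a timed block pool, as used by the two-rule pattern:

  iptables -A chain -m pool --pool badboys -j DROP
  iptables -A chain <trigger> -j POOL --pool badboys --add-src-ip

Added example, not ippool or netfilter code. Assumptions: the trigger is a
packet to a trap port that nothing listens on, and the triggering packet is
dropped as well. A fake clock stands in for time.monotonic() so that the
expiry can be shown without sleeping.
"""
import ipaddress
import time


class FakeClock:
    """Deterministic clock for the demonstration (constructed, not real time)."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


class TimedPool:
    """Set of IP addresses whose members expire `ttl` seconds after insertion."""

    def __init__(self, ttl, clock=time.monotonic, refresh_on_hit=False):
        self.ttl = ttl
        self.clock = clock
        self.refresh_on_hit = refresh_on_hit   # sliding window if True
        self._expiry = {}                      # ip -> absolute expiry time

    def add(self, ip):
        ip = str(ipaddress.ip_address(ip))     # reject garbage early
        self._expiry[ip] = self.clock() + self.ttl

    def contains(self, ip):
        exp = self._expiry.get(ip)
        if exp is None:
            return False
        if exp <= self.clock():
            del self._expiry[ip]               # lazy expiry on lookup
            return False
        if self.refresh_on_hit:
            # Every blocked packet pushes the expiry out again: a source that
            # keeps probing is never released. Deliberate or not, decide.
            self._expiry[ip] = self.clock() + self.ttl
        return True

    def members(self):
        now = self.clock()
        return sorted(ip for ip, exp in self._expiry.items() if exp > now)


class Chain:
    """Two-rule chain: pooled sources are dropped, trap hits get pooled."""

    def __init__(self, pool, trap_ports):
        self.pool = pool
        self.trap_ports = set(trap_ports)

    def filter(self, pkt):
        # Rule 1 must come first: a pooled source is dropped before it can
        # reach anything else, trap ports included.
        if self.pool.contains(pkt["src"]):
            return "DROP"
        # Rule 2: the trigger. A packet to a port nothing listens on is taken
        # as scan evidence; the source goes into the pool (assumption: the
        # triggering packet is dropped too).
        if pkt["dport"] in self.trap_ports:
            self.pool.add(pkt["src"])
            return "DROP"
        return "ACCEPT"


def run_scenario(ttl=60, refresh_on_hit=False):
    """Replay a constructed packet trace and return (time, src, verdict) triples."""
    clock = FakeClock()
    pool = TimedPool(ttl, clock=clock, refresh_on_hit=refresh_on_hit)
    chain = Chain(pool, trap_ports={23, 135})
    scanner = "198.51.100.7"   # constructed sample addresses (RFC 5737 ranges)
    friend = "203.0.113.4"
    events = [
        (0, {"src": scanner, "dport": 80}),    # ordinary request
        (1, {"src": scanner, "dport": 23}),    # trap port hit: pooled
        (2, {"src": scanner, "dport": 80}),    # now pooled
        (2, {"src": friend, "dport": 80}),     # other hosts unaffected
        (30, {"src": scanner, "dport": 80}),   # still inside the ttl
        (61, {"src": scanner, "dport": 80}),   # ttl elapsed (fixed window)
    ]
    verdicts = []
    for t, pkt in events:
        clock.t = t
        verdicts.append((t, pkt["src"], chain.filter(pkt)))
    return verdicts


if __name__ == "__main__":
    for row in run_scenario():
        print(*row)
    print("sliding window:", [v for _, _, v in run_scenario(refresh_on_hit=True)])
```

With a fixed window the scanner is accepted again at t=61; with `refresh_on_hit=True` the same trace leaves it blocked, because every dropped packet renews the entry. Rule order matters the same way in the real chain: if the pool match sits after the trigger, a pooled source still reaches the trigger rule and gets re-added on every packet.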
