* Martin MAURER ([EMAIL PROTECTED]) wrote:
> I am currently developing an iptables/ip_queue based interactive
> firewall tool like those available on M$-Windows (tiny-firewall, ...)
> Recently I discussed a little bit with a friend about a feature which
> would be very nice to have in such a tool: timeouting rules. I think of
> the following situation: Somebody is portscanning my machine. For
> security reasons I want to block his access, but of course not forever.
> So it would be nice if I could do something like:
> iptables -A INPUT -s his.ip.address -timeout a_unix_timestamp -j DROP
> so that this firewall rule is deleted automatically at the given time.
> Of course it would also be possible to implement this feature as a part
> of my tool, but I thought maybe it would be a useful extension to
> netfilter itself.
> I personally do not know a lot about netfilter internals, and so I can't
> say if this would be easy/possible to implement.

iptables can do what you're asking through the ipt_recent module
available in patch-o-matic.  It's not perfect and I'm still working out
some kinks but in general it works for me.  I'm rewriting the IP lookup
to use a hash-based algorithm instead of a linear search due to some
interest in having the 'recent' table be larger.  I'll submit a new
patch once that's done.  Unfortunately I don't know of a way to do a
generic timeout on a rule yet, though I think it might be possible to
add that ability as a module but it wouldn't be dynamically updating
like ipt_recent can do.

        Stephen
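As an added example (not code from Martin's tool or from Stephen's ipt_recent patch), the script below builds the time-limited scanner block Stephen describes with the `recent` match: probes of closed ports list the source, and the listed source is then dropped for a window that slides forward with each new probe, so no rule ever needs to be deleted. The port list, the durations and the `DRY_RUN` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a self-expiring, self-refreshing block of a port scanner
# built from iptables' recent match. Assumes iptables with -m recent.
# Set DRY_RUN=1 to print the rules instead of applying them.

BLOCK_SECONDS=600        # block lasts this long after the scanner's LAST probe
PROBE_LIMIT=3            # probes within the window before a source is blocked
SERVICE_PORTS="22 80"    # constructed: ports that may accept new connections

# Run iptables, or echo the command when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the rule set. Order matters: the drop-and-refresh rule has to be
# evaluated before any rule that would accept the packet.
scanner_block_rules() {
    # Established flows are left alone.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A source seen PROBE_LIMIT times within BLOCK_SECONDS is dropped, and
    # --update refreshes its timestamp, so the block slides forward while it
    # keeps probing (--rcheck would match without refreshing, i.e. a fixed
    # expiry from the last recorded probe).
    ipt -A INPUT -m recent --name scanners --rsource --update \
        --seconds "$BLOCK_SECONDS" --hitcount "$PROBE_LIMIT" -j DROP
    # Legitimate new connections.
    for p in $SERVICE_PORTS; do
        ipt -A INPUT -p tcp --syn --dport "$p" -j ACCEPT
    done
    # Any other SYN reaches here only because nothing listens on that port,
    # which is the probe pattern: record the source (--set) and drop it.
    # Entries age out of the table by themselves; nothing has to be removed.
    ipt -A INPUT -p tcp --syn -m recent --name scanners --rsource --set -j DROP
}

# Number of rules emitted in dry-run mode (handy for a sanity check).
rule_count() {
    DRY_RUN=1
    export DRY_RUN
    scanner_block_rules | wc -l | tr -d ' '
}
```

Inspect or clear the live table through the recent match's /proc interface for your kernel's version of the module; the hitcount threshold keeps a single stray SYN to a wrong port from locking out a legitimate client.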
