2002-03-07 18:52:47+0100, Martin MAURER <[EMAIL PROTECTED]> ->
> On Thu, 2002-03-07 at 14:37, Gozem wrote:
> > 2002-03-07 11:36:07+0100, Martin MAURER <[EMAIL PROTECTED]> ->
> > > Dear developers,
> > > 
> > > I am currently developing an iptables/ip_queue based interactive
> > > firewall tool like those available on M$-Windows (tiny-firewall, ...)
> > > Recently I discussed a little bit with a friend about a feature which
> > > would be very nice to have in such a tool: timeouting rules. I think of
> > > the following situation: Somebody is portscanning my machine. For
> > > security reasons I want to block his access, but of course not forever.
> > > So it would be nice if I could do something like:
> > > iptables -A INPUT -s his.ip.address -timeout a_unix_timestamp -j DROP
> > > so that this firewall rule is deleted automatically at the given time.
> > > Of course it would also be possible, to implement this feature as a part
> > > of my tool, but I thought maybe it would be a useful extension to
> > > netfilter itself. 
> > > I personally do not know a lot about netfilter internals, and so I can't
> > > say if this would be easy/possible to implement.
> > > 
> > 
> > That feature will be available in ippool coming soon. You can add IPs to a
> > pool with the pooltype that removes its IP after X seconds.
> > 
> > Example:
> > iptables -A chain -m pool --pool badboys -j DROP
> > iptables -A chain -m match -j POOL --pool badboys --add-src-ip
> I haven't found any documentation to ippool, so I am asking you this
> way: Am I right, that ippool only works with matching by ip? (so I
> wouldn't be able to allow my port 22 for the next 2 hours or something
> like this ?)
> I just want to keep my tool as flexible as possible and I am searching
> for the optimal solution :)
> 

No, you can see the pool as a variable for the -d (dest ip) and/or -s (source
ip).

You can't find any doc about ippool because the new version isn't entirely
finished. It will be sent in, in about a week.

-- 
/Gozem A.K.A. Joakim Axelsson
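The userspace alternative Martin mentions (building the "-timeout" behaviour into the tool itself, which also covers port-based rules that an IP-only pool cannot express) can be done by recording a deadline next to each rule and deleting the rule by its own specification once the deadline passes. The following is an added example, not code from this thread, from ippool or from netfilter; it returns the iptables commands as argv lists instead of executing them, and the address 203.0.113.7 is a constructed sample.

```python
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class TimedRule:
    chain: str          # e.g. "INPUT"
    spec: list[str]     # iptables match/target arguments, e.g. ["-s", "203.0.113.7", "-j", "DROP"]
    expires_at: float   # unix timestamp after which the rule must be removed


class TimedRuleTable:
    """Userspace emulation of a per-rule timeout: remember when each rule was
    added and produce the matching 'iptables -D' once it has expired."""

    def __init__(self) -> None:
        self._rules: list[TimedRule] = []

    def add(self, chain: str, spec: list[str], timeout_s: float, now: float | None = None) -> list[str]:
        """Register a rule that lives for timeout_s seconds; return the command to install it."""
        now = time.time() if now is None else now
        self._rules.append(TimedRule(chain, list(spec), now + timeout_s))
        return ["iptables", "-A", chain, *spec]

    def expire(self, now: float | None = None) -> list[list[str]]:
        """Return the delete commands for every rule whose deadline has passed.
        '-D <chain> <spec>' removes the first rule with an identical spec, so the
        tool must not install the same spec twice or it will delete the wrong copy."""
        now = time.time() if now is None else now
        expired = [r for r in self._rules if r.expires_at <= now]
        self._rules = [r for r in self._rules if r.expires_at > now]
        return [["iptables", "-D", r.chain, *r.spec] for r in expired]

    def active(self) -> list[list[str]]:
        return [r.spec for r in self._rules]


if __name__ == "__main__":
    table = TimedRuleTable()
    # Block a scanning host for two hours (7200 s); constructed sample address.
    print(" ".join(table.add("INPUT", ["-s", "203.0.113.7", "-j", "DROP"], 7200, now=1000.0)))
    # Open port 22 for one hour; a pure IP pool could not express this rule.
    print(" ".join(table.add("INPUT", ["-p", "tcp", "--dport", "22", "-j", "ACCEPT"], 3600, now=1000.0)))
    for cmd in table.expire(now=5000.0):   # only the port-22 rule has expired by then
        print(" ".join(cmd))
```

The deadlines live only in this process, so a real tool would persist them and re-run `expire` after a restart; otherwise the kernel keeps the rules forever.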
