[ic] IC not responding

Jon Jensen jon at endpoint.com
Tue Nov 15 20:39:33 EST 2005


On Tue, 15 Nov 2005, John1 wrote:

> In the meantime, I would like to implement the Interchange lockout option 
> immediately.  I have only just realised that although I have defined a 
> "RobotLimit 100" I have not defined a lockout command, so bad robots are not 
> actually being locked out.
>
> I am not up on iptables, but from what I can see the lockout command I should 
> use is:
>
> iptables -I INPUT -s %s -j DROP
>
> Is this correct?
>
> The problem I see with this is that the IP address is then *permanently* 
> locked out.  What is the best way to lockout IP addresses for a given 
> timeframe, and then let them back in again?

I've done something like this. Add this chain to your iptables ruleset, 
after your rules to allow local connections, established connections, 
etc., but before your final drop rules:

     -N dynamic_ip
     -A INPUT -j dynamic_ip

Then use a rule such as you described above:

     iptables -A dynamic_ip -s $the_ip -j DROP

That allows you to segregate your temporary blacklist into its own table 
(dynamic_ip), and put it wherever you want in your ruleset.

Then, whenever you want to purge it, you can do:

     iptables -F dynamic_ip

That doesn't distinguish between newer and older additions, so if you care 
about that you'd have to figure out some way to deal with it.

Jon

--
Jon Jensen
End Point Corporation
http://www.endpoint.com/
Software development with Interchange, Perl, PostgreSQL, Apache, Linux, ...
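One way to deal with the "newer and older additions" caveat above, as an added example that is not part of the original post and not Interchange's own code: a small script that records when each address was appended to the dynamic_ip chain and expires only the rules older than a TTL, instead of flushing the whole chain. The chain name dynamic_ip is taken from the post; the script name, the state-file location, the default TTL, and the IPTABLES / FAKE_NOW overrides (used for dry runs and tests) are this example's own assumptions. Because the value substituted for %s is the offending client's address, the script also validates it as an IPv4 dotted quad before passing it to a root-privileged command.

```shell
#!/bin/sh
# dynamic_ip.sh (added example, not from the original post or Interchange)
#   dynamic_ip.sh block <ip>   append a DROP rule for <ip> to the dynamic_ip chain
#   dynamic_ip.sh expire       delete rules that have been in place longer than TTL
# Assumes the chain was created once with: -N dynamic_ip ; -A INPUT -j dynamic_ip

IPTABLES="${IPTABLES:-iptables}"                      # set to a logging function/echo for dry runs
STATE="${DYNAMIC_IP_STATE:-/var/lib/dynamic_ip.state}" # lines of "<epoch-added> <ip>" (assumed path)
TTL="${DYNAMIC_IP_TTL:-3600}"                         # seconds an address stays blocked (assumed)

# Current time in epoch seconds; FAKE_NOW is a test hook so expiry can be exercised offline.
now() {
    if [ -n "${FAKE_NOW:-}" ]; then echo "$FAKE_NOW"; else date +%s; fi
}

# Accept only a dotted quad with octets 0-255. The address comes from the client
# connection, so anything else (shell metacharacters, hostnames) is refused.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# True if the address already has a recorded rule (avoids stacking duplicate rules,
# which would need one -D per copy to clear).
is_blocked() {
    [ -f "$STATE" ] && awk -v ip="$1" '$2 == ip { found = 1 } END { exit !found }' "$STATE"
}

block_ip() {
    ip=$1
    valid_ipv4 "$ip" || { echo "refusing to block invalid address: $ip" >&2; return 1; }
    is_blocked "$ip" && return 0
    "$IPTABLES" -A dynamic_ip -s "$ip" -j DROP || return 1
    echo "$(now) $ip" >> "$STATE"
}

# Delete only the rules added more than TTL seconds ago; -D removes exactly the
# rule that block_ip appended, so newer entries in the chain are left alone.
expire_ips() {
    [ -f "$STATE" ] || return 0
    cutoff=$(( $(now) - TTL ))
    tmp="$STATE.tmp"
    : > "$tmp"
    while read -r added ip; do
        if [ "$added" -le "$cutoff" ]; then
            "$IPTABLES" -D dynamic_ip -s "$ip" -j DROP
        else
            echo "$added $ip" >> "$tmp"
        fi
    done < "$STATE"
    mv "$tmp" "$STATE"
}

case "${1:-}" in
    block)  block_ip "$2" ;;
    expire) expire_ips ;;
    "")     ;;   # no arguments: only define the functions (sourced or run by a harness)
    *)      echo "usage: $0 block <ip> | expire" >&2; exit 2 ;;
esac
```

Point the Interchange lockout directive (LockoutCommand, as I read the quoted message) at `/path/to/dynamic_ip.sh block %s`, and run `dynamic_ip.sh expire` from cron every few minutes. The `-N dynamic_ip` / `-A INPUT -j dynamic_ip` setup from the post is still done once at boot; this script only appends to and deletes from that chain, so a full `iptables -F dynamic_ip` remains available as the emergency reset.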

