I have used the following rules to block port scanners for 24 hours, unblock the scanner IP address after 24 hours, and log the attacker's IP address.
# Drop anything from an address that hit the "portscan" list within the last 24 hours (86400 s)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Packets that get past the DROP (entry older than 24 hours) remove the stale entry
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
# A hit on TCP/139 adds the source to the list, logs it, then drops it
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
Everything works fine, and the scanner IP address is getting blocked by iptables, but I am not able to find the blocked IP in any of the iptables chains. The scanner IP is only getting logged in the kernel.log file, and I am looking for a possible way to remove a single IP instead of restarting iptables itself.
The recent module does not create new rules for each offender that you can query with iptables. It simply maintains the list of offenders in memory.
http://ipset.netfilter.org/iptables-extensions.man.html#lbBW
From the linked man page, on the /proc/net/xt_recent/* files:

echo +addr >/proc/net/xt_recent/DEFAULT
    to add addr to the DEFAULT list
echo -addr >/proc/net/xt_recent/DEFAULT
    to remove addr from the DEFAULT list
echo / >/proc/net/xt_recent/DEFAULT
    to flush the DEFAULT list (remove all entries)
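Applied to the question's rules, the list is named portscan, so its file is /proc/net/xt_recent/portscan. The script below is an added example (not part of the original question or answer) that wraps the three proc-file commands from the man page in small functions: list the recorded addresses, unblock one, block one, or flush the list. It assumes the xt_recent module is loaded, that the list name matches the `--name` used in the rules, and that it runs as root (the proc files are root-only by default). The sample list content it demonstrates on is constructed in the kernel's own line format, not read from a live system; the environment variable XT_RECENT_DIR is an assumption introduced here so the functions can be pointed at a test directory.

```shell
#!/bin/sh
# Added example: managing an xt_recent list by name through /proc/net/xt_recent/<name>.
# Assumptions: list name "portscan" (from the question's --name), xt_recent loaded, root.
# XT_RECENT_DIR is a hypothetical override so the helpers can be exercised on a fake directory.

XT_RECENT_DIR=${XT_RECENT_DIR:-/proc/net/xt_recent}

# Print the source addresses currently on a list. Each proc line looks like:
#   src=192.0.2.10 ttl: 64 last_seen: 4316437 oldest_pkt: 1 4316437
# (times are kernel jiffies, not wall-clock; the --seconds check is done by the kernel).
recent_list_ips() {
    list=$1
    f="$XT_RECENT_DIR/$list"
    if [ ! -r "$f" ]; then
        echo "cannot read $f: is xt_recent loaded and --name $list in use?" >&2
        return 1
    fi
    sed -n 's/^src=\([^ ]*\).*/\1/p' "$f"
}

# Write one control command to a list file. The kernel only accepts
# "+addr" (add), "-addr" (remove) and "/" (flush); anything else is refused,
# so validate before writing rather than relying on the kernel's error.
recent_list_ctl() {
    list=$1
    cmd=$2
    case $cmd in
        +?*|-?*|/) ;;
        *) echo "bad command '$cmd' (want +addr, -addr or /)" >&2; return 2 ;;
    esac
    case $cmd in
        *[!A-Za-z0-9.:/+-]*) echo "refusing address with unexpected characters" >&2; return 2 ;;
    esac
    printf '%s\n' "$cmd" > "$XT_RECENT_DIR/$list"
}

# Remove a single address from the list, i.e. unblock it without touching iptables rules.
recent_unblock() { recent_list_ctl "$1" "-$2"; }
# Add an address by hand (useful for testing that the --rcheck rule fires).
recent_block()   { recent_list_ctl "$1" "+$2"; }
# Empty the whole list.
recent_flush()   { recent_list_ctl "$1" "/"; }

# Stand-alone demo on a constructed sample list (not a real kernel list).
recent_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/portscan" <<'EOF'
src=192.0.2.10 ttl: 64 last_seen: 4316437 oldest_pkt: 1 4316437
src=198.51.100.7 ttl: 52 last_seen: 4316900 oldest_pkt: 2 4316890 4316900
EOF
    ( XT_RECENT_DIR=$tmp; recent_list_ips portscan )
    rm -rf "$tmp"
}
recent_demo

# Real usage (as root):
#   recent_list_ips portscan
#   recent_unblock portscan 192.0.2.10
```

Two caveats when relying on this list as a blocklist. First, xt_recent caps each list at the module parameter ip_list_tot, which defaults to 100 entries, so on a busy host the oldest scanner entries are evicted long before 24 hours pass; raise it with `modprobe xt_recent ip_list_tot=...` (or the corresponding file under /sys/module/xt_recent/parameters/) if the rules must hold more offenders. Second, the list lives only in kernel memory, so reloading the module or rebooting clears it; the LOG entries in kernel.log are the only durable record of who was blocked.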