I have a simple ipset map to track suspicious IPs.
These are my commands:
ipset flush
ipset -q destroy banlists
ipset create banlists hash:ip comment family inet hashsize 2048 maxelem 1048576 timeout 300
And I tell iptables to drop if the source matches the ipset:
iptables -I INPUT 1 -m set -j DROP --match-set banlists src
iptables -I FORWARD 1 -m set -j DROP --match-set banlists src
It works, but I want to:
- drop all ports
- exclude ports 80 and 443
- rate limit the matched ipset to prevent DDoS but keep it accessible
If you want to allow ports 80 and 443, you can add one more rule for the INPUT chain:
and one more rule for the FORWARD chain:
The previous rules will allow access to ports 80 and 443 for all IPs. To apply a rate limit on the banlists ipset, you can use:
An easier way (IMO) is to use the -A switch instead of -I. Of course, you need to review the complete ruleset to make sure it is set up as required (rules are inspected in order). This way the rules appear in the normal sequence as they are written:
The same rules need to be applied to the FORWARD chain. You can customize the recent module parameters as needed, namely the hitcount and seconds.
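<![CDATA[
As an added example (not the answer's own rules, which are not reproduced on this page), here is one way to write the ruleset the answer describes with -A, so that the written order is the evaluation order: web ports accepted for everyone, sources in the banlists set rate limited on those ports with the recent module, and everything else from them dropped. The set name banlists comes from the question; the recent list name banlimit, the hitcount of 10, the 60-second window and the DRY_RUN/apply switches are assumptions made for this example.

```shell
#!/bin/sh
# Added example: ordered iptables rules for the "banlists" ipset (not the answer's code).
# Assumed values: recent list "banlimit", at most 10 packets per 60 seconds per banned IP.

IPSET_NAME=${IPSET_NAME:-banlists}     # set name from the question
RECENT_NAME=${RECENT_NAME:-banlimit}   # xt_recent list name (assumed)
HITCOUNT=${HITCOUNT:-10}               # packets allowed per window (assumed)
WINDOW=${WINDOW:-60}                   # window length in seconds (assumed)

# ipt: run iptables, or with DRY_RUN=1 print the command instead, so the whole
# ruleset can be reviewed in order before anything is loaded into the kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# chain_rules CHAIN: append the four rules for one chain. With -A the rules are
# evaluated in exactly the order they are written here.
chain_rules() {
    chain=$1
    # 1. Banned source hitting the web ports more than HITCOUNT times within
    #    WINDOW seconds: drop. --update refreshes the entry's timestamp, so a
    #    continuous flood stays blocked until the source pauses for WINDOW seconds.
    ipt -A "$chain" -m set --match-set "$IPSET_NAME" src \
        -p tcp -m multiport --dports 80,443 \
        -m recent --name "$RECENT_NAME" --update --seconds "$WINDOW" --hitcount "$HITCOUNT" -j DROP
    # 2. Banned source still under the limit: record the packet and let it through.
    ipt -A "$chain" -m set --match-set "$IPSET_NAME" src \
        -p tcp -m multiport --dports 80,443 \
        -m recent --name "$RECENT_NAME" --set -j ACCEPT
    # 3. Everyone else reaches the web ports without a limit.
    ipt -A "$chain" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # 4. Anything else from a banned source is dropped.
    ipt -A "$chain" -m set --match-set "$IPSET_NAME" src -j DROP
}

# apply_all: the same rules go into INPUT and FORWARD, as the answer notes.
apply_all() {
    for chain in INPUT FORWARD; do
        chain_rules "$chain"
    done
}

# Usage: DRY_RUN=1 sh banlist-rules.sh apply   (print the rules for review)
#        sh banlist-rules.sh apply             (load them, as root)
if [ "${1:-}" = apply ]; then
    apply_all
fi
```

Run it first with DRY_RUN=1 and compare the printed order against the existing ruleset: if an earlier rule already accepts or drops the traffic, these four rules are never reached. Rule 2 and rule 3 are separate because only banned sources should be counted in the recent list; counting every client would rate limit legitimate traffic as well.
]]>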