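# Throttle / blacklist clients that request zaa.html too often.
#
# Evaluation order in INPUT (rules are appended, so earlier rules win):
#   1. anything from an address already in BLACKLIST is dropped (and the entry refreshed);
#   2. a request for zaa.html from an address that already has >= 2 hits in ZAA_URL
#      within 30 s jumps to blacklistdrop, which logs, records the address in BLACKLIST
#      and drops the packet;
#   3. any other request for zaa.html is recorded in ZAA_URL and accepted.
#
# Caveats worth knowing before relying on this:
#   - "-m string" only sees one packet's payload: a request split across packets, or
#     served over TLS, is never matched. Treat this as abuse throttling, not access control.
#   - counting is per source address, so clients behind a shared NAT share one budget.
#   - rule 1 drops EVERYTHING from a blacklisted address, including your own SSH session;
#     insert an ACCEPT for admin addresses above it if that matters.
#   - xt_recent keeps at most ip_pkt_list_tot (module parameter, default 20) timestamps per
#     address; --hitcount must stay below that value or the rule can never match.
#   - an earlier ACCEPT for tcp/80 in INPUT (e.g. from an existing firewall) would shadow
#     rules 2 and 3, since these are appended with -A.

# Create the chain; if it already exists (re-run), flush it instead so the script is repeatable.
sudo iptables -N blacklistdrop 2>/dev/null || sudo iptables -F blacklistdrop
# Log the event. The limit match keeps an attacker from flooding the log; when the limit is
# exceeded only the LOG rule is skipped, the next rule still blacklists and drops.
sudo iptables -A blacklistdrop -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "Adding to BLACKLIST: "
sudo iptables -A blacklistdrop -m recent --name BLACKLIST --set -j DROP

# Drop packets from any address seen in BLACKLIST within the last 120 s. --update also
# refreshes the timestamp, so an address that keeps sending stays blacklisted until it has
# been quiet for a full 120 s.
sudo iptables -A INPUT -m recent --name BLACKLIST --update --seconds 120 -j DROP

# Request for zaa.html from an address whose ZAA_URL entry holds >= 2 hits in the last 30 s:
# send it to blacklistdrop. The threshold counts hits already recorded by the --set rule
# below, so the first blacklisted request is the one after the threshold is reached
# (verify the exact count on your kernel).
sudo iptables -A INPUT -i eth0 -p tcp --dport 80 \
  -m string --string "zaa.html" --algo kmp \
  -m recent --name ZAA_URL --update --seconds 30 --hitcount 2 -j blacklistdrop

# Otherwise: record the address in ZAA_URL and accept the packet.
sudo iptables -A INPUT -i eth0 -p tcp --dport 80 \
  -m string --string "zaa.html" --algo kmp \
  -m recent --name ZAA_URL --set -j ACCEPT

# Inspect / edit the live list. The /proc entry is named after the list and is case-sensitive
# (BLACKLIST, not blacklist). Writing "-addr" removes an entry, "+addr" adds one, "/" clears
# the whole list.
cat /proc/net/xt_recent/BLACKLIST
sudo sh -c 'echo "-127.0.0.1" > /proc/net/xt_recent/BLACKLIST'
sudo sh -c 'echo "+127.0.0.1" > /proc/net/xt_recent/BLACKLIST'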
Put the commands that reset the iptables configuration into a file, /opt/resetiptables.sh,
then link it into a directory on PATH so it can be run from any shell.
There is no single iptables command that resets everything at once (iptables-restore fed an empty ruleset is the closest), so the script does it table by table.
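# Create the script (content is listed below), then make it executable and expose it on PATH.
sudo nano /opt/resetiptables.sh
# write content to file, save, exit
# The script is run with root privileges, so it must stay root-owned and must not be
# group- or world-writable; 755 makes that explicit.
sudo chmod 755 /opt/resetiptables.sh
sudo ln -sf /opt/resetiptables.sh /usr/local/bin/resetiptables
# Usage, either directly or via the symlink (sudo resetiptables):
sudo /opt/resetiptables.sh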
Content of /opt/resetiptables.sh:
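#!/usr/bin/env bash
# /opt/resetiptables.sh — flush every IPv4 rule and chain and open the firewall.
# Run as root (e.g. via sudo), so the commands below carry no sudo of their own.
# NOTE: afterwards the host has NO packet filtering (all policies ACCEPT). This is a reset,
# not a safe default. IPv6 (ip6tables) is not touched.
set -euo pipefail

# Set the policies to ACCEPT *before* flushing: if the current INPUT policy is DROP,
# flushing first removes the rules that let established traffic in and cuts every
# connection, including the SSH session running this script.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Flush rules (-F), delete user-defined chains (-X) and zero counters (-Z) per table.
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
  iptables -t "$table" -Z
done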
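# Route the iptables LOG lines into their own file.
# rsyslog includes /etc/rsyslog.d/*.conf in glob (alphabetical) order and Ubuntu's default
# rules live in 50-default.conf, so a file named 50-xscores.conf is processed AFTER them:
# the message has already been written to syslog/kern.log when the discard below runs.
# To suppress the duplicate, name the file so it sorts before 50-default.conf
# (e.g. 10-xscores.conf). dmesg reads the kernel ring buffer directly and is unaffected.
sudo tee /etc/rsyslog.d/50-xscores.conf >/dev/null <<'EOF'
:msg, contains, "Adding to BLACKLIST" /var/log/xscores.log
& stop
EOF
# "& stop" applies a second action (discard) to the same filter; it replaces the legacy
# ":msg, contains, ... ~" form, which is deprecated in rsyslog 7+.
sudo service rsyslog restart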
About 50-xscores.conf:
- the first line writes matching messages to the specified file
- the second line is meant to discard the message so the default rules do not write it again. On Ubuntu it appears not to work because the default rules (50-default.conf) are processed before this file, so the message has already been written to syslog/kern.log by the time the discard is reached. dmesg shows the message either way: it reads the kernel ring buffer directly, not rsyslog's output.
- the 50- prefix controls ordering: rsyslog.conf includes /etc/rsyslog.d/*.conf in alphabetical order, so the name decides whether the file runs before or after Ubuntu's 50-default.conf. To make the discard effective, pick a name that sorts before it, e.g. 10-xscores.conf.