* iptables - how to create a rule that expires automatically
From: Colin Davis @ 2009-02-19 17:10 UTC
To: netfilter
Hi,
Not sure if this is possible. I wish to create a rule that once created will
automatically expire (and be removed) after say 10 minutes.
Please
Many thanks,
Colin.
* Re: iptables - how to create a rule that expires automatically
From: Simon Gray @ 2009-02-19 17:32 UTC
To: Colin Davis; +Cc: netfilter

Colin Davis wrote:
> Hi,
>
> Not sure if this is possible. I wish to create a rule that once
> created will
> automatically expire (and be removed) after say 10 minutes.

Use cron

SG
* Re: iptables - how to create a rule that expires automatically
From: Ivan Petrushev @ 2009-02-19 17:36 UTC
To: Colin Davis; +Cc: netfilter

I'm not sure if that can be done with the netfilter itself.
You could always get a script into crontab to check if the rule is
matched (iptables ... -L -n -v will show you the number of packets matched
by the rule) and set up some sort of a timer.

Ivan

On Thu, Feb 19, 2009 at 7:10 PM, Colin Davis <col@colsmemory.co.uk> wrote:
> Hi,
>
> Not sure if this is possible. I wish to create a rule that once created will
> automatically expire (and be removed) after say 10 minutes.
>
> Please
>
> Many thanks,
> Colin.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: iptables - how to create a rule that expires automatically
From: Colin Davis @ 2009-02-19 17:42 UTC
To: Ivan Petrushev; +Cc: netfilter

Thanks Ivan, I was hoping to be able to do this directly using a rule
without writing a script / using cron but looks like that's what I'm going
to have to do.

Colin.

Ivan Petrushev wrote:
> I'm not sure if that can be done with the netfilter itself.
> You could always get a script into crontab to check if the rule is
> matched (iptables ... -L -n -v will show you number of packets matched
> by the rule) and set up some sort of a timer.
>
> Ivan
* Re: iptables - how to create a rule that expires automatically
From: Peter Renzland @ 2009-02-19 17:56 UTC
To: Colin Davis; +Cc: netfilter

I would write a simple script "ipoff NN" which takes the same
arguments as iptables (after NN), converts -I and -A to -D, etc, and
sleeps NN minutes before doing the cancel.

Then, after running the command that sets up the rule, I would just
arrow up and change iptables to ipoff NN.
That would be *very usable*, IMHO.

(I most definitely would not use cron or at, since those tools do not
naturally match the problem at all.)

Peter

On 09 Feb 19, at 12:42 , Colin Davis wrote:
> Thanks Ivan, I was hoping to be able to do this directly using a rule
> without writing a script / using cron but looks like that's what I'm
> going to have to do.
>
> Colin.
* Re: iptables - how to create a rule that expires automatically
From: Colin Davis @ 2009-02-19 18:14 UTC
To: Peter Renzland; +Cc: netfilter

Thanks Peter, definitely pointed me in a better direction.

Colin.

Peter Renzland wrote:
> I would write a simple script "ipoff NN" which takes the same
> arguments as iptables (after NN), converts -I and -A to -D, etc, and
> sleeps NN minutes before doing the cancel.
>
> Then, after running the command that sets up the rule, I would just
> arrow up and change iptables to ipoff NN.
> That would be *very usable*, IMHO.
>
> (I most definitely would not use cron or at, since those tools do not
> naturally match the problem at all.)
>
> Peter
* Re: iptables - how to create a rule that expires automatically
From: Peter Renzland @ 2009-02-19 18:15 UTC
To: Colin Davis, netfilter

On second thought:

iptemp NN ...

where ... are the iptables arguments

or, if needed very occasionally, do it "by hand":

run the rule, arrow up, append ")&", arrow left to ...
change -I (etc) to -D (etc), prepend "(sleep nnn;"

Peter

On 09 Feb 19, at 12:56 , Peter Renzland wrote:
> I would write a simple script "ipoff NN" which takes the same
> arguments as iptables (after NN), converts -I and -A to -D, etc, and
> sleeps NN minutes before doing the cancel.
>
> Then, after running the command that sets up the rule, I would just
> arrow up and change iptables to ipoff NN.
> That would be *very usable*, IMHO.
>
> (I most definitely would not use cron or at, since those tools do
> not naturally match the problem at all.)
>
> Peter
* Re: iptables - how to create a rule that expires automatically
From: Ivan Petrushev @ 2009-02-19 18:17 UTC
To: Peter Renzland; +Cc: Colin Davis, netfilter

You will have a daemon hanging in background. If it happens to be killed
your rule will not be removed from iptables.
Besides that it is a nice solution, but I think cron plus a decent script
does really solve the problem fine.

On Thu, Feb 19, 2009 at 7:56 PM, Peter Renzland <peter@dancing.org> wrote:
> I would write a simple script "ipoff NN" which takes the same arguments as
> iptables (after NN), converts -I and -A to -D, etc, and sleeps NN minutes
> before doing the cancel.
>
> Then, after running the command that sets up the rule, I would just arrow up
> and change iptables to ipoff NN.
> That would be *very usable*, IMHO.
>
> (I most definitely would not use cron or at, since those tools do not
> naturally match the problem at all.)
>
> Peter
* RE: iptables - how to create a rule that expires automatically
From: Gilad Benjamini @ 2009-02-19 18:18 UTC
To: netfilter

One thing to note is that you actually delete the exact same rule you
added. There is no built-in method to do that.
I can think of a few ideas how to verify that (with high probability, not
100%) but it really depends on the actual requirements.

> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Peter Renzland
> Sent: Thursday, February 19, 2009 9:57 AM
> To: Colin Davis
> Cc: netfilter@vger.kernel.org
> Subject: Re: iptables - how to create a rule that expires automatically
>
> I would write a simple script "ipoff NN" which takes the same
> arguments as iptables (after NN), converts -I and -A to -D, etc, and
> sleeps NN minutes before doing the cancel.
>
> Then, after running the command that sets up the rule, I would just
> arrow up and change iptables to ipoff NN.
> That would be *very usable*, IMHO.
>
> (I most definitely would not use cron or at, since those tools do not
> naturally match the problem at all.)
>
> Peter
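Peter's "ipoff NN" wrapper, with Ivan's objection (a background sleeper that dies leaves the rule in place) and Gilad's caveat (nothing guarantees you delete the very rule you added) worked through as an added example; this is not a script from the thread. It assumes a POSIX sh and that the iptables binary is named by the IPTABLES variable (default iptables), so the deletion step can be pointed at a stand-in for a dry run.

```shell
#!/bin/sh
# ipoff: add an iptables rule now and delete it again after NN minutes.
# Added example for this thread, not a script from the list. Assumes a POSIX
# sh and an iptables binary named by $IPTABLES (default: iptables).

IPTABLES=${IPTABLES:-iptables}

# ipoff_delete ARGS...: run $IPTABLES with ARGS rewritten so that the rule the
# same arguments added is deleted: -A/--append and -I/--insert become -D, and
# an optional numeric position after the -I chain name is dropped, because -D
# takes a match specification rather than a position.
ipoff_delete() {
    n=$#
    state=0   # 1: next arg is the -I chain name; 2: next arg may be a position
    while [ "$n" -gt 0 ]; do
        a=$1; shift; n=$((n - 1))
        case $state in
            1) state=2 ;;
            2) state=0
               case $a in
                   ''|*[!0-9]*) ;;       # not numeric: keep it
                   *) continue ;;        # rule position: drop it
               esac ;;
        esac
        case $a in
            -A|--append) a=-D ;;
            -I|--insert) a=-D; state=1 ;;
        esac
        set -- "$@" "$a"                 # rotate the rewritten arg to the end
    done
    "$IPTABLES" "$@"
}

# ipoff MINUTES ARGS...: add the rule, then delete it MINUTES minutes later.
ipoff() {
    minutes=${1-}
    case $minutes in
        ''|*[!0-9]*) echo "usage: ipoff MINUTES iptables-arguments..." >&2; return 2 ;;
    esac
    shift
    "$IPTABLES" "$@" || return 1
    # The sleeper ignores SIGHUP so closing the terminal does not kill it.
    # If it is killed anyway (Ivan's objection) the rule stays; the pid is
    # printed so an operator can find it, or cancel the timer on purpose.
    (
        trap '' HUP
        sleep "$((minutes * 60))"
        ipoff_delete "$@" || echo "ipoff: delete failed, rule may still be present: $*" >&2
    ) &
    echo "ipoff: rule added, deletion in $minutes min (sleeper pid $!)"
}

# Stand-alone use: ipoff.sh MINUTES iptables-arguments...
[ "$#" -ge 2 ] && ipoff "$@"
```

Running `ipoff 10 -I INPUT -s 192.0.2.1 -j DROP` adds the rule and prints the sleeper's pid, so the timer can be cancelled with `kill` if the block should stay. On Gilad's point: `iptables -D` with a match specification removes the first rule in the chain whose specification is identical, so if an equal rule already existed the wrapper removes that one instead; giving the temporary rule a unique `-m comment --comment` marker makes the two distinguishable, as long as the marker is not reused. `trap '' HUP` only protects the sleeper from the terminal closing; a reboot or an explicit kill still leaves the rule behind, which is the case the in-kernel approaches mentioned later in this thread avoid.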
* RE: iptables - how to create a rule that expires automatically
From: Gilad Benjamini @ 2009-02-19 17:48 UTC
To: 'Colin Davis', netfilter

A script, possibly with crontab or at, is your best bet.
For some scenarios it might be easier to use the "condition" match, and
have your script change the proc value rather than the actual chain.

> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Colin Davis
> Sent: Thursday, February 19, 2009 9:11 AM
> To: netfilter@vger.kernel.org
> Subject: iptables - how to create a rule that expires automatically
>
> Hi,
>
> Not sure if this is possible. I wish to create a rule that once created
> will
> automatically expire (and be removed) after say 10 minutes.
>
> Please
>
> Many thanks,
> Colin.
* Re: iptables - how to create a rule that expires automatically
From: G.W. Haywood @ 2009-02-19 18:36 UTC
To: Colin Davis; +Cc: netfilter

Hi there,

On Thu, 19 Feb 2009, Colin Davis wrote:
> Not sure if this is possible. I wish to create a rule that once created will
> automatically expire (and be removed) after say 10 minutes.

You can do it with iptree, part of ipset.

--
73,
Ged.
* Re: iptables - how to create a rule that expires automatically
From: Mart Frauenlob @ 2009-02-20 9:01 UTC
To: netfilter

netfilter-owner@vger.kernel.org wrote:
> Not sure if this is possible. I wish to create a rule that once
> created will
> automatically expire (and be removed) after say 10 minutes.
>
> Please
>
> Many thanks,
> Colin.

Hello,

you did not tell much about your circumstances, but maybe worth taking a
look at fail2ban:
http://www.fail2ban.org

As its main goal seems to be to temporarily lock out certain hosts.

Greets

Mart
* Re: iptables - how to create a rule that expires automatically
From: Michael Schwartzkopff @ 2009-02-20 9:16 UTC
To: netfilter

On Friday, 20 February 2009 10:01:37, Mart Frauenlob wrote:
> netfilter-owner@vger.kernel.org wrote:
> > Not sure if this is possible. I wish to create a rule that once
> > created will
> > automatically expire (and be removed) after say 10 minutes.
> >
> > Please
> >
> > Many thanks,
> > Colin.
>
> Hello,
>
> you did not tell much about your circumstances, but maybe worth taking a
> look at fail2ban:
> http://www.fail2ban.org
>
> As its main goal seems to be to temporarily lock out certain hosts.
>
> Greets
>
> Mart

Or you could utilize the recent module. See man iptables for more info
about recent.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: misch@multinet.de
web: www.multinet.de
Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
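The recent-module approach Michael mentions, written out as an added example (not code from the thread): the kernel does the expiry, so no sleeper or cron job has to outlive the rule. Assumptions are a Linux host with the xt_recent match, the list name tempban, a 600-second window, and the modern /proc/net/xt_recent path (overridable through RECENT_DIR so the proc writes can be exercised against a scratch directory). The address check exists because a script like this usually gets its input from a log line, and the proc interface takes whatever string it is handed.

```shell
#!/bin/sh
# Temporary block with the xt_recent match: the rule matches an address only
# while it was added less than BAN_SECONDS ago, so the ban lapses by itself.
# Added example for this thread, not a script from the list. Assumes iptables
# with xt_recent; list name, window and proc path are this example's choices.

IPTABLES=${IPTABLES:-iptables}
RECENT_DIR=${RECENT_DIR:-/proc/net/xt_recent}
LIST=tempban
BAN_SECONDS=600

# valid_ipv4 ADDR: succeed only for a plain dotted quad, so a value lifted
# from a log line cannot carry extra text into the proc write.
# Runs in a subshell so the IFS change and set -- do not leak out.
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# tempban_rule: install the match once. --rcheck (not --update) means the
# clock is the time the address was added, so a host that keeps knocking is
# still released after BAN_SECONDS instead of extending its own ban.
tempban_rule() {
    "$IPTABLES" -I INPUT -m recent --name "$LIST" --rcheck \
        --seconds "$BAN_SECONDS" -j DROP
}

# tempban_add ADDR: start the clock for ADDR by adding it to the list.
# Writing "+addr" to the list's proc file adds (or refreshes) an entry.
tempban_add() {
    valid_ipv4 "$1" || { echo "tempban_add: bad address '$1'" >&2; return 2; }
    printf '%s%s\n' + "$1" > "$RECENT_DIR/$LIST"
}

# tempban_remove ADDR: lift the block early. Writing "-addr" removes an entry.
tempban_remove() {
    valid_ipv4 "$1" || { echo "tempban_remove: bad address '$1'" >&2; return 2; }
    printf '%s%s\n' - "$1" > "$RECENT_DIR/$LIST"
}

# Stand-alone use: tempban.sh rule | add ADDR | del ADDR
case ${1-} in
    rule) tempban_rule ;;
    add)  tempban_add "${2-}" ;;
    del)  tempban_remove "${2-}" ;;
esac
```

Two details worth knowing before relying on this: the match decides per packet from the entry's timestamp, so the entry itself stays in the list after it has stopped matching until the list is full (the module's ip_list_tot parameter, 100 entries by default) or it is removed; newer iptables also offers --reap to purge stale entries. If the window has to be per address, or the number of blocked hosts is large, an ipset of type hash:ip created with a timeout and matched with -m set is the current form of the iptree Ged points at, and it expires entries in the kernel in the same way.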