* iptables - how to create a rule that expires automatically
@ 2009-02-19 17:10 Colin Davis
From: Colin Davis @ 2009-02-19 17:10 UTC (permalink / raw)
To: netfilter
Hi,
Not sure if this is possible. I wish to create a rule that once created will
automatically expire (and be removed) after say 10 minutes.
Please
Many thanks,
Colin.
* Re: iptables - how to create a rule that expires automatically
From: Simon Gray @ 2009-02-19 17:32 UTC (permalink / raw)
To: Colin Davis; +Cc: netfilter
Colin Davis wrote:
>
> Hi,
>
> Not sure if this is possible. I wish to create a rule that once
> created will
> automatically expire (and be removed) after say 10 minutes.
Use cron
SG
* Re: iptables - how to create a rule that expires automatically
From: Ivan Petrushev @ 2009-02-19 17:36 UTC (permalink / raw)
To: Colin Davis; +Cc: netfilter
I'm not sure if that can be done with the netfilter itself.
You could always get a script into crontab to check if the rule is
matched (iptables ... -L -n -v will show you number of packets matched
by the rule) and set up some sort of a timer.
Ivan
On Thu, Feb 19, 2009 at 7:10 PM, Colin Davis <col@colsmemory.co.uk> wrote:
>
> Hi,
>
> Not sure if this is possible. I wish to create a rule that once created will
> automatically expire (and be removed) after say 10 minutes.
>
> Please
>
> Many thanks,
> Colin.
* Re: iptables - how to create a rule that expires automatically
From: Colin Davis @ 2009-02-19 17:42 UTC (permalink / raw)
To: Ivan Petrushev; +Cc: netfilter
Thanks Ivan, I was hoping to be able to do this directly using a rule
without writing a script / using cron but looks like that's what I'm going
to have to do.
Colin.
Ivan Petrushev wrote:
> I'm not sure if that can be done with the netfilter itself.
> You could always get a script into crontab to check if the rule is
> matched (iptables ... -L -n -v will show you number of packets matched
> by the rule) and set up some sort of a timer.
>
> Ivan
* RE: iptables - how to create a rule that expires automatically
From: Gilad Benjamini @ 2009-02-19 17:48 UTC (permalink / raw)
To: 'Colin Davis', netfilter
A script, possibly with crontab or at, is your best bet.
For some scenarios it might be easier to use the "condition" match, and have
your script change the proc value rather than the actual chain.
> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-
> owner@vger.kernel.org] On Behalf Of Colin Davis
> Sent: Thursday, February 19, 2009 9:11 AM
> To: netfilter@vger.kernel.org
> Subject: iptables - how to create a rule that expires automatically
>
>
> Hi,
>
> Not sure if this is possible. I wish to create a rule that once created
> will
> automatically expire (and be removed) after say 10 minutes.
>
> Please
>
> Many thanks,
> Colin.
* Re: iptables - how to create a rule that expires automatically
From: Peter Renzland @ 2009-02-19 17:56 UTC (permalink / raw)
To: Colin Davis; +Cc: netfilter
I would write a simple script "ipoff NN" which takes the same
arguments as iptables (after NN), converts -I and -A to -D, etc, and
sleeps NN minutes before doing the cancel.
Then, after running the command that sets up the rule, I would just
arrow up and change iptables to ipoff NN.
That would be *very usable*, IMHO.
(I most definitely would not use cron or at, since those tools do not
naturally match the problem at all.)
Peter
On 09 Feb 19, at 12:42, Colin Davis wrote:
>
> Thanks Ivan, I was hoping to be able to do this directly using a rule
> without writing a script / using cron but looks like that's what I'm
> going
> to have to do.
>
> Colin.
* Re: iptables - how to create a rule that expires automatically
From: Colin Davis @ 2009-02-19 18:14 UTC (permalink / raw)
To: Peter Renzland; +Cc: netfilter
Thanks Peter, definitely pointed me in a better direction.
Colin.
Peter Renzland wrote:
> I would write a simple script "ipoff NN" which takes the same
> arguments as iptables (after NN), converts -I and -A to -D, etc, and
> sleeps NN minutes before doing the cancel.
>
> Then, after running the command that sets up the rule, I would just
> arrow up and change iptables to ipoff NN.
> That would be *very usable*, IMHO.
>
> (I most definitely would not use cron or at, since those tools do not
> naturally match the problem at all.)
>
>
> Peter
* Re: iptables - how to create a rule that expires automatically
From: Peter Renzland @ 2009-02-19 18:15 UTC (permalink / raw)
To: Colin Davis, netfilter
On second thought:
iptemp NN ...
where ... are the iptables arguments
or, if needed very occasionally, do it "by hand":
run the rule,
arrow up, append ")&", arrow left to ... change -I (etc) to -D (etc),
prepend "(sleep nnn;"
Peter
On 09 Feb 19, at 12:56, Peter Renzland wrote:
> I would write a simple script "ipoff NN" which takes the same
> arguments as iptables (after NN), converts -I and -A to -D, etc, and
> sleeps NN minutes before doing the cancel.
>
> Then, after running the command that sets up the rule, I would just
> arrow up and change iptables to ipoff NN.
> That would be *very usable*, IMHO.
>
> (I most definitely would not use cron or at, since those tools do
> not naturally match the problem at all.)
>
>
> Peter
* Re: iptables - how to create a rule that expires automatically
From: Ivan Petrushev @ 2009-02-19 18:17 UTC (permalink / raw)
To: Peter Renzland; +Cc: Colin Davis, netfilter
You will have a daemon hanging in background. If it happens to be
killed your rule will not be removed from iptables. Besides that it is
a nice solution, but I think cron plus a decent script really does
solve the problem fine.
On Thu, Feb 19, 2009 at 7:56 PM, Peter Renzland <peter@dancing.org> wrote:
> I would write a simple script "ipoff NN" which takes the same arguments as
> iptables (after NN), converts -I and -A to -D, etc, and sleeps NN minutes
> before doing the cancel.
>
> Then, after running the command that sets up the rule, I would just arrow up
> and change iptables to ipoff NN.
> That would be *very usable*, IMHO.
>
> (I most definitely would not use cron or at, since those tools do not
> naturally match the problem at all.)
>
>
> Peter
* RE: iptables - how to create a rule that expires automatically
From: Gilad Benjamini @ 2009-02-19 18:18 UTC (permalink / raw)
To: netfilter
One thing to note is that you actually delete the exact same rule you added.
There is no built-in method to do that.
I can think of a few ideas how to verify that (with high probability, not
100%) but it really depends on the actual requirements.
> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-
> owner@vger.kernel.org] On Behalf Of Peter Renzland
> Sent: Thursday, February 19, 2009 9:57 AM
> To: Colin Davis
> Cc: netfilter@vger.kernel.org
> Subject: Re: iptables - how to create a rule that expires automatically
>
> I would write a simple script "ipoff NN" which takes the same
> arguments as iptables (after NN), converts -I and -A to -D, etc, and
> sleeps NN minutes before doing the cancel.
>
> Then, after running the command that sets up the rule, I would just
> arrow up and change iptables to ipoff NN.
> That would be *very usable*, IMHO.
>
> (I most definitely would not use cron or at, since those tools do not
> naturally match the problem at all.)
>
>
> Peter
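Peter's "ipoff NN" / "iptemp NN" wrapper and Gilad's point that the timer must delete the exact rule that was added, carried through as a working script. This is an added example written for this thread, not code posted by any participant; the wrapper name, the IPTABLES override variable used for a dry run, and the sample address 203.0.113.7 are assumptions.

```shell
#!/bin/sh
# ipoff: add an iptables rule, then remove that same rule after MINUTES.
# Added illustration of the "ipoff NN" idea from this thread, not code
# posted to the list. Assumptions: the wrapper name, and that IPTABLES may
# be pointed at another command for a dry run (e.g. IPTABLES=echo).
#
# usage: ipoff MINUTES -A|-I CHAIN [rulenum] rule-spec...
IPTABLES="${IPTABLES:-iptables}"

ipoff() {
    if [ "$#" -lt 3 ]; then
        echo "usage: ipoff MINUTES -A|-I CHAIN [rulenum] rule-spec..." >&2
        return 2
    fi
    minutes="$1"; op="$2"; chain="$3"; shift 3
    case "$minutes" in
        ''|*[!0-9]*) echo "ipoff: MINUTES must be a whole number" >&2; return 2 ;;
    esac

    # Only the optional rule number after "-I CHAIN" is position dependent;
    # everything after it is the rule specification that -D can match on.
    rulenum=""
    case "$op" in
        -A|--append) ;;
        -I|--insert)
            case "${1:-x}" in
                *[!0-9]*) ;;                # no rule number given
                *) rulenum="$1"; shift ;;   # "-I CHAIN 3 rule-spec..."
            esac ;;
        *)  echo "ipoff: expected -A or -I as first iptables argument, got '$op'" >&2
            return 2 ;;
    esac

    # Add the rule exactly as typed, rule number included.
    "$IPTABLES" "$op" "$chain" ${rulenum:+"$rulenum"} "$@" || return $?

    # Expire it in the background. The delete is by rule specification, not
    # by position: "-D CHAIN 3" would remove whatever sits at position 3 when
    # the timer fires, which need not be our rule. If an identical rule was
    # added twice, -D removes only one copy; if the rule was removed by hand
    # before expiry, -D fails and we report it rather than hide it.
    (
        sleep "$((minutes * 60))"
        "$IPTABLES" -D "$chain" "$@" ||
            echo "ipoff: rule '$chain $*' was already gone at expiry" >&2
    ) &
}

# Run as a script, e.g.: ipoff 10 -I INPUT -s 203.0.113.7 -j DROP
if [ "$#" -gt 0 ]; then
    ipoff "$@"
fi
```

Ivan's objection still applies: the sleeping subshell is the timer, so if it is killed the rule stays in place. For anything beyond an interactive one-off, the same "-D CHAIN rule-spec" delete belongs in an at job or in the cron-driven script the other replies describe.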
* Re: iptables - how to create a rule that expires automatically
From: G.W. Haywood @ 2009-02-19 18:36 UTC (permalink / raw)
To: Colin Davis; +Cc: netfilter
Hi there,
On Thu, 19 Feb 2009, Colin Davis wrote:
> Not sure if this is possible. I wish to create a rule that once created will
> automatically expire (and be removed) after say 10 minutes.
You can do it with iptree, part of ipset.
--
73,
Ged.
* Re: iptables - how to create a rule that expires automatically
From: Mart Frauenlob @ 2009-02-20 9:01 UTC (permalink / raw)
To: netfilter
netfilter-owner@vger.kernel.org wrote:
> Not sure if this is possible. I wish to create a rule that once
> created will
> automatically expire (and be removed) after say 10 minutes.
>
> Please
>
> Many thanks,
> Colin.
>
Hello,
you did not tell much about your circumstances, but maybe worth taking a
look at fail2ban:
http://www.fail2ban.org
As its main goal seems to be temporarily locking out certain hosts.
Greets
Mart
* Re: iptables - how to create a rule that expires automatically
From: Michael Schwartzkopff @ 2009-02-20 9:16 UTC (permalink / raw)
To: netfilter
On Friday, 20 February 2009 10:01:37, Mart Frauenlob wrote:
> netfilter-owner@vger.kernel.org wrote:
> > Not sure if this is possible. I wish to create a rule that once
> > created will
> > automatically expire (and be removed) after say 10 minutes.
> >
> > Please
> >
> > Many thanks,
> > Colin.
>
> Hello,
>
> you did not tell much about your circumstances, but maybe worth taking a
> look at fail2ban:
> http://www.fail2ban.org
>
> As its main goal seems to be temporarily locking out certain hosts.
>
> Greets
>
> Mart
Or you could utilize the recent module. See man iptables for more info about
recent.
--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: misch@multinet.de
web: www.multinet.de
Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42