* iptree question
@ 2009-09-08 6:29 J. Bakshi
2009-09-08 7:57 ` Anatoly Muliarski
0 siblings, 1 reply; 3+ messages in thread
From: J. Bakshi @ 2009-09-08 6:29 UTC (permalink / raw)
To: netfilter
Hello list,
I am opening this new thread as I am working in a new direction with
ipset (as many of you suggested).
The present rules I am using to auto-blacklist IPs are like below
````````````````````````````
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m hashlimit \
--hashlimit 4/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000 \
--hashlimit-mode srcip --hashlimit-name testlimit -j RETURN
# Drop bad IP and put them in blacklist
iptables -A syn-flood -m recent --name blacklist --set -j DROP
`````````````````````````````````
To manage the IPs properly I would like to save the IPs in iptree, which is an
option from ipset. Is there any way to migrate the IPs from ipt_recent
to iptree?
Or a new way as below?
```````````````````
ipset --create blacklistIP iptree --timeout 3600
iptables -A PREROUTING blacklistIP -j DROP
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m hashlimit \
--hashlimit 4/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000 \
--hashlimit-mode srcip --hashlimit-name testlimit -j RETURN
# Drop bad IP
iptables -A syn-flood -j DROP
# save the src IP
ipset -N blacklistIP -j SET --add-set src
ipset -N blacklistIP -j syn-flood
``````````````````````
Am I on the right track?
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: iptree question
2009-09-08 6:29 iptree question J. Bakshi
@ 2009-09-08 7:57 ` Anatoly Muliarski
2009-09-08 8:02 ` J. Bakshi
0 siblings, 1 reply; 3+ messages in thread
From: Anatoly Muliarski @ 2009-09-08 7:57 UTC (permalink / raw)
To: J. Bakshi; +Cc: netfilter
2009/9/8, J. Bakshi <joydeep@infoservices.in>:
> Hello list,
>
> I am opening this new thread as I am working in a new direction with
> ipset ( as many of you suggested ).
>
> The present rules I am using to auto-blacklist IPs are like below
>
> ````````````````````````````
> iptables -N syn-flood
> iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
> iptables -A syn-flood -p tcp --syn -m hashlimit \
> --hashlimit 4/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000 \
> --hashlimit-mode srcip --hashlimit-name testlimit -j RETURN
>
> # Drop bad IP and put them in blacklist
> iptables -A syn-flood -m recent --name blacklist --set -j DROP
> `````````````````````````````````
>
> To manage the IPs properly I would like to save the IPs in iptree, which is an
> option from ipset. Is there any way to migrate the IPs from ipt_recent
> to iptree?
>
> Or a new way as below?
>
> ```````````````````
> ipset --create blacklistIP iptree --timeout 3600
>
> iptables -A PREROUTING blacklistIP -j DROP
>
>
> iptables -N syn-flood
> iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
> iptables -A syn-flood -p tcp --syn -m hashlimit \
> --hashlimit 4/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000 \
> --hashlimit-mode srcip --hashlimit-name testlimit -j RETURN
Then you should insert the following line:
iptables -A syn-flood -j SET --add-set blacklistIP src
>
> # Drop bad IP
> iptables -A syn-flood -j DROP
>
> # save the src IP
> ipset -N blacklistIP -j SET --add-set src
> ipset -N blacklistIP -j syn-flood
> ``````````````````````
That is the wrong syntax. See above.
Remember, an IP in the blacklist will disappear an hour after it was
last added to the set.
--
Best regards
Anatoly Muliarski
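As an added example, not code from the thread or from the ipset project, here is the full ruleset with the correction from the reply above (the SET target adds offenders to the set) together with a one-shot migration of the addresses the `recent` match has already collected, which was the other question in the first mail. The set-match line that replaces the original `-A PREROUTING blacklistIP -j DROP`, the interface name, the `/proc/net/xt_recent` path and line format, and the sample table are my assumptions; the rest follows the thread. With `DRY_RUN=1` the commands are printed instead of executed, so the script can be reviewed without root or the kernel modules.

```shell
#!/bin/sh
# Added example, not code from the thread: the ruleset as corrected by the
# reply above (SET target to add offenders, set match to drop them), plus a
# one-shot migration of the addresses the "recent" match has already stored.
# With DRY_RUN=1 every iptables/ipset command is printed instead of executed.

SET_NAME=${SET_NAME:-blacklistIP}
SET_TIMEOUT=${SET_TIMEOUT:-3600}   # seconds; an entry expires an hour after its last add
IFACE=${IFACE:-eth0}               # assumption: the thread never shows $IFACE's value

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules as the thread intends them, in the order the packet path needs:
# drop known offenders first, then rate-limit SYNs, then record new offenders.
apply_rules() {
    # ipset 2.x/3.x syntax as used in the thread; on ipset 6 the equivalent is
    # "ipset create blacklistIP hash:ip timeout 3600".
    run ipset --create "$SET_NAME" iptree --timeout "$SET_TIMEOUT"
    # Corrected form of "iptables -A PREROUTING blacklistIP -j DROP": set
    # membership is tested with the set match, in the filter table's INPUT chain
    # (my assumption; the reply only corrected the SET target line).
    run iptables -A INPUT -i "$IFACE" -m set --match-set "$SET_NAME" src -j DROP
    run iptables -N syn-flood
    run iptables -A INPUT -i "$IFACE" -p tcp --syn -j syn-flood
    run iptables -A syn-flood -p tcp --syn -m hashlimit \
        --hashlimit 4/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000 \
        --hashlimit-mode srcip --hashlimit-name testlimit -j RETURN
    # The line supplied in the reply: record the source address in the set ...
    run iptables -A syn-flood -j SET --add-set "$SET_NAME" src
    # ... and only then drop the packet. Once the address is in the set, the
    # set-match rule at the top of INPUT drops its packets before they reach this
    # chain, so the entry is not refreshed and expires an hour after it was added;
    # a source that is still flooding is simply caught by hashlimit again.
    run iptables -A syn-flood -j DROP
}

# Constructed sample of a recent-match table, in the "src=A.B.C.D ttl: ..."
# line format of /proc/net/xt_recent/<name> (/proc/net/ipt_recent/<name> on
# older kernels). Assumption: that format; the addresses are documentation ranges.
SAMPLE_RECENT='src=192.0.2.10 ttl: 64 last_seen: 4294 oldest_pkt: 1 4294
src=198.51.100.7 ttl: 58 last_seen: 4300 oldest_pkt: 2 4290 4300'

# Extract the addresses from a recent table read on stdin.
recent_addrs() {
    sed -n 's/^src=\([0-9.]*\).*/\1/p'
}

# Add every address from a recent table file to the set (ipset 2.x "-A" flag).
migrate_recent() {
    table=$1
    set_name=$2
    for ip in $(recent_addrs < "$table"); do
        run ipset -A "$set_name" "$ip"
    done
}

# Usage: DRY_RUN=1 sh blacklist.sh apply
#        sh blacklist.sh migrate /proc/net/xt_recent/blacklist
#        sh blacklist.sh demo      (prints the addresses parsed from the sample)
case "${1:-}" in
    apply)   apply_rules ;;
    migrate) migrate_recent "${2:?path to the recent table}" "$SET_NAME" ;;
    demo)    printf '%s\n' "$SAMPLE_RECENT" | recent_addrs ;;
esac
```

The migration is one-shot by design: the `recent` table has no notion of the set's timeout, so addresses copied over start a fresh hour in the set from the moment they are added, and the `recent` rule can be removed once the `SET` rule is in place.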
* Re: iptree question
2009-09-08 7:57 ` Anatoly Muliarski
@ 2009-09-08 8:02 ` J. Bakshi
0 siblings, 0 replies; 3+ messages in thread
From: J. Bakshi @ 2009-09-08 8:02 UTC (permalink / raw)
To: Anatoly Muliarski; +Cc: netfilter
Anatoly Muliarski wrote:
> 2009/9/8, J. Bakshi <joydeep@infoservices.in>:
>
>> Hello list,
>>
>> I am opening this new thread as I am working in a new direction with
>> ipset ( as many of you suggested ).
>>
>> The present rules I am using to auto-blacklist IPs are like below
>>
>> ````````````````````````````
>> iptables -N syn-flood
>> iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
>> iptables -A syn-flood -p tcp --syn -m hashlimit \
>> --hashlimit 4/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000 \
>> --hashlimit-mode srcip --hashlimit-name testlimit -j RETURN
>>
>> # Drop bad IP and put them in blacklist
>> iptables -A syn-flood -m recent --name blacklist --set -j DROP
>> `````````````````````````````````
>>
>> To manage the IPs properly I would like to save the IPs in iptree, which is an
>> option from ipset. Is there any way to migrate the IPs from ipt_recent
>> to iptree?
>>
>> Or a new way as below?
>>
>> ```````````````````
>> ipset --create blacklistIP iptree --timeout 3600
>>
>> iptables -A PREROUTING blacklistIP -j DROP
>>
>>
>> iptables -N syn-flood
>> iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
>> iptables -A syn-flood -p tcp --syn -m hashlimit \
>> --hashlimit 4/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000 \
>> --hashlimit-mode srcip --hashlimit-name testlimit -j RETURN
>>
>
>
> Then you should insert the following line:
> iptables -A syn-flood -j SET --add-set blacklistIP src
>
>
>> # Drop bad IP
>> iptables -A syn-flood -j DROP
>>
>> # save the src IP
>> ipset -N blacklistIP -j SET --add-set src
>> ipset -N blacklistIP -j syn-flood
>> ``````````````````````
>>
> That is the wrong syntax. See above.
>
> Remember, an IP in the blacklist will disappear an hour after it was
> last added to the set.
>
>
Hello Anatoly,
thanks a lot for your kind guidance on both of my emails. I would like to
experiment with the code as you suggest. But I have discovered that
ipset is not available in the SUSE 11 repo. Hence I need to compile it
from source, or better, find an .rpm for SUSE 11.
Thanks