onelesd

Reputation: 81

Block IP address which matches a rule

The following will drop packets which contain the string specified:

iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --algo bm --string "[email protected]"

The string is one which a botnet spammer uses (from 1000's upon 1000's of ip addresses) to hammer my email servers constantly. This rule is somewhat effective, but doesn't stop the connections. I'd like it to -j DROP the IP as well after a match. Can I do this in iptables without going to userspace?

Upvotes: 2

Views: 556

Answers (1)

PaRa

Reputation: 21

This particular scanner always greets with EHLO 192.168.2.33. Use these rules to stop them:

iptables -t raw -A PREROUTING -i eth+ -p tcp --dport 25 -m string --string "192.168.2.33" --algo bm -m recent --set --name SBOT
iptables -I INPUT -i eth+ -p tcp --dport 25 -m recent --rcheck --name SBOT -j REJECT --reject-with tcp-reset

or maybe this will help:

iptables -A FORWARD -m string --algo bm --string "[email protected]" -j DROP

Upvotes: 2
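As an added example, not code from the question or the answer, the script below puts the answer's `-m recent` idea into one rule set for the asker's FORWARD-chain setup: a packet carrying the spammer's string marks its source in an xt_recent list, and further connections from that source are dropped for an hour before they reach the string match or the mail server. The interface `eth+`, the list name `SBOT`, the one-hour timeout and the placeholder pattern are assumptions; set `DRY_RUN=1` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the question or answer): block a sender inside netfilter
# after a string match, using xt_recent instead of a userspace helper.
# Assumptions: incoming interface eth+, SMTP on tcp/25, list name SBOT, the FORWARD
# chain as in the question (use CHAIN=INPUT for a mail server on the firewall itself).

CHAIN="${CHAIN:-FORWARD}"
PATTERN="${PATTERN:-PLACEHOLDER-SPAMMER-STRING}"   # the string from the asker's rule
LIST="SBOT"
BLOCK_SECONDS=3600

# With DRY_RUN set, print the rule instead of applying it (no root needed).
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

install_rules() {
    # Rule A: a port-25 packet carrying the pattern marks its source in the list
    #         and is dropped.  Inserted first so that rule B lands above it.
    run -I "$CHAIN" -i eth+ -p tcp --dport 25 \
        -m string --algo bm --string "$PATTERN" \
        -m recent --name "$LIST" --set -j DROP
    # Rule B: anything from a source seen within BLOCK_SECONDS is dropped before
    #         it reaches the string match or the server.  --update refreshes the
    #         timestamp, so a sender that keeps retrying stays blocked.
    run -I "$CHAIN" -i eth+ -p tcp --dport 25 \
        -m recent --name "$LIST" --update --seconds "$BLOCK_SECONDS" -j DROP
}

# Sources currently in the list, with last-seen times and hit counts.
show_blocked() {
    cat "/proc/net/xt_recent/$LIST" 2>/dev/null \
        || echo "list $LIST not present (xt_recent not loaded or no rules yet)"
}

# Remove one address from the list, e.g. after a false positive.
unblock() {
    echo "-$1" > "/proc/net/xt_recent/$LIST"
}

case "${1:-}" in
    apply) install_rules ;;
    show)  show_blocked ;;
    unblock) unblock "$2" ;;
esac
```

Run as `sh block-sbot.sh apply` once; the list persists across connections, and `sh block-sbot.sh show` lists the addresses currently held.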
