[ic] IC not responding

Sandy Thomson sandy at scotwebshops.com
Thu Nov 17 09:56:08 EST 2005


Peter wrote:

> Try something like (off the top of my head, untested):
>
> iptables -I INPUT -s %s -j DROP; echo 'iptables -D INPUT -s %s -j 
> DROP' | at now + 1 hours


That's pretty neat, I have never heard of the at command. Surely if you were being hammered by multiple IPs, that would leave loads of at processes hanging around?

On another note, I don't think you should let interchange have clear access to iptables for fairly obvious reasons; you can configure sudo to allow access to a command with limited arguments (i.e. something like iptables -I INPUT -s (\d*.\d*.\d*.\d*)/32 -j DROP; to limit access) so the interchange user can't do things like iptables -I INPUT -s 0.0.0.0/0 -j DROP. An even better solution would be to use something like grsecurity, which I am planning to tinker with in the near future.
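As an added example (not code from this thread or from Interchange), here is one way to give the interchange user a tightly limited blocking capability: sudo grants a small wrapper script rather than iptables itself, and the wrapper validates its single address argument and builds the fixed command. The install path /usr/local/sbin/block-ip and the user name interchange are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. The interchange user runs
# "sudo /usr/local/sbin/block-ip ADDR"; sudoers grants only this script
# (assumed path and user name):
#   interchange ALL=(root) NOPASSWD: /usr/local/sbin/block-ip
# The script accepts exactly one plain IPv4 address, adds the /32 itself,
# and refuses anything else, so 0.0.0.0/0 or extra arguments cannot get in.

# Return 0 only for a dotted quad with four octets in 0..255, not 0.0.0.0.
validate_ip4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and dots only, no empty fields
    esac
    # Must be exactly four fields.
    n=$(printf '%s\n' "$ip" | awk -F. '{print NF}')
    [ "$n" -eq 4 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    # Reject the unspecified address outright.
    [ "$ip" != "0.0.0.0" ]
}

# Print the exact iptables command to run for a validated address.
# Returning it as text keeps the decision separate from execution.
block_cmd() {
    validate_ip4 "$1" || return 1
    printf 'iptables -I INPUT -s %s/32 -j DROP\n' "$1"
}

# Entry point: block-ip 203.0.113.7 (address constructed for illustration).
# Runs as root via sudo, so iptables is called directly here.
if [ -n "$1" ]; then
    cmd=$(block_cmd "$1") || { echo "refused: $1" >&2; exit 1; }
    exec $cmd
fi
```

Granting the wrapper instead of iptables with a wildcard argument avoids relying on sudoers glob matching to filter arguments, which is easy to get wrong.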


More information about the interchange-users mailing list