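# Ferm firewall policy: rate-limit SSH and blackhole abusive sources.
#
# @pre creates the ipset the rules reference before they are loaded
# (-exist makes the create idempotent across reloads); entries age out
# after 600 s. @post flushes the set when ferm tears the rules down.
@pre "ipset -exist create blackhole hash:ip timeout 600";
@post "ipset flush blackhole";

table filter {
    chain INPUT {
        policy DROP;

        # Anything from a blackholed source is dropped first, before any
        # further matching. NOTE(review): this chain has no explicit accept
        # for loopback or ESTABLISHED/RELATED traffic; with policy DROP only
        # new SSH connections get through unless those rules live elsewhere
        # -- confirm against the full ruleset.
        proto all {
            mod set set blackhole src DROP;
        }
        proto tcp {
            dport ssh @subchain SSH-ALL {
                # Track each SSH source in the "SSH" recent list. Once a
                # source exceeds 8 hits within 180 s it is logged, added to
                # the blackhole set (so the rule above keeps dropping it for
                # the ipset timeout) and dropped.
                mod recent name SSH {
                    set NOP;
                    update seconds 180 hitcount 8 @subchain SSH-BLOCKED {
                        # ULOG was removed from the Linux kernel (3.17); on
                        # current systems NFLOG (nflog-group N) is its
                        # replacement -- verify which one the target host has.
                        ULOG log-prefix "Blocked SSH Event per rule $LINE: " ulog-nlgroup 1;
                        SET add-set blackhole src;
                        DROP;
                    }
                }
                # The recent-tracking block must be closed before ACCEPT so
                # that it is emitted as a plain rule; leaving the block open
                # unbalances the braces and would attach a bare
                # `-m recent --name SSH` (no --set/--update) to the ACCEPT
                # rule, which iptables rejects.
                ACCEPT;
            }
        }
    }
}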