<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Well... you really should take this to the Ubuntu iptables; start there and they may be able to give you a better mail list that deals specifically with iptables:
<div class=""><a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-users" class="">https://lists.ubuntu.com/mailman/listinfo/ubuntu-users</a></div>
<div class=""><br class="">
</div>
<div class="">Having said that you don't necessarily need to use the iptables-extensions --rsource option, you can just use --limit which is in the standard iptables. This is a debian example but works for any iptables based system:</div>
<div class=""><a href="https://debian-administration.org/article/187/Using_iptables_to_rate-limit_incoming_connections" class="">https://debian-administration.org/article/187/Using_iptables_to_rate-limit_incoming_connections</a></div>
<div class=""><br class="">
</div>
<div class="">However, I digress, back to the topic at hand, doing this, is going to send the users client (based on the client) into a tif. It's going to assume the server has gone down and warn the user about a lost connection, I imaging a user who is unwilling
to change his pop interval is going to be even more pissed at having his client pop up with connection lost messages. </div>
<div class=""><br class="">
</div>
<div class="">IMHO it would be far more professional to first implement a rule change (update their agreement, or make a corporate policy change) than inform users not following those policies/agreements that if they don't comply their accounts will be disabled.
This is not only good corporate governance but it is also non-discriminatory, which means the offending user is far less likely to be mad, and far more embarrassed that it had to come to this.</div>
<div class=""><br class="">
</div>
<div class="">Doing what your trying to do, is going to make it look like your servers are not working. The user may not understand why every so often the client complains that the connection to the server is not working, and in fact may result in breach of
contract/policy if no previous policy/agreement has been put into place regarding the issue.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Dec 23, 2016, at 5:06 AM, Marcus Schopen via Info-cyrus <<a href="mailto:info-cyrus@lists.andrew.cmu.edu" class="">info-cyrus@lists.andrew.cmu.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">Hi Bron,<br class="">
<br class="">
I have a user, who logs in every 3 seconds(!) to pop3s with 20 accounts,<br class="">
completely resistant to change his pop interval. I'd like to limit him<br class="">
in the way to allow 20 new connections within 5 minutes, then block his<br class="">
IP for 5 minutes (he is using a static IP) and open the port after five<br class="">
minutes again. I tried the following rule, but that opens the port only<br class="">
if the client keeps quiet and doesn't connect while the block is set.<br class="">
<br class="">
Example:<br class="">
<br class="">
iptables -A INPUT -p tcp -m tcp --dport 995 -m state --state NEW -m recent --set --name pop3s --rsource<br class="">
<br class="">
iptables -A INPUT -p tcp -m tcp --dport 995 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 20 --name pop3s --rsource -j REJECT --reject-with icmp-port-unreachable<br class="">
<br class="">
I know this is off topic and not cyrus specific, but any help would be<br class="">
great.<br class="">
<br class="">
cyrus: 2.4.17 on Ubuntu 14.04 LTS.<br class="">
<br class="">
Ciao<br class="">
Marcus<br class="">
<br class="">
<br class="">
<br class="">
----<br class="">
Cyrus Home Page: <a href="http://www.cyrusimap.org/" class="">http://www.cyrusimap.org/</a><br class="">
List Archives/Info: <a href="http://lists.andrew.cmu.edu/pipermail/info-cyrus/" class="">
http://lists.andrew.cmu.edu/pipermail/info-cyrus/</a><br class="">
To Unsubscribe:<br class="">
<a href="https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus" class="">https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus</a><br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
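<div class="">Added example, not part of either message above and not kernel or project code: a simplified Python model of the recent match, showing why the rule order in the quoted question keeps the port closed for as long as the client keeps retrying, and how evaluating the --rcheck/REJECT rule before the --set rule lets the 300-second window expire. The single source address, the 3-second retry interval and the 20-entry timestamp ring are assumptions of the model.</div>
<pre>
```python
"""Simplified model of the iptables 'recent' match (added example, not kernel code).

Assumptions: one source address, a ring of the last 20 timestamps per
address, and a client that opens one NEW connection every 3 seconds.
"""
from collections import deque

WINDOW = 300    # --seconds 300
HITCOUNT = 20   # --hitcount 20
RING = 20       # assumed per-address timestamp ring size


def rcheck(stamps, now):
    """--rcheck --seconds WINDOW --hitcount HITCOUNT: read-only test."""
    recent = [s for s in stamps if s >= now - WINDOW]
    return len(recent) >= HITCOUNT


def simulate(set_before_check, interval=3, duration=3600):
    """Return the times (seconds) at which a NEW connection is accepted.

    set_before_check=True  -> rule order from the question (--set, then REJECT)
    set_before_check=False -> REJECT rule first; --set only sees accepted packets
    """
    stamps = deque(maxlen=RING)
    accepted = []
    for now in range(0, duration, interval):
        if set_before_check:
            stamps.append(now)      # every attempt is recorded, rejected ones too
            rejected = rcheck(stamps, now)
        else:
            rejected = rcheck(stamps, now)
            if not rejected:
                stamps.append(now)  # REJECT ended traversal before --set
        if not rejected:
            accepted.append(now)
    return accepted


if __name__ == "__main__":
    for order in (True, False):
        ok = simulate(order)
        label = "set first" if order else "check first"
        print(label, "-", len(ok), "accepted, last at", ok[-1], "s")
```
</pre>
<div class="">With --set first, the rejected attempts keep refreshing the list, so nothing is accepted after the first minute; with the check first, the client gets 20 connections per sliding 300-second window.</div>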
</body>
</html>