If you want to allow ports 80 and 443, you can add one more rule for the INPUT chain:

iptables -I INPUT 1 -m set --match-set banlists src -j DROP
iptables -I INPUT 1 -p tcp -m multiport --dports 80,443 -j ACCEPT

and one more rule for the FORWARD chain:

iptables -I FORWARD 1 -m set --match-set banlists src -j DROP
iptables -I FORWARD 1 -p tcp -m multiport --dports 80,443 -j ACCEPT
The previous rules will allow access to ports 80 and 443 for all IPs. To apply a rate limit to the banlists ipset, you can use:

# with -I 1 each command lands on top of the chain, so the last one typed is inspected first:
# the --update/DROP rule must end up above the --set/ACCEPT rule, otherwise the ACCEPT
# matches every new connection and the hit counter never triggers
iptables -I INPUT 1 -m set --match-set banlists src -j DROP
iptables -I INPUT 1 -p tcp -m multiport --dports 80,443 -m state --state NEW -m set --match-set banlists src -m recent --set -j ACCEPT
iptables -I INPUT 1 -p tcp -m multiport --dports 80,443 -m state --state NEW -m set --match-set banlists src -m recent --update --seconds 120 --hitcount 10 -j DROP
An easier way (IMO) is to use the -A switch instead of -I. Of course, you need to review the complete ruleset to make sure it is set up as required (rules are inspected in order). This way the rules appear in the normal sequence as they are written:

# the --update/DROP rule must precede the --set/ACCEPT rule: otherwise the ACCEPT
# matches every new connection and the rate limit never triggers
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m set --match-set banlists src -m recent --update --seconds 120 --hitcount 10 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m set --match-set banlists src -m recent --set -j ACCEPT
iptables -A INPUT -m set --match-set banlists src -j DROP

The same rules need to be applied to the FORWARD chain. You can customize the recent module parameters as needed, namely the hitcount and seconds.
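As an added example (not part of the answer above), a small POSIX shell script that prints the rate-limit rules for a given chain using -A, and simulates how a sequence of iptables -I / -A commands ends up ordered in the chain, so the final order can be checked before anything is loaded. It assumes the ipset named banlists already exists.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Assumes an ipset called "banlists" has already been created.

# rate_limit_rules CHAIN: print the three rules for CHAIN in the order they must
# be inspected: hit-count DROP first, then the --set ACCEPT, then the catch-all DROP.
rate_limit_rules() {
    chain=$1
    printf '%s\n' \
      "iptables -A $chain -p tcp -m multiport --dports 80,443 -m state --state NEW -m set --match-set banlists src -m recent --update --seconds 120 --hitcount 10 -j DROP" \
      "iptables -A $chain -p tcp -m multiport --dports 80,443 -m state --state NEW -m set --match-set banlists src -m recent --set -j ACCEPT" \
      "iptables -A $chain -m set --match-set banlists src -j DROP"
}

# simulate_chain: read "iptables -A CHAIN ..." / "iptables -I CHAIN [N] ..." lines
# on stdin and print the resulting chain order, numbered from the top.
# -A appends at the end; -I inserts at position N (default 1) and shifts the rest down.
simulate_chain() {
    awk '
      $1 == "iptables" && $2 == "-A" { rules[++n] = $0; next }
      $1 == "iptables" && $2 == "-I" {
          pos = ($4 ~ /^[0-9]+$/) ? $4 : 1
          for (i = n; i >= pos; i--) rules[i + 1] = rules[i]
          rules[pos] = $0
          n++
          next
      }
      END { for (i = 1; i <= n; i++) print i ": " rules[i] }
    '
}

# Stand-alone usage: show the effective order for both chains.
for c in INPUT FORWARD; do
    rate_limit_rules "$c" | simulate_chain
done
```

Pipe any set of iptables -I / -A commands into simulate_chain to see the order the kernel will actually walk; with -I 1 the last command typed ends up on top.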