1
Allows you to dynamically create a list of IP addresses and then match
2
against that list in a few different ways.
4
For example, you can create a `badguy' list out of people attempting
5
to connect to port 139 on your firewall and then DROP all future
6
packets from them without considering them.
9
Specify the list to use for the commands. If no name is given then 'DEFAULT'
13
This will add the source address of the packet to the list. If the
14
source address is already in the list, this will update the existing
15
entry. This will always return success (or failure if `!' is passed
18
[\fB!\fR] \fB--rcheck\fR
19
Check if the source address of the packet is currently in
22
[\fB!\fR] \fB--update\fR
23
Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
26
[\fB!\fR] \fB--remove\fR
27
Check if the source address of the packet is currently in the list and
28
if so that address will be removed from the list and the rule will
29
return true. If the address is not found, false is returned.
31
[\fB!\fR] \fB--seconds \fIseconds\fR
32
This option must be used in conjunction with one of \fB--rcheck\fR or
33
\fB--update\fR. When used, this will narrow the match to only happen
34
when the address is in the list and was seen within the last given
37
[\fB!\fR] \fB--hitcount \fIhits\fR
38
This option must be used in conjunction with one of \fB--rcheck\fR or
39
\fB--update\fR. When used, this will narrow the match to only happen
40
when the address is in the list and packets had been received greater
41
than or equal to the given value. This option may be used along with
42
\fB--seconds\fR to create an even narrower match requiring a certain
43
number of hits within a specific time frame.
46
This option must be used in conjunction with one of \fB--rcheck\fR or
47
\fB--update\fR. When used, this will narrow the match to only happen
48
when the address is in the list and the TTL of the current packet
49
matches that of the packet which hit the \fB--set\fR rule. This may be
50
useful if you have problems with people faking their source address in
51
order to DoS you via this module by disallowing others access to your
52
site by sending bogus packets to you.
56
# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
58
# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
60
Official website (http://snowman.net/projects/ipt_recent/) also has
61
some examples of usage.
63
/proc/net/ipt_recent/* are the current lists of addresses and information
64
about each entry of each list.
66
Each file in /proc/net/ipt_recent/ can be read from to see the current list
67
or written two using the following commands to modify the list:
69
echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
70
to Add to the DEFAULT list
72
echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
73
to Remove from the DEFAULT list
75
echo clear > /proc/net/ipt_recent/DEFAULT
76
to empty the DEFAULT list.
78
The module itself accepts parameters, defaults shown:
80
.BI "ip_list_tot=" "100"
81
Number of addresses remembered per table
83
.BI "ip_pkt_list_tot=" "20"
84
Number of packets per address remembered
86
.BI "ip_list_hash_size=" "0"
87
Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
89
.BI "ip_list_perms=" "0644"
90
Permissions for /proc/net/ipt_recent/* files
93
Set to 1 to get lots of debugging info
added
removed
extensions/libipt_recent.man
