Allows you to dynamically create a list of IP addresses and then match
against that list in a few different ways.

For example, you can create a `badguy' list out of people attempting
to connect to port 139 on your firewall and then DROP all future
packets from them without considering them.
.TP
.BI "--name " "name"
Specify the list to use for the commands. If no name is given then 'DEFAULT'
will be used.
.TP
[\fB!\fR] \fB--set\fR
This will add the source address of the packet to the list. If the
source address is already in the list, this will update the existing
entry. This will always return success (or failure if `!' is passed
in).
.TP
[\fB!\fR] \fB--rcheck\fR
Check if the source address of the packet is currently in
the list.
.TP
[\fB!\fR] \fB--update\fR
Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
matches.
.TP
[\fB!\fR] \fB--remove\fR
Check if the source address of the packet is currently in the list and
if so that address will be removed from the list and the rule will
return true. If the address is not found, false is returned.
.TP
[\fB!\fR] \fB--seconds \fIseconds\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
\fB--update\fR. When used, this will narrow the match to only happen
when the address is in the list and was seen within the last given
number of seconds.
.TP
[\fB!\fR] \fB--hitcount \fIhits\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
\fB--update\fR. When used, this will narrow the match to only happen
when the address is in the list and at least the given number of
packets have been received from it. This option may be used along with
\fB--seconds\fR to create an even narrower match requiring a certain
number of hits within a specific time frame.
.TP
\fB--rttl\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
\fB--update\fR. When used, this will narrow the match to only happen
when the address is in the list and the TTL of the current packet
matches that of the packet which hit the \fB--set\fR rule. This may be
useful if you have problems with people faking their source address in
order to DoS you via this module, that is, sending you bogus packets so
that other people's addresses end up in the list and they are denied
access to your site.
.P
Examples:
.IP
# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP

# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
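.P
Worked model of the match semantics described above (added here; this is not code from the iptables project): a small Python table that behaves as the text for --set, --rcheck, --update, --remove, --seconds, --hitcount and --rttl says, honours the ip_pkt_list_tot cap, and replays the two example rules over a constructed packet stream. It assumes, as a modelling choice, that the TTL compared by --rttl is the one of the most recent --set packet.

```python
# Model of the iptables 'recent' match, built from the man page text above.
# Constructed example, not the kernel implementation.
class RecentTable:
    def __init__(self, ip_pkt_list_tot=20):
        self.ip_pkt_list_tot = ip_pkt_list_tot  # stamps remembered per address
        self.entries = {}  # src -> {"stamps": [t0, t1, ...], "ttl": n}

    def set(self, src, now, ttl):
        # --set: add the address or refresh an existing entry; always matches.
        e = self.entries.setdefault(src, {"stamps": [], "ttl": ttl})
        e["stamps"].append(now)
        e["ttl"] = ttl  # assumption: TTL of the latest --set packet is kept
        del e["stamps"][:-self.ip_pkt_list_tot]  # keep only the newest stamps
        return True

    def check(self, src, now, ttl, seconds=None, hitcount=None,
              rttl=False, update=False):
        # --rcheck (update=False) or --update (update=True) plus narrowing options.
        e = self.entries.get(src)
        if e is None:
            return False
        if seconds is not None and now - e["stamps"][-1] > seconds:
            return False  # last seen too long ago
        if hitcount is not None:  # stamps in the window, never more than the cap
            window = [t for t in e["stamps"] if seconds is None or now - t <= seconds]
            if len(window) < hitcount:
                return False
        if rttl and ttl != e["ttl"]:
            return False
        if update:  # --update refreshes "last seen" only when the rule matched
            e["stamps"].append(now)
            del e["stamps"][:-self.ip_pkt_list_tot]
        return True

    def remove(self, src):
        return self.entries.pop(src, None) is not None  # --remove


def simulate_badguy(packets, seconds=60):
    """Replay the two example rules over (time, src, dport, ttl) packets."""
    table, verdicts = RecentTable(), []
    for now, src, dport, ttl in packets:
        if table.check(src, now, ttl, seconds=seconds):  # --rcheck --seconds 60 -j DROP
            verdicts.append("DROP")
        elif dport == 139 and table.set(src, now, ttl):  # --dport 139 --set -j DROP
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")
    return verdicts

# Constructed packet stream: (seconds, source address, destination port, TTL)
PACKETS = [(0, "10.0.0.5", 80, 64), (1, "10.0.0.5", 139, 64), (2, "10.0.0.5", 80, 64),
           (70, "10.0.0.5", 80, 64), (71, "10.0.0.9", 80, 64)]
```

Note that with --rcheck the 60-second window is measured from the last --set, so the probing host is accepted again at t=70; with --update in the first rule the window would slide with every matching packet instead.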
.P
Official website (http://snowman.net/projects/ipt_recent/) also has
some examples of usage.

/proc/net/ipt_recent/* are the current lists of addresses and information
about each entry of each list.

Each file in /proc/net/ipt_recent/ can be read from to see the current list
or written to using the following commands to modify the list:
.TP
echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
to add to the DEFAULT list
.TP
echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
to remove from the DEFAULT list
.TP
echo clear > /proc/net/ipt_recent/DEFAULT
to empty the DEFAULT list.
.P
The module itself accepts parameters, defaults shown:
.TP
.BI "ip_list_tot=" "100"
Number of addresses remembered per table
.TP
.BI "ip_pkt_list_tot=" "20"
Number of packets per address remembered
.TP
.BI "ip_list_hash_size=" "0"
Hash table size. 0 means it is calculated from ip_list_tot (default: 512)
.TP
.BI "ip_list_perms=" "0644"
Permissions for /proc/net/ipt_recent/* files
.TP
.BI "debug=" "0"
Set to 1 to get lots of debugging info