| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112 |
- Allows you to dynamically create a list of IP addresses and then match against
- that list in a few different ways.
- .PP
- For example, you can create a "badguy" list out of people attempting to connect
- to port 139 on your firewall and then DROP all future packets from them without
- considering them.
- .PP
- \fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
- mutually exclusive.
- .TP
- \fB\-\-name\fP \fIname\fP
- Specify the list to use for the commands. If no name is given then
- \fBDEFAULT\fP will be used.
- .TP
- [\fB!\fP] \fB\-\-set\fP
- This will add the source address of the packet to the list. If the source
- address is already in the list, this will update the existing entry. This will
- always return success (or failure if \fB!\fP is passed in).
- .TP
- \fB\-\-rsource\fP
- Match/save the source address of each packet in the recent list table. This
- is the default.
- .TP
- \fB\-\-rdest\fP
- Match/save the destination address of each packet in the recent list table.
- .TP
- \fB\-\-mask\fPnetmask
- Netmask that will be applied to this recent list.
- .TP
- [\fB!\fP] \fB\-\-rcheck\fP
- Check if the source address of the packet is currently in the list.
- .TP
- [\fB!\fP] \fB\-\-update\fP
- Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
- matches.
- .TP
- [\fB!\fP] \fB\-\-remove\fP
- Check if the source address of the packet is currently in the list and if so
- that address will be removed from the list and the rule will return true. If
- the address is not found, false is returned.
- .TP
- \fB\-\-seconds\fP \fIseconds\fP
- This option must be used in conjunction with one of \fB\-\-rcheck\fP or
- \fB\-\-update\fP. When used, this will narrow the match to only happen when the
- address is in the list and was seen within the last given number of seconds.
- .TP
- \fB\-\-reap\fP
- This option can only be used in conjunction with \fB\-\-seconds\fP.
- When used, this will cause entries older than the last given number of seconds
- to be purged.
- .TP
- \fB\-\-hitcount\fP \fIhits\fP
- This option must be used in conjunction with one of \fB\-\-rcheck\fP or
- \fB\-\-update\fP. When used, this will narrow the match to only happen when the
- address is in the list and packets had been received greater than or equal to
- the given value. This option may be used along with \fB\-\-seconds\fP to create
- an even narrower match requiring a certain number of hits within a specific
- time frame. The maximum value for the hitcount parameter is given by the
- "ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this
- value on the command line will cause the rule to be rejected.
- .TP
- \fB\-\-rttl\fP
- This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
- \fB\-\-update\fP. When used, this will narrow the match to only happen when the
- address is in the list and the TTL of the current packet matches that of the
- packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
- with people faking their source address in order to DoS you via this module by
- disallowing others access to your site by sending bogus packets to you.
- .PP
- Examples:
- .IP
- iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
- .IP
- iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
- .PP
- Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
- some examples of usage.
- .PP
- \fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
- about each entry of each list.
- .PP
- Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
- list or written two using the following commands to modify the list:
- .TP
- \fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
- to add \fIaddr\fP to the DEFAULT list
- .TP
- \fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
- to remove \fIaddr\fP from the DEFAULT list
- .TP
- \fBecho / >/proc/net/xt_recent/DEFAULT\fP
- to flush the DEFAULT list (remove all entries).
- .PP
- The module itself accepts parameters, defaults shown:
- .TP
- \fBip_list_tot\fP=\fI100\fP
- Number of addresses remembered per table.
- .TP
- \fBip_pkt_list_tot\fP=\fI20\fP
- Number of packets per address remembered.
- .TP
- \fBip_list_hash_size\fP=\fI0\fP
- Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
- .TP
- \fBip_list_perms\fP=\fI0644\fP
- Permissions for /proc/net/xt_recent/* files.
- .TP
- \fBip_list_uid\fP=\fI0\fP
- Numerical UID for ownership of /proc/net/xt_recent/* files.
- .TP
- \fBip_list_gid\fP=\fI0\fP
- Numerical GID for ownership of /proc/net/xt_recent/* files.
|
