iptables/extensions/libxt_recent.man

*a71a9546SAutomerger Merge WorkerAllows you to dynamically create a list of IP addresses and then match against
*a71a9546SAutomerger Merge Workerthat list in a few different ways.
*a71a9546SAutomerger Merge Worker.PP
*a71a9546SAutomerger Merge WorkerFor example, you can create a "badguy" list out of people attempting to connect
*a71a9546SAutomerger Merge Workerto port 139 on your firewall and then DROP all future packets from them without
*a71a9546SAutomerger Merge Workerconsidering them.
*a71a9546SAutomerger Merge Worker.PP
*a71a9546SAutomerger Merge Worker\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
*a71a9546SAutomerger Merge Workermutually exclusive.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fB\-\-name\fP \fIname\fP
*a71a9546SAutomerger Merge WorkerSpecify the list to use for the commands. If no name is given then
*a71a9546SAutomerger Merge Worker\fBDEFAULT\fP will be used.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-set\fP
*a71a9546SAutomerger Merge WorkerThis will add the source address of the packet to the list. If the source
*a71a9546SAutomerger Merge Workeraddress is already in the list, this will update the existing entry. This will
*a71a9546SAutomerger Merge Workeralways return success (or failure if \fB!\fP is passed in).
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fB\-\-rsource\fP
*a71a9546SAutomerger Merge WorkerMatch/save the source address of each packet in the recent list table. This
*a71a9546SAutomerger Merge Workeris the default.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fB\-\-rdest\fP
*a71a9546SAutomerger Merge WorkerMatch/save the destination address of each packet in the recent list table.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fB\-\-mask\fP \fInetmask\fP
*a71a9546SAutomerger Merge WorkerNetmask that will be applied to this recent list.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-rcheck\fP
*a71a9546SAutomerger Merge WorkerCheck if the source address of the packet is currently in the list.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-update\fP
*a71a9546SAutomerger Merge WorkerLike \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
*a71a9546SAutomerger Merge Workermatches.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-remove\fP
*a71a9546SAutomerger Merge WorkerCheck if the source address of the packet is currently in the list and if so
*a71a9546SAutomerger Merge Workerthat address will be removed from the list and the rule will return true. If
*a71a9546SAutomerger Merge Workerthe address is not found, false is returned.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fB\-\-seconds\fP \fIseconds\fP
*a71a9546SAutomerger Merge WorkerThis option must be used in conjunction with one of \fB\-\-rcheck\fP or
*a71a9546SAutomerger Merge Worker\fB\-\-update\fP. When used, this will narrow the match to only happen when the
*a71a9546SAutomerger Merge Workeraddress is in the list and was seen within the last given number of seconds.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fB\-\-reap\fP
*a71a9546SAutomerger Merge WorkerThis option can only be used in conjunction with \fB\-\-seconds\fP.
*a71a9546SAutomerger Merge WorkerWhen used, this will cause entries older than the last given number of seconds
*a71a9546SAutomerger Merge Workerto be purged.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fB\-\-hitcount\fP \fIhits\fP
*a71a9546SAutomerger Merge WorkerThis option must be used in conjunction with one of \fB\-\-rcheck\fP or
*a71a9546SAutomerger Merge Worker\fB\-\-update\fP. When used, this will narrow the match to only happen when the
*a71a9546SAutomerger Merge Workeraddress is in the list and packets had been received greater than or equal to
*a71a9546SAutomerger Merge Workerthe given value. This option may be used along with \fB\-\-seconds\fP to create
*a71a9546SAutomerger Merge Workeran even narrower match requiring a certain number of hits within a specific
*a71a9546SAutomerger Merge Workertime frame. The maximum value for the hitcount parameter is given by the
*a71a9546SAutomerger Merge Worker"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this
*a71a9546SAutomerger Merge Workervalue on the command line will cause the rule to be rejected.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fB\-\-rttl\fP
*a71a9546SAutomerger Merge WorkerThis option may only be used in conjunction with one of \fB\-\-rcheck\fP or
*a71a9546SAutomerger Merge Worker\fB\-\-update\fP. When used, this will narrow the match to only happen when the
*a71a9546SAutomerger Merge Workeraddress is in the list and the TTL of the current packet matches that of the
*a71a9546SAutomerger Merge Workerpacket which hit the \fB\-\-set\fP rule. This may be useful if you have problems
*a71a9546SAutomerger Merge Workerwith people faking their source address in order to DoS you via this module by
*a71a9546SAutomerger Merge Workerdisallowing others access to your site by sending bogus packets to you.
*a71a9546SAutomerger Merge Worker.PP
*a71a9546SAutomerger Merge WorkerExamples:
*a71a9546SAutomerger Merge Worker.IP
*a71a9546SAutomerger Merge Workeriptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
*a71a9546SAutomerger Merge Worker.IP
*a71a9546SAutomerger Merge Workeriptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
*a71a9546SAutomerger Merge Worker.PP
*a71a9546SAutomerger Merge Worker\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
*a71a9546SAutomerger Merge Workerabout each entry of each list.
*a71a9546SAutomerger Merge Worker.PP
*a71a9546SAutomerger Merge WorkerEach file in \fB/proc/net/xt_recent/\fP can be read from to see the current
*a71a9546SAutomerger Merge Workerlist or written two using the following commands to modify the list:
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
*a71a9546SAutomerger Merge Workerto add \fIaddr\fP to the DEFAULT list
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
*a71a9546SAutomerger Merge Workerto remove \fIaddr\fP from the DEFAULT list
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fBecho / >/proc/net/xt_recent/DEFAULT\fP
*a71a9546SAutomerger Merge Workerto flush the DEFAULT list (remove all entries).
*a71a9546SAutomerger Merge Worker.PP
*a71a9546SAutomerger Merge WorkerThe module itself accepts parameters, defaults shown:
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fBip_list_tot\fP=\fI100\fP
*a71a9546SAutomerger Merge WorkerNumber of addresses remembered per table.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fBip_pkt_list_tot\fP=\fI20\fP
*a71a9546SAutomerger Merge WorkerNumber of packets per address remembered.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fBip_list_hash_size\fP=\fI0\fP
*a71a9546SAutomerger Merge WorkerHash table size. 0 means to calculate it based on ip_list_tot, default: 512.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fBip_list_perms\fP=\fI0644\fP
*a71a9546SAutomerger Merge WorkerPermissions for /proc/net/xt_recent/* files.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fBip_list_uid\fP=\fI0\fP
*a71a9546SAutomerger Merge WorkerNumerical UID for ownership of /proc/net/xt_recent/* files.
*a71a9546SAutomerger Merge Worker.TP
*a71a9546SAutomerger Merge Worker\fBip_list_gid\fP=\fI0\fP
*a71a9546SAutomerger Merge WorkerNumerical GID for ownership of /proc/net/xt_recent/* files.