You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
110 lines
4.3 KiB
110 lines
4.3 KiB
4 months ago
|
Allows you to dynamically create a list of IP addresses and then match against
|
||
|
that list in a few different ways.
|
||
|
.PP
|
||
|
For example, you can create a "badguy" list out of people attempting to connect
|
||
|
to port 139 on your firewall and then DROP all future packets from them without
|
||
|
considering them.
|
||
|
.PP
|
||
|
\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
|
||
|
mutually exclusive.
|
||
|
.TP
|
||
|
\fB\-\-name\fP \fIname\fP
|
||
|
Specify the list to use for the commands. If no name is given then
|
||
|
\fBDEFAULT\fP will be used.
|
||
|
.TP
|
||
|
[\fB!\fP] \fB\-\-set\fP
|
||
|
This will add the source address of the packet to the list. If the source
|
||
|
address is already in the list, this will update the existing entry. This will
|
||
|
always return success (or failure if \fB!\fP is passed in).
|
||
|
.TP
|
||
|
\fB\-\-rsource\fP
|
||
|
Match/save the source address of each packet in the recent list table. This
|
||
|
is the default.
|
||
|
.TP
|
||
|
\fB\-\-rdest\fP
|
||
|
Match/save the destination address of each packet in the recent list table.
|
||
|
.TP
|
||
|
\fB\-\-mask\fP \fInetmask\fP
|
||
|
Netmask that will be applied to this recent list.
|
||
|
.TP
|
||
|
[\fB!\fP] \fB\-\-rcheck\fP
|
||
|
Check if the source address of the packet is currently in the list.
|
||
|
.TP
|
||
|
[\fB!\fP] \fB\-\-update\fP
|
||
|
Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
|
||
|
matches.
|
||
|
.TP
|
||
|
[\fB!\fP] \fB\-\-remove\fP
|
||
|
Check if the source address of the packet is currently in the list and if so
|
||
|
that address will be removed from the list and the rule will return true. If
|
||
|
the address is not found, false is returned.
|
||
|
.TP
|
||
|
\fB\-\-seconds\fP \fIseconds\fP
|
||
|
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
|
||
|
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
|
||
|
address is in the list and was seen within the last given number of seconds.
|
||
|
.TP
|
||
|
\fB\-\-reap\fP
|
||
|
This option can only be used in conjunction with \fB\-\-seconds\fP.
|
||
|
When used, this will cause entries older than the last given number of seconds
|
||
|
to be purged.
|
||
|
.TP
|
||
|
\fB\-\-hitcount\fP \fIhits\fP
|
||
|
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
|
||
|
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
|
||
|
address is in the list and packets had been received greater than or equal to
|
||
|
the given value. This option may be used along with \fB\-\-seconds\fP to create
|
||
|
an even narrower match requiring a certain number of hits within a specific
|
||
|
time frame. The maximum value for the hitcount parameter is given by the
|
||
|
"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this
|
||
|
value on the command line will cause the rule to be rejected.
|
||
|
.TP
|
||
|
\fB\-\-rttl\fP
|
||
|
This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
|
||
|
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
|
||
|
address is in the list and the TTL of the current packet matches that of the
|
||
|
packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
|
||
|
with people faking their source address in order to DoS you via this module by
|
||
|
disallowing others access to your site by sending bogus packets to you.
|
||
|
.PP
|
||
|
Examples:
|
||
|
.IP
|
||
|
iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
|
||
|
.IP
|
||
|
iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
|
||
|
.PP
|
||
|
\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
|
||
|
about each entry of each list.
|
||
|
.PP
|
||
|
Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
|
||
|
list or written two using the following commands to modify the list:
|
||
|
.TP
|
||
|
\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
|
||
|
to add \fIaddr\fP to the DEFAULT list
|
||
|
.TP
|
||
|
\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
|
||
|
to remove \fIaddr\fP from the DEFAULT list
|
||
|
.TP
|
||
|
\fBecho / >/proc/net/xt_recent/DEFAULT\fP
|
||
|
to flush the DEFAULT list (remove all entries).
|
||
|
.PP
|
||
|
The module itself accepts parameters, defaults shown:
|
||
|
.TP
|
||
|
\fBip_list_tot\fP=\fI100\fP
|
||
|
Number of addresses remembered per table.
|
||
|
.TP
|
||
|
\fBip_pkt_list_tot\fP=\fI20\fP
|
||
|
Number of packets per address remembered.
|
||
|
.TP
|
||
|
\fBip_list_hash_size\fP=\fI0\fP
|
||
|
Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
|
||
|
.TP
|
||
|
\fBip_list_perms\fP=\fI0644\fP
|
||
|
Permissions for /proc/net/xt_recent/* files.
|
||
|
.TP
|
||
|
\fBip_list_uid\fP=\fI0\fP
|
||
|
Numerical UID for ownership of /proc/net/xt_recent/* files.
|
||
|
.TP
|
||
|
\fBip_list_gid\fP=\fI0\fP
|
||
|
Numerical GID for ownership of /proc/net/xt_recent/* files.
|