
Re: Trying to understand iptables



From the iptables man-page, zipping down to the section documenting
the  "recent" module:

       [!] --seconds seconds
              This option must be used in conjunction with one of --rcheck or
              --update. When used, this will narrow the match to only happen
              when the address is in the list and was seen within the last
              given number of seconds.

and

       [!] --set
              This will add the source address of the packet to the list. If
              the source address is already in the list, this will update the
              existing entry. This will always return success (or failure if
              '!' is passed in).

What is slightly confusing is using -I (rather than -A) for the
examples. -I used in this way inserts the rule at the *head* of the
list. So, in this example, the second line is executed first, then the
first one. I presume this was done so that packets arriving once you
have entered the first command are not dropped until you've entered
the second line.

So

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
 --update --seconds 60 --hitcount 4 -j DROP

* if the packet is tcp and dest port 22 on iface eth0 and is a NEW connection
* if the source IP is in our recent table already
* if the entry was last seen 60 or less seconds ago, only (--seconds 60)
* if the entry has been seen at least 4 times already (--hitcount 4)
* update the recorded time of the last packet in the table to now
* drop this packet

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
 --set

At this point, we can assume the packet was *not* in the table above
with an entry fresher than 60 seconds or 4 hits. This just adds it to
the table, but lets the packet pass through.

2008/7/31 Michael S. Peek <peek@tiem.utk.edu>:
> Or to put it another way, how does iptables know how long to remember a
> recent connection?  And can I change that?

That's what the '60' is after --seconds in the second command (first to execute).



-- 
Jon Dowland
http://jmtd.net/
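The rule-ordering point made above is easy to get wrong, so here is a small simulation of the "recent" match (--set, --update, --seconds, --hitcount) walked over a constructed burst of NEW SSH connection attempts. This is an added example, not code from the mail or from the iptables/netfilter project; it models the kernel's xt_recent bookkeeping as I understand it (every --set, and every --update that matches, records a new "last seen" timestamp for the address, up to the default of 20 stamps; --hitcount counts the stamps that fall inside the --seconds window). The source address and timestamps are made up, and the chain's default policy is assumed to be ACCEPT.

```python
"""Simulate iptables -m recent (--set / --update --seconds --hitcount) over a
constructed sequence of NEW tcp/22 packets, in both rule orders: the order
two -I commands leave in the chain (last inserted rule first) and the order
-A would give. Added example modelled on xt_recent; not the project's code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MAX_STAMPS = 20  # xt_recent keeps ip_pkt_list_tot timestamps per address (default 20)


class RecentList:
    """One named 'recent' table: source address -> timestamps it was seen at."""

    def __init__(self) -> None:
        self.entries: dict[str, list[float]] = {}

    def _record(self, addr: str, now: float) -> None:
        stamps = self.entries.setdefault(addr, [])
        stamps.append(now)
        del stamps[:-MAX_STAMPS]  # keep only the newest MAX_STAMPS entries

    def set(self, addr: str, now: float) -> bool:
        """--set: add the address or refresh its entry; always matches."""
        self._record(addr, now)
        return True

    def update(self, addr: str, now: float,
               seconds: Optional[float] = None, hitcount: int = 0) -> bool:
        """--update [--seconds N] [--hitcount M]: match when the address is in
        the list with at least M stamps inside the last N seconds (no --seconds
        means all stamps count). Unlike --rcheck, a match refreshes the entry."""
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if seconds is None or s >= now - seconds)
        matched = hits >= max(hitcount, 1)
        if matched:
            self._record(addr, now)
        return matched


@dataclass
class Rule:
    mode: str                  # "set" or "update"
    target: Optional[str]      # "DROP", or None for a rule without -j (fall through)
    seconds: Optional[float] = None
    hitcount: int = 0


def run_chain(rules: list[Rule], packets: list[tuple[str, float]],
              policy: str = "ACCEPT") -> list[str]:
    """Walk each (source, time) packet through the chain top to bottom, as the
    INPUT chain would for NEW tcp/22 packets on eth0, and return the verdicts."""
    table = RecentList()
    verdicts = []
    for src, now in packets:
        verdict = policy
        for rule in rules:
            if rule.mode == "set":
                matched = table.set(src, now)
            else:
                matched = table.update(src, now, rule.seconds, rule.hitcount)
            if matched and rule.target is not None:
                verdict = rule.target  # terminating target: stop walking the chain
                break
        verdicts.append(verdict)
    return verdicts


SET_RULE = Rule("set", None)
LIMIT_RULE = Rule("update", "DROP", seconds=60, hitcount=4)

# What the two -I commands in the mail leave in the chain: the --set rule was
# inserted last, so it sits at the head, above the --update/DROP rule.
CHAIN_AS_INSERTED = [SET_RULE, LIMIT_RULE]
# What you get by running the same two commands with -A instead.
CHAIN_AS_APPENDED = [LIMIT_RULE, SET_RULE]

# Constructed sample: six NEW attempts from one source ten seconds apart, then
# one more after the 60-second window has expired.
ATTEMPTS = [("192.0.2.10", t) for t in (0, 10, 20, 30, 40, 50)] + [("192.0.2.10", 130)]


def demo() -> dict[str, list[str]]:
    return {
        "inserted": run_chain(CHAIN_AS_INSERTED, ATTEMPTS),
        "appended": run_chain(CHAIN_AS_APPENDED, ATTEMPTS),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:9s}", verdicts)
```

With the --set rule at the head, every attempt is recorded before the counting rule sees it, so the fourth attempt inside 60 seconds is already the fourth hit and is dropped; with the DROP rule first, the counting happens before the record is refreshed, so the fifth attempt is the first one dropped. In both orders the source is allowed through again once the window has passed, which is the "how long does it remember" behaviour the --seconds value controls.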

