libxt_recent.man revision 79ddbf202a06e6f018e087a328c2ca91e65a8463
Allows you to dynamically create a list of IP addresses and then match against
that list in a few different ways.
.PP
For example, you can create a "badguy" list out of people attempting to connect
to port 139 on your firewall and then DROP all future packets from them without
considering them.
.PP
\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
mutually exclusive.
.TP
\fB\-\-name\fP \fIname\fP
Specify the list to use for the commands. If no name is given then
\fBDEFAULT\fP will be used.
.TP
[\fB!\fP] \fB\-\-set\fP
This will add the source address of the packet to the list. If the source
address is already in the list, this will update the existing entry. This will
always return success (or failure if \fB!\fP is passed in).
.TP
\fB\-\-rsource\fP
Match/save the source address of each packet in the recent list table. This
is the default.
.TP
\fB\-\-rdest\fP
Match/save the destination address of each packet in the recent list table.
.TP
[\fB!\fP] \fB\-\-rcheck\fP
Check if the source address of the packet is currently in the list.
.TP
[\fB!\fP] \fB\-\-update\fP
Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
matches.
.TP
[\fB!\fP] \fB\-\-remove\fP
Check if the source address of the packet is currently in the list and if so
that address will be removed from the list and the rule will return true. If
the address is not found, false is returned.
.TP
\fB\-\-seconds\fP \fIseconds\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
\fB\-\-reap\fP
This option can only be used in conjunction with \fB\-\-seconds\fP.
When used, this will cause entries older than the last given number of seconds
to be purged.
.TP
\fB\-\-hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and the number of packets received from it is greater
than or equal to the given value. This option may be used along with
\fB\-\-seconds\fP to create an even narrower match requiring a certain number
of hits within a specific time frame. The maximum value for the hitcount
parameter is given by the "ip_pkt_list_tot" parameter of the xt_recent kernel
module. Exceeding this value on the command line will cause the rule to be
rejected.
.TP
\fB\-\-rttl\fP
This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and the TTL of the current packet matches that of the
packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
with people faking their source address in order to DoS you via this module,
denying others access to your site by sending you bogus packets.
.PP
Examples:
.IP
iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
.IP
iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
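.PP
An added example, not part of the iptables man page: a small POSIX shell helper that emits the \-\-set / \-\-update \-\-seconds \-\-hitcount rate-limiting rule pair for a TCP port, and refuses a hitcount larger than ip_pkt_list_tot, which the kernel would reject. The sysfs path used to read the module parameter and the \-\-syn option of the tcp match are assumptions not taken from this page.

```shell
#!/bin/sh
# Added example, not iptables project code. Builds a "recent"-based
# connection-rate limit and validates --hitcount against ip_pkt_list_tot.

# Read the module parameter from sysfs when available (assumed path);
# fall back to the documented default of 20.
recent_pkt_list_tot() {
    f=/sys/module/xt_recent/parameters/ip_pkt_list_tot
    if [ -r "$f" ]; then cat "$f"; else echo 20; fi
}

# validate_hitcount HITS LIMIT: succeed only if 1 <= HITS <= LIMIT.
validate_hitcount() {
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ]
}

# recent_ratelimit_rules NAME PORT SECONDS HITS [LIMIT]
# Prints two iptables commands (does not execute them). Returns 1 if the
# hitcount exceeds the limit, because the kernel would reject the rule.
recent_ratelimit_rules() {
    name=$1; port=$2; secs=$3; hits=$4; limit=${5:-$(recent_pkt_list_tot)}
    validate_hitcount "$hits" "$limit" || {
        echo "hitcount $hits exceeds ip_pkt_list_tot=$limit" >&2
        return 1
    }
    # Every new connection attempt (SYN) records or refreshes the source
    # address in the named list.
    printf 'iptables -A INPUT -p tcp --syn --dport %s -m recent --name %s --set\n' \
        "$port" "$name"
    # Drop once the address has been seen HITS or more times within SECS;
    # --update refreshes "last seen" and --rttl guards against spoofed sources.
    printf 'iptables -A INPUT -p tcp --syn --dport %s -m recent --name %s --update --seconds %s --hitcount %s --rttl -j DROP\n' \
        "$port" "$name" "$secs" "$hits"
}
```

Run as root to apply: `recent_ratelimit_rules ssh 22 60 4 | sh`.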
.PP
Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
some examples of usage.
.PP
\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
about each entry of each list.
.PP
Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
list or written to using the following commands to modify the list:
.TP
\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
to add \fIaddr\fP to the DEFAULT list
.TP
\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
to remove \fIaddr\fP from the DEFAULT list
.TP
\fBecho / >/proc/net/xt_recent/DEFAULT\fP
to flush the DEFAULT list (remove all entries).
.PP
The module itself accepts parameters, defaults shown:
.TP
\fBip_list_tot\fP=\fI100\fP
Number of addresses remembered per table.
.TP
\fBip_pkt_list_tot\fP=\fI20\fP
Number of packets per address remembered.
.TP
\fBip_list_hash_size\fP=\fI0\fP
Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
.TP
\fBip_list_perms\fP=\fI0644\fP
Permissions for /proc/net/xt_recent/* files.
.TP
\fBip_list_uid\fP=\fI0\fP
Numerical UID for ownership of /proc/net/xt_recent/* files.
.TP
\fBip_list_gid\fP=\fI0\fP
Numerical GID for ownership of /proc/net/xt_recent/* files.