Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / iptables / d7282413763b0ba85d512c1cd49174b762ff449c / . / extensions / libxt_recent.man
blob: 0392c2cac9c011cb4af58bb5441b6062f900a09e [file] [log] [blame]
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]1Allows you to dynamically create a list of IP addresses and then match against
2that list in a few different ways.
3.PP
4For example, you can create a "badguy" list out of people attempting to connect
5to port 139 on your firewall and then DROP all future packets from them without
6considering them.
Jan Engelhardt27c8d2a2010-01-19 18:15:19 +0100[diff] [blame]7.PP
8\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
9mutually exclusive.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]10.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]11\fB\-\-name\fP \fIname\fP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]12Specify the list to use for the commands. If no name is given then
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]13\fBDEFAULT\fP will be used.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]14.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]15[\fB!\fP] \fB\-\-set\fP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]16This will add the source address of the packet to the list. If the source
17address is already in the list, this will update the existing entry. This will
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]18always return success (or failure if \fB!\fP is passed in).
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]19.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]20\fB\-\-rsource\fP
Jan Engelhardtd91bd172008-08-13 14:44:30 +0200[diff] [blame]21Match/save the source address of each packet in the recent list table. This
22is the default.
23.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]24\fB\-\-rdest\fP
Jan Engelhardtd91bd172008-08-13 14:44:30 +0200[diff] [blame]25Match/save the destination address of each packet in the recent list table.
26.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]27[\fB!\fP] \fB\-\-rcheck\fP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]28Check if the source address of the packet is currently in the list.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]29.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]30[\fB!\fP] \fB\-\-update\fP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]31Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]32matches.
33.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]34[\fB!\fP] \fB\-\-remove\fP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]35Check if the source address of the packet is currently in the list and if so
36that address will be removed from the list and the rule will return true. If
37the address is not found, false is returned.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]38.TP
Jan Engelhardt27c8d2a2010-01-19 18:15:19 +0100[diff] [blame]39\fB\-\-seconds\fP \fIseconds\fP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]40This option must be used in conjunction with one of \fB\-\-rcheck\fP or
41\fB\-\-update\fP. When used, this will narrow the match to only happen when the
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]42address is in the list and was seen within the last given number of seconds.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]43.TP
Jan Engelhardt27c8d2a2010-01-19 18:15:19 +0100[diff] [blame]44\fB\-\-hitcount\fP \fIhits\fP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]45This option must be used in conjunction with one of \fB\-\-rcheck\fP or
46\fB\-\-update\fP. When used, this will narrow the match to only happen when the
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]47address is in the list and packets had been received greater than or equal to
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]48the given value. This option may be used along with \fB\-\-seconds\fP to create
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]49an even narrower match requiring a certain number of hits within a specific
Jan Engelhardt75736312009-11-17 23:54:29 +0100[diff] [blame]50time frame. The maximum value for the hitcount parameter is given by the
51"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this
52value on the command line will cause the rule to be rejected.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]53.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]54\fB\-\-rttl\fP
55This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
56\fB\-\-update\fP. When used, this will narrow the match to only happen when the
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]57address is in the list and the TTL of the current packet matches that of the
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]58packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]59with people faking their source address in order to DoS you via this module by
60disallowing others access to your site by sending bogus packets to you.
61.PP
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]62Examples:
63.IP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]64iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]65.IP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]66iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]67.PP
68Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]69some examples of usage.
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]70.PP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]71\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]72about each entry of each list.
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]73.PP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]74Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]75list or written two using the following commands to modify the list:
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]76.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]77\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
78to add \fIaddr\fP to the DEFAULT list
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]79.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]80\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]81to remove \fIaddr\fP from the DEFAULT list
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]82.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]83\fBecho / >/proc/net/xt_recent/DEFAULT\fP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]84to flush the DEFAULT list (remove all entries).
85.PP
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]86The module itself accepts parameters, defaults shown:
87.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]88\fBip_list_tot\fP=\fI100\fP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]89Number of addresses remembered per table.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]90.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]91\fBip_pkt_list_tot\fP=\fI20\fP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]92Number of packets per address remembered.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]93.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]94\fBip_list_hash_size\fP=\fI0\fP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]95Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]96.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]97\fBip_list_perms\fP=\fI0644\fP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]98Permissions for /proc/net/xt_recent/* files.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]99.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]100\fBip_list_uid\fP=\fI0\fP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]101Numerical UID for ownership of /proc/net/xt_recent/* files.
102.TP
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]103\fBip_list_gid\fP=\fI0\fP
Jan Engelhardtc7f0e942008-10-22 18:53:57 +0200[diff] [blame]104Numerical GID for ownership of /proc/net/xt_recent/* files.