Allows you to dynamically create a list of IP addresses and then match against
that list in a few different ways.
.PP
For example, you can create a "badguy" list out of people attempting to connect
to port 139 on your firewall and then DROP all future packets from them without
considering them.
.PP
\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
mutually exclusive.
.TP
\fB\-\-name\fP \fIname\fP
Specify the list to use for the commands. If no name is given then
\fBDEFAULT\fP will be used.
.TP
[\fB!\fP] \fB\-\-set\fP
This will add the source address of the packet to the list. If the source
address is already in the list, this will update the existing entry. This will
always return success (or failure if \fB!\fP is passed in).
.TP
\fB\-\-rsource\fP
Match/save the source address of each packet in the recent list table. This
is the default.
.TP
\fB\-\-rdest\fP
Match/save the destination address of each packet in the recent list table.
.TP
[\fB!\fP] \fB\-\-rcheck\fP
Check if the source address of the packet is currently in the list.
.TP
[\fB!\fP] \fB\-\-update\fP
Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
matches.
.TP
[\fB!\fP] \fB\-\-remove\fP
Check if the source address of the packet is currently in the list; if so,
that address will be removed from the list and the rule will return true. If
the address is not found, false is returned.
.TP
\fB\-\-seconds\fP \fIseconds\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
\fB\-\-hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and the number of packets received from it is greater
than or equal to the given value. This option may be used along with
\fB\-\-seconds\fP to create an even narrower match requiring a certain number
of hits within a specific time frame. The maximum value for the hitcount
parameter is given by the "ip_pkt_list_tot" parameter of the xt_recent kernel
module. Exceeding this value on the command line will cause the rule to be
rejected.
.TP
\fB\-\-rttl\fP
This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and the TTL of the current packet matches that of the
packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
with people faking their source address in order to DoS you via this module by
disallowing others access to your site by sending bogus packets to you.
.PP
Examples:
.IP
iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
.IP
iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
.PP
Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
some examples of usage.
.PP
\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
about each entry of each list.
.PP
Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
list or written to using the following commands to modify the list:
.TP
\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
to add \fIaddr\fP to the DEFAULT list
.TP
\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
to remove \fIaddr\fP from the DEFAULT list
.TP
\fBecho / >/proc/net/xt_recent/DEFAULT\fP
to flush the DEFAULT list (remove all entries).
.PP
The module itself accepts parameters, defaults shown:
.TP
\fBip_list_tot\fP=\fI100\fP
Number of addresses remembered per table.
.TP
\fBip_pkt_list_tot\fP=\fI20\fP
Number of packets per address remembered.
.TP
\fBip_list_hash_size\fP=\fI0\fP
Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
.TP
\fBip_list_perms\fP=\fI0644\fP
Permissions for /proc/net/xt_recent/* files.
.TP
\fBip_list_uid\fP=\fI0\fP
Numerical UID for ownership of /proc/net/xt_recent/* files.
.TP
\fBip_list_gid\fP=\fI0\fP
Numerical GID for ownership of /proc/net/xt_recent/* files.