Mod recent blocked related question (netfilter). WHO IS BLOCKED

CarLost · 07-24-2008, 04:24 PM

I got a question to those who are using mod recent to block dynamically some IPs

I'm used it to block SMTP traffic (tcp:25) but I need a way to know who is bloqued, since mod recent put every single IP and block only the one who match a criteria.

Very thanks.!!!

PD: Sorry 4 bad English, I think I'm improving on that!

win32sux · 07-24-2008, 05:48 PM

You could probably start by looking in the /proc/net/ipt_recent directory.

estabroo · 07-24-2008, 06:37 PM

Instead of having recent do the drop directly instead send it to another section where it does a log then drop.

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG_THEN_DROP

iptables -A LOG_THEN_DROP -j LOG --log-level 7 --log-prefix "recent drop:"
iptables -A LOG_THEN_DROP -j DROP

CarLost · 07-25-2008, 02:28 PM

Quote:

Originally Posted by estabroo

Instead of having recent do the drop directly instead send it to another section where it does a log then drop.

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG_THEN_DROP

iptables -A LOG_THEN_DROP -j LOG --log-level 7 --log-prefix "recent drop:"
iptables -A LOG_THEN_DROP -j DROP

Thanks I actually log on that way, but also I log a thousands of other (new)connections (audit) ... I mean, I have daily log of 2 or 3 GB so, I want to get the instant information about who ones are blocked at this moment.-

I'll put that I have right now!

Code:

iptables -A FORWARD  -p tcp --syn --dport 25 -m state --state NEW,INVALID -m recent --name MadMail --set
iptables -A FORWARD  -p tcp --syn --dport 25 -m state --state NEW,INVALID -m recent --seconds 20 --hitcount 5 --name MadMail --rcheck -j LOG --log-prefix "Blocked Mail--> "
iptables -A FORWARD  -p tcp --syn --dport 25 -m state --state NEW,INVALID -m recent --seconds 20 --hitcount 5 --name MadMail --update -j REJECT

Has I say before (but edited, who know why) Mod Recent put every single IP on the file "/proc/net/ipt_recent/MadMail" and upgrade only the "last seen" by some "machine_time" (or tic time) so, it is very hard to find who is blocked on a "right_now" query...

Any ideas? this may help to someone else to.

My log file is a really big file (take about half hour to compress every day) may you can provide a way to get the last 20 seconds and take off the blocked IPs of this file (grep, awk, sed etc. I know in some way how to work with this, but the last n seconds go far from my aknlge.)

Again thanks.

estabroo · 07-26-2008, 06:40 PM

You could use tail to get the last n lines of the log that would give you a good estimate of who was blocked recently.

CarLost · 07-28-2008, 08:28 AM

Yes thanks, I think this may be the only way for now..

Thanks

C.

CarLost · 07-29-2008, 03:53 PM

Hi, again

I made a little script to display the last blocked IPs from the iptables.log file

to anyone who want it!

Code:

#!/bin/bash
# Revisar correos bloqueados

FBl='/tmp/BlMail.txt'
tmpFile='/tmp/bltemp.txt'
echo -e "Primer Intento | Ultimo Intento | IP Origen | Intentos" > $FBl
tail -10000 /var/log/iptables.log | grep Mail | awk '{print $3 " " $8}' > $tmpFile
echo Trabajando espere 1/2 min......
for IP_n in `cat $tmpFile | awk '{print $2}' | sed s/SRC=//g`; do
        if ! `grep $IP_n $FBl > /dev/null`  ; then
          count=`grep -c $IP_n $tmpFile`
          first=`grep $IP_n $tmpFile | head -1 | awk '{print $1}'`
          last=`grep $IP_n $tmpFile | tail -1 | awk '{print $1}'`
          echo -e $first'\t'$last'\t'$IP_n'        \t'$count >> $FBl
        fi
done
cat $FBl
read

Bye