-   Linux - Newbie (
-   -   Confused about learning iptables recent module (

veeruk101 10-31-2011 12:33 PM

Confused about learning iptables recent module
I'm using the iptables recent module to limit too frequent connections to SSH on my machine, but I have some questions about it:

What exactly is the difference between --rcheck and --update? I know update updates the last-seen time and results in a requirement of a 'quiet time' before the next packet can be accepted, but I'm having a hard time understanding this and seeing how it's different from how rcheck behaves. Would anyone who has experience with this module be able to dumb it down and simplify it for me?

My next question is about the following line, which is from the author's website. Why in this case is the update/rcheck rule BEFORE the --set rule? In all other examples I've seen, including the other examples from online I've pasted below it, the --set rule comes first. What difference does this make?

iptables -A FORWARD -m recent --update --seconds 60 -j DROP
iptables -A FORWARD -i eth0 -d -m recent --set -j DROP

iptables -t filter -I BADGUY -m recent --set --name badguys

iptables -A INPUT -i $OUTS -p tcp --syn --dport ssh -m recent --name ssh --set
iptables -A INPUT -i $OUTS -p tcp --syn --dport ssh -m recent --name ssh --rcheck --seconds 300 --hitcount 6 -j BADGUY
iptables -A INPUT -i $OUTS -p tcp --syn --dport ssh -m recent --name ssh --rcheck --seconds  30 --hitcount 2 -j DROP

iptables -A ssh -m recent --update --name blacklist --seconds 600 --hitcount 1 -j DROP

iptables -A ssh -m recent --set --name counting1
iptables -A ssh -m recent --set --name counting2
iptables -A ssh -m recent --set --name counting3
iptables -A ssh -m recent --set --name counting4

iptables -A ssh -m recent --update --name counting1 --seconds 20 --hitcount 3 -j blacklist
iptables -A ssh -m recent --update --name counting2 --seconds 200 --hitcount 15 -j blacklist
iptables -A ssh -m recent --update --name counting3 --seconds 2000 --hitcount 80 -j blacklist
iptables -A ssh -m recent --update --name counting4 --seconds 20000 --hitcount 400 -j blacklist

The above 2 examples both use multiple allowed rates that need to be met before allowing a packet - the first of the 2 allows less than 6 hits in 300 seconds or 2 in 30 seconds, while the second one has 4 different rates. The tutorial for the first one specified that the 300 seconds rule needed to come before the 30 seconds rule otherwise it wouldn't work right, whereas the second one lists the rules in the opposite direction, so I'm not sure why it would work...

Also the second one has created 4 different --name's for its rates (e.g. counting1, counting2...), but the first one uses 'ssh' as its --name for both rates. Which one should I consider when using this module with multiple rates?

I'm COMPLETELY confused by all this, I'd really appreciate it if someone who really understands how this works can explain it in clear terms. I'd like to have a grasp of this for my own learning and so that I can feel more confident when writing my own rules using this module of iptables. Thank you so much.

serafean 11-01-2011 12:22 PM

1) AFAIK --rcheck only checks if the address is in the list, without updating the timestamp. --update also updates the timestamp. That's the only difference. As is written on the page : with rcheck, no matter how much bombarding you get, after the specified delay the address will be removed from the blacklist and a packet will make it through to a rule with -set (or -update). If you use --update, every incoming packet resets the delay.

2) The first line directly blocks (an resets the timeout) the address if it is in the list, not even bothering to check whether the initial conditions for blacklisting are met. IE : "you got on the list, and are still trying to connect to me (no matter through wich device/port)? timeout reset." The second line defines how to get on the list. In this case, I think it would work the same if you switched the lines.
I haven't found any specific reason to have it this way, except for optimization : imagine many (let's say 100+) conditions of how to get on the list, if someone fails to pass the last one, not having a rule like this at the beginning would make iptables match the incoming packet to all preceding rules, to finally discard it. This way, once you're on the list, we don't even bother to check if you're doing something nasty, you're just blocked. If anyone has a better answer, I'm all ears.

3)The 300 second rule checks whether the address is in the ssh list, and if it is, and there are more than 6 packets/300s, it also gets added to the badguy list (specified by --name in the BADGUY target [ -j BADGUY] ). I'd call this scaling up the timeout : you get on the blacklist ( 2hits/30 seconds), you're blocked for 30s, only on the ssh list. You still try to connect, and work up to 6hits/600s, you get on the badguys list, for which there could be different rules. If you put the 2hits/30s before the 6hits/300s, the address could never work its way up to the badguys list.

4) A --name specifies the name of the list to use for blacklisting, here each rule has its own list, and they are not interconnected. This rule lists every packet into all 4 lists.if it matches either of the hits/s, it gets promoted to the "blacklist" which drops all packets (1st line).

To sum up : it depends on what you want to do. The general thing to remember is that the rules are matched one after the other, and that once a packet gets dropped, there the matching stops.
With recent, you can specify more than one list, and can mix and match rules promoting packets from one list to the other, there the order of the rules is extremely important, otherwise the promoting goes wrong.
For high traffic servers, the earlier a packet gets discarded, the better, keep that in mind (might be corrected on this one, just my opinion).
Read the iptables/recent man page. (Print it out, read it at the bus stop/wherever and think about what you want to do (I did that, just thinking about things does wonders)).

I hope I explained at least a bit and that this explanation attempt somewhat clears up your questions


All times are GMT -5. The time now is 09:21 AM.