1) AFAIK --rcheck only checks if the address is in the list, without updating the timestamp. --update also updates the timestamp. That's the only difference. As is written on the page : with rcheck, no matter how much bombarding you get, after the specified delay the address will be removed from the blacklist and a packet will make it through to a rule with -set (or -update). If you use --update, every incoming packet resets the delay.
2) The first line directly blocks (an resets the timeout) the address if it is in the list, not even bothering to check whether the initial conditions for blacklisting are met. IE : "you got on the list, and are still trying to connect to me (no matter through wich device/port)? timeout reset." The second line defines how to get on the list. In this case, I think it would work the same if you switched the lines.
I haven't found any specific reason to have it this way, except for optimization : imagine many (let's say 100+) conditions of how to get on the list, if someone fails to pass the last one, not having a rule like this at the beginning would make iptables match the incoming packet to all preceding rules, to finally discard it. This way, once you're on the list, we don't even bother to check if you're doing something nasty, you're just blocked. If anyone has a better answer, I'm all ears.
3)The 300 second rule checks whether the address is in the ssh list, and if it is, and there are more than 6 packets/300s, it also gets added to the badguy list (specified by --name in the BADGUY target [ -j BADGUY] ). I'd call this scaling up the timeout : you get on the blacklist ( 2hits/30 seconds), you're blocked for 30s, only on the ssh list. You still try to connect, and work up to 6hits/600s, you get on the badguys list, for which there could be different rules. If you put the 2hits/30s before the 6hits/300s, the address could never work its way up to the badguys list.
4) A --name specifies the name of the list to use for blacklisting, here each rule has its own list, and they are not interconnected. This rule lists every packet into all 4 lists.if it matches either of the hits/s, it gets promoted to the "blacklist" which drops all packets (1st line).
To sum up : it depends on what you want to do. The general thing to remember is that the rules are matched one after the other, and that once a packet gets dropped, there the matching stops.
With recent, you can specify more than one list, and can mix and match rules promoting packets from one list to the other, there the order of the rules is extremely important, otherwise the promoting goes wrong.
For high traffic servers, the earlier a packet gets discarded, the better, keep that in mind (might be corrected on this one, just my opinion).
Read the iptables/recent man page. (Print it out, read it at the bus stop/wherever and think about what you want to do (I did that, just thinking about things does wonders)).
I hope I explained at least a bit and that this explanation attempt somewhat clears up your questions
Serafean
Last edited by serafean; 11-01-2011 at 11:23 AM.
|