Allows you to dynamically create a list of IP addresses and then match against
that list in a few different ways.
.PP
For example, you can create a "badguy" list out of people attempting to connect
to port 139 on your firewall and then DROP all future packets from them without
considering them.
.PP
\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
mutually exclusive.
.TP
\fB\-\-name\fP \fIname\fP
Specify the list to use for the commands. If no name is given then
\fBDEFAULT\fP will be used.
.TP
[\fB!\fP] \fB\-\-set\fP
This will add the source address of the packet to the list. If the source
address is already in the list, this will update the existing entry. This will
always return success (or failure if \fB!\fP is passed in).
.TP
\fB\-\-rsource\fP
Match/save the source address of each packet in the recent list table. This
is the default.
.TP
\fB\-\-rdest\fP
Match/save the destination address of each packet in the recent list table.
.TP
\fB\-\-mask\fP \fInetmask\fP
Netmask that will be applied to this recent list.
.TP
[\fB!\fP] \fB\-\-rcheck\fP
Check if the source address of the packet is currently in the list.
.TP
[\fB!\fP] \fB\-\-update\fP
Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
matches.
.TP
[\fB!\fP] \fB\-\-remove\fP
Check if the source address of the packet is currently in the list and if so
that address will be removed from the list and the rule will return true. If
the address is not found, false is returned.
.TP
\fB\-\-seconds\fP \fIseconds\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
\fB\-\-reap\fP
This option can only be used in conjunction with \fB\-\-seconds\fP.
When used, this will cause entries older than the last given number of seconds
to be purged.
.TP
\fB\-\-hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and the number of packets recorded for it is greater
than or equal to the given value. This option may be used along with
\fB\-\-seconds\fP to create an even narrower match requiring a certain number
of hits within a specific time frame.
.TP
\fB\-\-rttl\fP
This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and the TTL of the current packet matches that of the
packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
with people faking their source address in order to DoS you via this module,
denying others access to your site by sending bogus packets to you.
.PP
Examples:
.IP
iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
.IP
iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
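.PP
The following is a userspace model of the list semantics described above, added
here as an illustration rather than the module's own code: it replays connection
attempts through the common \fB\-\-set\fP then \fB\-\-update \-\-seconds
\-\-hitcount\fP rule pair and shows which attempt is dropped. The list name
\fIssh\fP, port 22 and the thresholds (4 hits in 60 seconds) are assumed for the
example.

```python
class RecentList:
    """Added userspace model of one named list, not the kernel's xt_recent code:
    address -> timestamps in plain seconds (every stamp kept; the kernel keeps a
    fixed ring of --hitcount stamps)."""

    def __init__(self):
        self.entries = {}

    def set(self, addr, now):
        """--set: add addr (or update its entry) and record this packet's time."""
        self.entries.setdefault(addr, []).append(now)
        return True

    def match(self, addr, now, seconds=0, hitcount=0, update=False, reap=False):
        """--rcheck (update=False) or --update (update=True), narrowed by
        --seconds (0 = no limit) and --hitcount (0 = any); reap=True purges
        stamps older than the window (--reap)."""
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        window = [s for s in stamps if not seconds or now - s <= seconds]
        if reap and seconds:
            if not window:
                del self.entries[addr]
                return False
            self.entries[addr] = stamps = window
        matched = len(window) >= max(hitcount, 1)
        if matched and update:
            stamps.append(now)                  # refresh "last seen"
        return matched

    def remove(self, addr):
        """--remove: delete addr; true only if it was listed."""
        return self.entries.pop(addr, None) is not None


def ssh_throttle(events, seconds=60, hitcount=4):
    """Replay (time, src) new-connection events through the two-rule pattern
      -A INPUT -p tcp --dport 22 -m recent --name ssh --set
      -A INPUT -p tcp --dport 22 -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
    and return one verdict per event. --set runs first, so the current packet
    counts toward --hitcount and the 4th attempt within 60 s is dropped."""
    ssh, verdicts = RecentList(), []
    for now, src in events:
        ssh.set(src, now)                       # rule 1 has no target: falls through
        dropped = ssh.match(src, now, seconds, hitcount, update=True)
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts

SAMPLE = [(t, "10.0.0.5") for t in (0, 10, 20, 30, 40, 340)]  # constructed: 5 tries in 40 s, then 1 five min later
```

Note that \fB\-\-update\fP adds a stamp on every match, so after a block the
window clears only once the address has stayed quiet for the full period.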
.PP
\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
about each entry of each list.
.PP
Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
list or written to using the following commands to modify the list:
.TP
\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
to add \fIaddr\fP to the DEFAULT list
.TP
\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
to remove \fIaddr\fP from the DEFAULT list
.TP
\fBecho / >/proc/net/xt_recent/DEFAULT\fP
to flush the DEFAULT list (remove all entries).
.PP
The module itself accepts parameters, defaults shown:
.TP
\fBip_list_tot\fP=\fI100\fP
Number of addresses remembered per table.
.TP
\fBip_pkt_list_tot\fP=\fI0\fP
Number of packets per address remembered. This parameter is obsolete since
kernel version 3.19, which started to calculate the table size based on the
given \fB\-\-hitcount\fP parameter.
.TP
\fBip_list_hash_size\fP=\fI0\fP
Hash table size. 0 means to calculate it based on ip_list_tot by rounding it up
to the next power of two (with \fBip_list_tot\fP defaulting to \fI100\fP,
\fBip_list_hash_size\fP will calculate to \fI128\fP by default).
.TP
\fBip_list_perms\fP=\fI0644\fP
Permissions for /proc/net/xt_recent/* files.
.TP
\fBip_list_uid\fP=\fI0\fP
Numerical UID for ownership of /proc/net/xt_recent/* files.
.TP
\fBip_list_gid\fP=\fI0\fP
Numerical GID for ownership of /proc/net/xt_recent/* files.
