Hello, all.

I read this document about the iptables recent module: http://blog.andrew.net.au/2005/02/16#ipt_recent_and_ssh_attacks

I would like to filter the IP addresses sending excessive spam mail with the iptables recent module, and I have some questions.

iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set --name SPAM
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SPAM -j DROP

If I set it up like above, I can't understand the meaning of the hitcount. Does it mean the number of packets, sessions or connections?

Does the above rule mean that if there are 4 connections in 60 seconds, the IP will be filtered for 60 seconds?

If some IP is filtered, how long will it be filtered? For 60 seconds?

When I look at the list with cat /proc/net/ipt_recent/SPAM, the maximum number is 100. If it reaches 100, is there no problem? And how can I increase the number?

Thanks in advance.
MontyRee wrote:
> Hello, all.
>
> I read this document about the iptables recent module:
> http://blog.andrew.net.au/2005/02/16#ipt_recent_and_ssh_attacks
>
> I would like to filter the IP addresses sending excessive spam mail with the iptables recent module,
> and I have some questions.
>
> iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set --name SPAM
> iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SPAM -j DROP
>
> If I set it up like above,
>
> I can't understand the meaning of the hitcount.
> Does it mean the number of packets, sessions or connections?
>
Maybe the manpage will help:

   --hitcount hits
       This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame.

> Does the above rule mean that if there are 4 connections in 60 seconds, the IP will be filtered for 60 seconds?
>
Nearly, but there is no timeframe implication on the filtering. It simply decides whether the given packet matches the rule and takes the appropriate action. The timeframe comes from whether (or not) there have been 4 or more connection attempts from that IP in the previous 60 seconds.

> If some IP is filtered, how long will it be filtered? For 60 seconds?
>
See above - it's the previous 60 second timeframe you are looking at.
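As an added illustration (not from the thread or from the iptables project), here is a small Python model of the two-rule chain quoted above. It keeps only the --set / --update --seconds / --hitcount logic, ignores --rttl and the per-list size cap, and the IP addresses and timings are constructed.

```python
from collections import defaultdict

SECONDS = 60    # --seconds 60 from the thread's second rule
HITCOUNT = 4    # --hitcount 4 from the thread's second rule


class RecentList:
    """Model of one ipt_recent list (the 'SPAM' list in the thread).
    Each --set or matching --update appends a timestamp for the address."""

    def __init__(self):
        self.stamps = defaultdict(list)  # source IP -> list of hit timestamps

    def set(self, ip, now):
        """--set: record this packet as a hit for ip (always 'matches')."""
        self.stamps[ip].append(now)

    def update(self, ip, now, seconds, hitcount):
        """--update --seconds N --hitcount M: match only if ip already has at
        least M hits within the previous N seconds; on a match the current
        packet is recorded as one more hit, so a steady stream of attempts
        keeps the address matching (it is NOT blocked for a fixed 60 s)."""
        hits = [t for t in self.stamps.get(ip, []) if now - t <= seconds]
        if len(hits) >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def filter_chain(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """Run constructed NEW-connection attempts [(time_s, ip), ...] through
    rule 1 (--set) then rule 2 (--update ... -j DROP); return verdicts."""
    spam = RecentList()
    verdicts = []
    for now, ip in attempts:
        spam.set(ip, now)                            # rule 1 records every attempt
        if spam.update(ip, now, seconds, hitcount):  # rule 2 drops at >= 4 hits/60 s
            verdicts.append((now, ip, "DROP"))
        else:
            verdicts.append((now, ip, "ACCEPT"))
    return verdicts


if __name__ == "__main__":
    # Constructed sample: a burst sender (4 attempts in 30 s, a 5th at 50 s,
    # then silence until 200 s) and a slow sender with one attempt per 100 s.
    sample = [(0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
              (30, "198.51.100.7"), (50, "198.51.100.7"), (200, "198.51.100.7"),
              (5, "192.0.2.10"), (100, "192.0.2.10")]
    for now, ip, verdict in filter_chain(sorted(sample)):
        print(f"t={now:>3}s {ip:<14} {verdict}")
```

Running it shows the fourth attempt inside 60 s dropped, later attempts dropped as long as they keep coming, and the address accepted again once 60 s have passed with fewer than four hits in the window.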