libxt_recent.man  

Original document is iptables-1.4.10/extensions/libxt_recent.man

iptables recent module  

Allows you to dynamically create a list of IP addresses and then match against that list in a few different ways.

For example, you can create a "badguy" list out of people attempting to connect to port 139 on your firewall and then DROP all future packets from them without considering them.

--set, --rcheck, --update and --remove are mutually exclusive.

--name name
    Specify the list to use for the commands. If no name is given then DEFAULT will be used.

[!] --set
    This will add the source address of the packet to the list. If the source address is already in the list, this will update the existing entry. This will always return success (or failure if ! is passed in).

--rsource
    Match/save the source address of each packet in the recent list table. This is the default.

--rdest
    Match/save the destination address of each packet in the recent list table.

[!] --rcheck
    Check if the source address of the packet is currently in the list.

[!] --update
    Like --rcheck, except it will update the "last seen" timestamp if it matches.

[!] --remove
    Check if the source address of the packet is currently in the list and if so that address will be removed from the list and the rule will return true. If the address is not found, false is returned.

--seconds seconds
    This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds.

--hitcount hits
    This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and at least the given number of packets have been received from it. This option may be used along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame. The maximum value for the hitcount parameter is given by the "ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this value on the command line will cause the rule to be rejected.

--rttl
    This option may only be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and the TTL of the current packet matches that of the packet which hit the --set rule. This may be useful if others are spoofing the source address of legitimate hosts in order to get those hosts listed, and thus locked out, via this module.

Examples  

iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP

Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has some examples of usage.

/proc/net/xt_recent/*  

/proc/net/xt_recent/* are the current lists of addresses and information about each entry of each list. Each file in /proc/net/xt_recent/ can be read from to see the current list, or written to using the following commands.

To modify the list  

echo +addr > /proc/net/xt_recent/DEFAULT

to add addr to the DEFAULT list

echo -addr > /proc/net/xt_recent/DEFAULT

to remove addr from the DEFAULT list

echo / >/proc/net/xt_recent/DEFAULT

to flush the DEFAULT list (remove all entries).
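The following script is an added example, not part of the iptables man page or the iptables project, that wraps the two rule patterns and the /proc commands above in shell functions. The variables IPTABLES, RECENT_PROC and PKT_LIST_TOT_FILE are this script's own (set IPTABLES=echo for a dry run, or RECENT_PROC to a scratch directory to try the list helpers without root), and the sysfs path used to read ip_pkt_list_tot is an assumption about the running kernel. The rate-limit rule pair goes beyond the page's own example by combining --update, --seconds and --hitcount.

```shell
#!/bin/sh
# Added example, not from the iptables man page. IPTABLES, RECENT_PROC and
# PKT_LIST_TOT_FILE are this script's own knobs so it can be dry-run
# (IPTABLES=echo) or exercised on a scratch directory without root.
IPTABLES="${IPTABLES:-iptables}"
RECENT_PROC="${RECENT_PROC:-/proc/net/xt_recent}"
# Assumption: the loaded module exposes its ip_pkt_list_tot parameter here.
PKT_LIST_TOT_FILE="${PKT_LIST_TOT_FILE:-/sys/module/xt_recent/parameters/ip_pkt_list_tot}"

# iptables rejects a --hitcount above ip_pkt_list_tot; check first so the
# failure is explained. Falls back to the documented default of 20 when the
# parameter file cannot be read. Returns 0 if acceptable, 1 if too large.
check_hitcount() {
    hits="$1"
    limit=20
    if [ -r "$PKT_LIST_TOT_FILE" ]; then
        limit=$(cat "$PKT_LIST_TOT_FILE")
    fi
    if [ "$hits" -gt "$limit" ]; then
        echo "hitcount $hits exceeds ip_pkt_list_tot=$limit" >&2
        return 1
    fi
    return 0
}

# Pattern 1, the man page's own example: a host that touches the trap port
# is recorded with --set, and the --rcheck rule (listed first) drops all its
# forwarded traffic for SECONDS after its last probe. --rcheck does not
# refresh last_seen, so the block expires even if other traffic continues.
recent_trap_rules() {
    list="$1"; iface="$2"; port="$3"; seconds="$4"
    "$IPTABLES" -A FORWARD -m recent --name "$list" --rcheck --seconds "$seconds" -j DROP &&
    "$IPTABLES" -A FORWARD -p tcp -i "$iface" --dport "$port" -m recent --name "$list" --set -j DROP
}

# Pattern 2, beyond the page's example: throttle connection attempts to PORT.
# Every SYN is recorded; once a source has sent HITS of them within SECONDS
# the packet is dropped. Because the --set rule keeps recording, a source
# that keeps retrying stays blocked until it pauses for SECONDS.
recent_ratelimit_rules() {
    list="$1"; port="$2"; seconds="$3"; hits="$4"
    check_hitcount "$hits" || return 1
    "$IPTABLES" -A INPUT -p tcp --syn --dport "$port" -m recent --name "$list" --set &&
    "$IPTABLES" -A INPUT -p tcp --syn --dport "$port" -m recent --name "$list" \
        --update --seconds "$seconds" --hitcount "$hits" -j DROP
}

# The /proc interface from the man page: "+addr" adds, "-addr" removes,
# "/" flushes the named list. printf avoids echo treating "-addr" as a flag.
recent_list_add()   { printf '%s\n' "+$2" > "$RECENT_PROC/$1"; }
recent_list_del()   { printf '%s\n' "-$2" > "$RECENT_PROC/$1"; }
recent_list_flush() { printf '%s\n' "/"   > "$RECENT_PROC/$1"; }

# Usage: IPTABLES=echo sh recent.sh demo   (prints the rules instead of applying)
if [ "${1-}" = "demo" ]; then
    recent_trap_rules badguy eth0 139 60
    recent_ratelimit_rules ssh 22 60 4
    recent_list_add badguy 192.0.2.7      # constructed example address
fi
```

Rule order matters in both patterns: the checking rule must see the packet in the position where dropping it is intended, and in the trap pattern the --rcheck rule goes first so a listed host never reaches the rules below it. A --hitcount above 20 requires raising the module's ip_pkt_list_tot, for example with `options xt_recent ip_pkt_list_tot=50` in a file under /etc/modprobe.d, before the rule will be accepted.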

Module parameters  

The module itself accepts the following parameters, with their defaults shown.

ip_list_tot=100
    Number of addresses remembered per table.

ip_pkt_list_tot=20
    Number of packets per address remembered.

ip_list_hash_size=0
    Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.

ip_list_perms=0644
    Permissions for /proc/net/xt_recent/* files.

ip_list_uid=0
    Numerical UID for ownership of /proc/net/xt_recent/* files.

ip_list_gid=0
    Numerical GID for ownership of /proc/net/xt_recent/* files.