[Help wanted] How to use the recent module in iptables

Original post, posted 2009-05-01
I'm reading http://wiki.openwrt.org/TransparentFirewall

It contains this pair of iptables rules for opening a service port:

# SSH

  iptables -A INPUT -p TCP --dport 22 \
    -m recent --name ROUTER-SSH --update --hitcount 5 --seconds 180 -j DROP

  iptables -A INPUT -p TCP --dport 22 \
    -m recent --name ROUTER-SSH --set -j ACCEPT

I looked at the help text for recent:

recent v1.2.11 options:

[!] --set                       Add source address to list, always matches.

[!] --rcheck                    Match if source address in list.

[!] --update                    Match if source address in list, also update last-seen time.

[!] --remove                    Match if source address in list, also removes that address from list.

    --seconds seconds           For check and update commands above.
                                Specifies that the match will only occur if source address last seen within
                                the last 'seconds' seconds.

    --hitcount hits             For check and update commands above.
                                Specifies that the match will only occur if source address seen hits times.
                                May be used in conjunction with the seconds option.

    --rttl                      For check and update commands above.
                                Specifies that the match will only occur if the source address and the TTL
                                match between this packet and the one which was set.
                                Useful if you have problems with people spoofing their source address in order
                                to DoS you via this module.

    --name name                 Name of the recent list to be used.  DEFAULT used if none given.

    --rsource                   Match/Save the source address of each packet in the recent list table (default).

    --rdest                     Match/Save the destination address of each packet in the recent list table.

ipt_recent v0.3.1: Stephen Frost <sfrost@snowman.net>.  http://snowman.net/projects/ipt_recent/

Unfortunately I couldn't work out what it means. Could someone explain?


Best answer (wysilly)

iptables -A INPUT -p TCP --dport 22 \
    -m recent --name ROUTER-SSH --set -j ACCEPT
The purpose of this line is to create a recent list named ROUTER-SSH.

iptables -A INPUT -p TCP --dport 22 \
    -m recent --name ROUTER-SSH --update --hitcount 5 --seconds 180 -j DROP
The purpose is to drop connections that hit more than 5 times within a rolling 180 seconds, i.e. the same IP is only allowed 5 SSH connections within 180 seconds.

But these two lines don't look quite right as written.

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ROUTER-SSH --update --seconds 1800 --hitcount 5 -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ROUTER-SSH --set -j ACCEPT

I think this is better. The man page below explains it more clearly.

QUOTE:recent
       Allows you to dynamically create a list of IP addresses and then match against that list  in  a  few  different
       ways.

       For  example,  you  can create a `badguy' list out of people attempting to connect to port 139 on your firewall
       and then DROP all future packets from them without considering them.

       --name name
              Specify the list to use for the commands. If no name is given then 'DEFAULT' will be used.

       [!] --set
              This will add the source address of the packet to the list. If the source  address  is  already  in  the
              list,  this will update the existing entry. This will always return success (or failure if `!' is passed
              in).

       [!] --rcheck
              Check if the source address of the packet is currently in the list.

       [!] --update
              Like --rcheck, except it will update the "last seen" timestamp if it matches.

       [!] --remove
              Check if the source address of the packet is currently in the list  and  if  so  that  address  will  be
              removed from the list and the rule will return true. If the address is not found, false is returned.

       [!] --seconds seconds
              This  option  must  be used in conjunction with one of --rcheck or --update. When used, this will narrow
              the match to only happen when the address is in the list and was seen within the last  given  number  of
              seconds.

       [!] --hitcount hits
              This  option  must  be used in conjunction with one of --rcheck or --update. When used, this will narrow
              the match to only happen when the address is in the list and packets had been received greater  than  or
              equal  to the given value. This option may be used along with --seconds to create an even narrower match
              requiring a certain number of hits within a specific time frame.

       --rttl This option must be used in conjunction with one of --rcheck or --update. When used,  this  will  narrow
              the  match to only happen when the address is in the list and the TTL of the current packet matches that
              of the packet which hit the --set rule. This may be useful if you have problems with people faking their
              source  address in order to DoS you via this module by disallowing others access to your site by sending
              bogus packets to you.


cat /proc/net/ipt_recent/ROUTER-SSH
gives something like
src=192.168.1.2 ttl: 63 last_seen: 4474758176 oldest_pkt: 6 last_pkts:  4474758176, 4474758176, 4474758176, 4474758176, 4474758176, 4474758171, 4474758171, 4474758171, 4474758171, 4474758171, 4474758171, 4474758171, 4474758172, 4474758172, 4474758176, 4474758176, 4474758176, 4474758176, 4474758176
What follows last_pkts are the times of the packets that recently passed; oldest_pkt is the number of packets recorded so far. That's roughly it; it should be easy to understand.

[ Last edited by wysilly on 2007-6-10 13:24 ]
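As an added example (not code from the thread), a small Python parser for the /proc/net/ipt_recent/<list> lines shown above; it also counts how many recorded packets fall inside a --seconds window, which is the figure --update/--rcheck compare against --hitcount. The HZ used to turn jiffies into seconds is an assumption supplied by the caller; the first sample line is the one heartevil posted further down, the second is constructed.

```python
import re

# One entry of /proc/net/ipt_recent/<list> in the layout quoted in the thread
# (old ipt_recent). Stamps are kernel ticks (jiffies); turning them into
# seconds needs the kernel's HZ, which callers pass in (assumed, not read).
_ENTRY_RE = re.compile(
    r"src=(?P<src>\S+)\s+ttl:\s*(?P<ttl>\d+)\s+last_seen:\s*(?P<last_seen>\d+)"
    r"\s+oldest_pkt:\s*(?P<oldest_pkt>\d+)\s+last_pkts:\s*(?P<last_pkts>.*)$")


def parse_recent_line(line):
    """Parse one entry; returns a dict, or None if the line is not an entry."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    stamps = [int(t) for t in m.group("last_pkts").replace(",", " ").split()]
    return {"src": m.group("src"), "ttl": int(m.group("ttl")),
            "last_seen": int(m.group("last_seen")),
            "oldest_pkt": int(m.group("oldest_pkt")), "last_pkts": stamps}


def parse_recent_table(text):
    """Parse the whole file, skipping blank or unrecognised lines."""
    return [e for e in map(parse_recent_line, text.splitlines()) if e]


def hits_within(entry, seconds, hz):
    """Recorded packets seen within `seconds` of the entry's last_seen: the
    figure --update/--rcheck compare against --hitcount (the man page says the
    match happens when hits are greater than or equal to the given value)."""
    window = seconds * hz
    return sum(1 for t in entry["last_pkts"] if entry["last_seen"] - t <= window)


def would_be_dropped(entry, seconds, hitcount, hz):
    """Would the thread's '--update --seconds S --hitcount N -j DROP' rule
    match this address, evaluated as of its last_seen time?"""
    return hits_within(entry, seconds, hz) >= hitcount


# Sample table: first line as posted by heartevil, second line constructed
SAMPLE_TABLE = """\
src=192.168.1.2 ttl: 49 last_seen: 4477286012 oldest_pkt: 5 last_pkts: 4477285901, 4477285954, 4477285954, 4477286012, 4477286012
src=10.0.0.7 ttl: 64 last_seen: 5000 oldest_pkt: 2 last_pkts: 4000, 5000
"""
```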


Reply #2, by 免失志, posted 2010-04-13
Strange, though: setting -m state --state NEW aside for the moment, using just -m recent --name ROUTER-SSH --update --seconds 180 --hitcount 5 -j DROP still doesn't block anything for me.
My test method is to connect repeatedly with telnet from the client side. Is there something wrong with my test method?


Reply #3, by heartevil, posted 2010-04-13
I think it may be an ordering problem: the DROP rule should come before the ACCEPT. Below are my test script and the results.


QUOTE:
iptables -A INPUT -p tcp --dport 22 -m recent --name ROUTER-SSH --update --seconds 1800 --hitcount 5 -j DROP
iptables -A INPUT -p tcp --dport 22 -m recent --name ROUTER-SSH --set -j ACCEPT

test.bash
#!/bin/bash
# open 20 SSH connections in a row, closing each one immediately
for i in $(seq 1 20); do
    echo 'quit' | telnet 192.168.1.1 22
done

Result
Trying 192.168.1.1...
Connected to 192.168.1.1 (192.168.1.1).
Escape character is '^]'.
SSH-2.0-OpenSSH_4.5
Connection closed by foreign host.
Trying 192.168.1.1... (it stops here)

cat /proc/net/ipt_recent/ROUTER-SSH
src=192.168.1.2 ttl: 49 last_seen: 4477286012 oldest_pkt: 5 last_pkts: 4477285901, 4477285954, 4477285954, 4477286012, 4477286012


As you can see, the result is as expected.

[ Last edited by wysilly on 2007-6-10 20:27 ]


Reply #4, by joo, posted 2010-04-13
It works now. The reason it didn't work before was that I hadn't understood how this module is used: I didn't understand the point of the ACCEPT in the --set line and left it out, so the times were never recorded.

Thanks, wysilly

[ Last edited by platinum on 2007-6-10 20:59 ]


Reply #5, by aaer, posted 2010-04-13
Greedy, greedy, farming points, farming points, heh.


Reply #6, posted 2010-04-13
Learned a trick.



QUOTE: Originally posted by wysilly on 2007-6-10 20:51 at floor 6
Greedy, greedy, farming points, farming points, heh.



Reply #7, by lin0, posted 2010-04-13
Could you two experts write up a summary document so everyone can learn from it?


Reply #8, by heartevil, posted 2010-04-13
Could we discuss concrete, practical use cases for this feature, i.e. when this module comes in handy?

For example

iptables -A FORWARD -p tcp --dport 80 -m recent --name ROUTER-HTTP --update --seconds 180 --hitcount 5 -j DROP
iptables -A FORWARD -p tcp --dport 80 -m recent --name ROUTER-HTTP --set -j ACCEPT

Can this limit each IP to 5 connections within 180 seconds?


Reply #9, by zhurry, posted 2010-04-13
It works if you add -m state --state NEW; without it, it's 5 packets within 180 seconds, heh, and then nobody can get in at all.
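To tie together the best answer's explanation, heartevil's point that DROP must precede ACCEPT, and zhurry's point about -m state --state NEW, here is an added Python model of the recent module's --set/--update semantics (written for this edit, not code from the thread or the kernel; it assumes a simplified per-address timestamp list in seconds and that packets which are not NEW are accepted by an ESTABLISHED rule).

```python
from collections import defaultdict

PKT_LIST_TOT = 20  # stamps kept per address, like the module's ip_pkt_list_tot

class RecentList:
    def __init__(self):
        self.stamps = defaultdict(list)  # src -> newest-first timestamps (s)

    def set(self, src, now):
        # --set: add or refresh the entry; always matches
        self.stamps[src] = ([now] + self.stamps[src])[:PKT_LIST_TOT]
        return True

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match only if src is listed with at
        # least N stamps in the last S seconds; refreshed only on a match
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits < hitcount:
            return False
        return self.set(src, now)

def run_chain(packets, drop_first=True, state_new=False, seconds=180, hitcount=5):
    """Walk (time, src, is_new_connection) packets through the thread's two rules.
    drop_first=False puts --set/ACCEPT ahead of --update/DROP; state_new=True
    models -m state --state NEW (only a connection's first packet reaches the
    recent rules, the rest are assumed accepted as ESTABLISHED)."""
    recent, verdicts = RecentList(), []
    for now, src, is_new in packets:
        if state_new and not is_new:
            verdicts.append("ACCEPT")
            continue
        rules = [("DROP", lambda: recent.update(src, now, seconds, hitcount)),
                 ("ACCEPT", lambda: recent.set(src, now))]
        if not drop_first:
            rules.reverse()
        verdicts.append(next(v for v, matches in rules if matches()))
    return verdicts

def connections(n, pkts_per_conn=1, gap=1, src="192.168.1.2"):
    """Constructed traffic: n connections from src, pkts_per_conn packets each one
    second apart, connections gap seconds apart; only the first packet is NEW."""
    pkts, t = [], 0
    for _ in range(n):
        pkts += [(t + i, src, i == 0) for i in range(pkts_per_conn)]
        t += pkts_per_conn - 1 + gap
    return pkts
```

With the rules in the thread's order, the sixth connection from one host is dropped; with ACCEPT first nothing is ever dropped, and without the NEW filter the quota is spent by packets rather than connections, as zhurry notes.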
