-m recent

-m recent

[uniplex]

Has anyone here had any luck with this?

It's logging the ip and ttl etc etc in the file it's supposed to, but 
the --update -j DROP rule I'm using doesn't seem to have any effect.

Here's a snip of rules from my script that I've been using to test with. 
I've put them in the same order as they appear in the script. It's not 
the entire script(of coarse) and I'm matching to icmp packets just to 
test with.

iptables -A INPUT -i eth0 -p all -m recent --name icmps --update -j DROP

iptables -N icmps
iptables -A INPUT -i eth0 -p icmp -j icmps
iptables -A icmps -m recent --name icmps --set -j DROP
iptables -A icmps -j DROP

Thanks in advance.

Re: -m recent

[uniplex]

Stephen Frost wrote:

>>iptables -A INPUT -i eth0 -p all -m recent --name icmps --update -j DROP
>>
>>iptables -N icmps
>>iptables -A INPUT -i eth0 -p icmp -j icmps
>>iptables -A icmps -m recent --name icmps --set -j DROP
>>iptables -A icmps -j DROP
> 
> 
> This looks good to me..  Can you tell me what version of ipt_recent
> you're using?  An old version had a bug where the --name only worked
> when it was the last option, that may be the problem.
> 
> 	Stephen

Hey Stephen,

How can I tell what version of ipt_recent I have? I downloaded the 
latest version of patch-o-matic and installed your patch from there.

I tried using --name in different places but it still doesn't seem to 
work for whatever reason. Here's what I've tested with now.

iptables -A INPUT -i eth0 -p all -m recent --update -j DROP --name icmps

iptables -N icmps
iptables -A INPUT -p icmp -i eth0 -j icmps
iptables -A icmps -m limit --limit 2/hour --limit-burst 1 -j LOG 
--log-level alert --log-prefix "icmp: "
iptables -A icmps -m recent --set -j DROP --name icmps
iptables -A icmps -j DROP

Thanks.

Re: -m recent

[Stephen Frost]

[-- Attachment #1: Type: text/plain, Size: 998 bytes --]

* uniplex (uniplex@maximum-linux.net) wrote:
> Has anyone here had any luck with this?

It works for me and I use it, though, well, I wrote it too, so.. :)

> It's logging the ip and ttl etc etc in the file it's supposed to, but 
> the --update -j DROP rule I'm using doesn't seem to have any effect.
> 
> Here's a snip of rules from my script that I've been using to test with. 
> I've put them in the same order as they appear in the script. It's not 
> the entire script(of coarse) and I'm matching to icmp packets just to 
> test with.
> 
> iptables -A INPUT -i eth0 -p all -m recent --name icmps --update -j DROP
> 
> iptables -N icmps
> iptables -A INPUT -i eth0 -p icmp -j icmps
> iptables -A icmps -m recent --name icmps --set -j DROP
> iptables -A icmps -j DROP

This looks good to me..  Can you tell me what version of ipt_recent
you're using?  An old version had a bug where the --name only worked
when it was the last option, that may be the problem.

	Stephen

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: -m recent

[Stephen Frost]

[-- Attachment #1: Type: text/plain, Size: 1444 bytes --]

* uniplex (uniplex@maximum-linux.net) wrote:
> How can I tell what version of ipt_recent I have? I downloaded the 
> latest version of patch-o-matic and installed your patch from there.
> 
> I tried using --name in different places but it still doesn't seem to 
> work for whatever reason. Here's what I've tested with now.
> 
> iptables -A INPUT -i eth0 -p all -m recent --update -j DROP --name icmps
> 
> iptables -N icmps
> iptables -A INPUT -p icmp -i eth0 -j icmps
> iptables -A icmps -m limit --limit 2/hour --limit-burst 1 -j LOG 
> --log-level alert --log-prefix "icmp: "
> iptables -A icmps -m recent --set -j DROP --name icmps
> iptables -A icmps -j DROP

It'd be before the -j DROP to see if that fixes it.  Recent versions of
ipt_recent will print out to your kernel log (which you can usually see
via dmesg) what version of ipt_recent it is.  If you're not seeing that
then you probably want to try and get a later version.  The latest
'released' version is on my website,
http://snowman.net/projects/ipt_recent/ .  There have been a number of
bug fixes, however, and so if you want to try my current 'beta' you can
download it from:
http://snowman.net/projects/ipt_recent/ipt_recent-0.2.6.tar.gz .
I've had alot of good responses to the beta so I'm planning on
releasing it when I have some time to do the 'paperwork'.  My son was
born a week ago and I'm still pretty busy with him tho. :)

	Stephen

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: -m recent

[uniplex]

Stephen Frost wrote:

> It'd be before the -j DROP to see if that fixes it.  Recent versions of
> ipt_recent will print out to your kernel log (which you can usually see
> via dmesg) what version of ipt_recent it is.  If you're not seeing that
> then you probably want to try and get a later version.  The latest
> 'released' version is on my website,
> http://snowman.net/projects/ipt_recent/ .  There have been a number of
> bug fixes, however, and so if you want to try my current 'beta' you can
> download it from:
> http://snowman.net/projects/ipt_recent/ipt_recent-0.2.6.tar.gz .
> I've had alot of good responses to the beta so I'm planning on
> releasing it when I have some time to do the 'paperwork'.  My son was
> born a week ago and I'm still pretty busy with him tho. :)
> 
> 	Stephen

Congrats! :)

I found this in dmesg

ipt_recent v0.2.3: Stephen Frost <sfrost@snowman.net>. 
http://snowman.net/projects/ipt_recent/

Do you know where I can find a guide or howto for installing your patch? 
I'm not to swoft with those types of things, I've used patch and diff 
only one time that I can remember.

Thanks.

Re: -m recent

[Fabrice MARIE]

Hello,

On Friday 24 January 2003 10:03, uniplex wrote:
> [...]
> Congrats! :)
> I found this in dmesg
> ipt_recent v0.2.3: Stephen Frost <sfrost@snowman.net>.
> http://snowman.net/projects/ipt_recent/
> Do you know where I can find a guide or howto for installing your patch?
> I'm not to swoft with those types of things, I've used patch and diff
> only one time that I can remember.

Hope this will help:
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html

Have a nice day,

Fabrice.
--
Fabrice MARIE

"Silly hacker, root is for administrators"
       -Unknown

Re: -m recent

[Stephen Frost]

[-- Attachment #1: Type: text/plain, Size: 1002 bytes --]

* uniplex (uniplex@maximum-linux.net) wrote:
> Congrats! :)

Thanks. :)

> I found this in dmesg
> 
> ipt_recent v0.2.3: Stephen Frost <sfrost@snowman.net>. 
> http://snowman.net/projects/ipt_recent/

Ok, yeah, that's a kind of old one.  I think you should try 0.2.6,
honestly.

> Do you know where I can find a guide or howto for installing your patch? 
> I'm not to swoft with those types of things, I've used patch and diff 
> only one time that I can remember.

If you want to install using one of the tarballs I've created it's
pretty simple.  Patch your kernel using the patch-o-matic as normal.
Then uncompress/untar the tarball you downloaded and copy the
ipt_recent.h and ipt_recent.c from the tarball over the ones that now
exist in your Linux kernel tree (from the patch-o-matic).  You can also
overwrite the libipt_recent.c that is in the extensions directory with
the one from the tarball.  Then compile iptables and your kernel as you
normally would.

	Stephen

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: -m recent

[uniplex]

Stephen Frost wrote:

> If you want to install using one of the tarballs I've created it's
> pretty simple.  Patch your kernel using the patch-o-matic as normal.
> Then uncompress/untar the tarball you downloaded and copy the
> ipt_recent.h and ipt_recent.c from the tarball over the ones that now
> exist in your Linux kernel tree (from the patch-o-matic).  You can also
> overwrite the libipt_recent.c that is in the extensions directory with
> the one from the tarball.  Then compile iptables and your kernel as you
> normally would.
> 
> 	Stephen

Thanks Stephen, I got pretty much everything with it working now. I'm 
having a little problem with --seconds now

--seconds ! 1800 returns an error. so does --seconds \! 1800

Am I doing something wrong here?

Re: -m recent

[Stephen Frost]

[-- Attachment #1: Type: text/plain, Size: 985 bytes --]

* uniplex (uniplex@maximum-linux.net) wrote:
> Stephen Frost wrote:
> 
> >If you want to install using one of the tarballs I've created it's
> >pretty simple.  Patch your kernel using the patch-o-matic as normal.
> >Then uncompress/untar the tarball you downloaded and copy the
> >ipt_recent.h and ipt_recent.c from the tarball over the ones that now
> >exist in your Linux kernel tree (from the patch-o-matic).  You can also
> >overwrite the libipt_recent.c that is in the extensions directory with
> >the one from the tarball.  Then compile iptables and your kernel as you
> >normally would.
> >
> >	Stephen
> 
> Thanks Stephen, I got pretty much everything with it working now. I'm 
> having a little problem with --seconds now
> 
> --seconds ! 1800 returns an error. so does --seconds \! 1800
> 
> Am I doing something wrong here?

Did you try ! --seconds 1800?  I havn't had a chance to go back and look
at things, so this is just a thought. :)

	Stephen

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]