From: "per j" <perj8@hotmail.com>
To: netfilter@lists.netfilter.org
Subject: ipt_recent 0.2.3/0.2.7 --rttl doesn't work
Date: Tue, 04 Feb 2003 23:39:28 +0000
Message-ID: <F130IeK7IiGUpNfpjAn0000c4a5@hotmail.com>
--rttl function in ipt_recent doesn't work. It's supposed to match every
single packet with the same ip address and ttl value. Weird thing is it
produces a match maybe once every 1000 packets with the same ip address and
ttl.
I get the same ip address with the same TTL value in the logs. I've also
tested this by using another computer with a stable connection (i.e. same ip
address and same ttl). -m recent with --rttl doesn't match any of the
packets from that computer, but -m recent without --rttl matches.
I upgraded to ipt_recent 0.2.7 from 0.2.3 and the problem is not solved.
Can you post a fix?
I'm using vanilla kernel 2.0.43 with patches from patch-o-matic CVS
(Jan 24, 2003), openmosix, super-freeS/WAN, ipt_recent 0.2.7
(ipt_recent-0.2.6.tar.gz). And netfilter stuff all built as modules.
Already applied:
submitted/01_2.4.19
submitted/02_2.4.20
base/iplimit
base/mport
base/nth
base/quota
base/random
base/time
base/TTL
extra/h323-conntrack-nat
extra/ipt_TARPIT
extra/mms-conntrack-nat
extra/recent
I've also removed ipt_TTL from all chains in my iptables and it had no
effect.
Here are the rules in my iptables 1.2.7a:
INPUT chain (default DROP):
-j ACCEPT -i ppp0 --state ESTABLISHED,RELATED
-j DROP -i ppp0 -m recent --update --rttl --name recentDropBox
-j LOG -i ppp0 --log-prefix recentDropBox -m limit
-j DROP -i ppp0 -m recent --set --name recentDropBox
I attempt to telnet to port 137 on this box from a computer on the internet
(ppp0) and I see in /var/log/messages:
Feb 4 12:16:11 router kernel: recentDropBoxIN=ppp0 OUT= MAC= SRC=24.238.110.10 DST=24.239.135.221 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=10436 DF PROTO=TCP SPT=3936 DPT=137 WINDOW=8760 RES=0x00 SYN URGP=0
Feb 4 12:16:14 router kernel: recentDropBoxIN=ppp0 OUT= MAC= SRC=24.238.110.10 DST=24.239.135.221 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=10443 DF PROTO=TCP SPT=3936 DPT=137 WINDOW=8760 RES=0x00 SYN URGP=0
As you can see in the log entries above it's the same source ip address and
same TTL value within 3 seconds. Obviously the DROP rule with -m recent
--update --rttl did not match, which produces duplicate log entries.
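As an added illustration (not part of the original mail or of ipt_recent), here is a small Python model of how the recent list in the rules above is expected to behave, run over the two log lines from the message: with a working --rttl the second SYN would hit the --update rule and be dropped before LOG, so one log entry is expected rather than the two shown. The log lines are a constructed copy with the archive's wrapping undone and the year assumed; the class and function names are mine.

```python
import re
from datetime import datetime

# Constructed copy of the report's two LOG lines, archive line wrapping undone.
LOG_LINES = [
    "Feb 4 12:16:11 router kernel: recentDropBoxIN=ppp0 OUT= MAC= "
    "SRC=24.238.110.10 DST=24.239.135.221 LEN=48 TOS=0x00 PREC=0x00 TTL=122 "
    "ID=10436 DF PROTO=TCP SPT=3936 DPT=137 WINDOW=8760 RES=0x00 SYN URGP=0",
    "Feb 4 12:16:14 router kernel: recentDropBoxIN=ppp0 OUT= MAC= "
    "SRC=24.238.110.10 DST=24.239.135.221 LEN=48 TOS=0x00 PREC=0x00 TTL=122 "
    "ID=10443 DF PROTO=TCP SPT=3936 DPT=137 WINDOW=8760 RES=0x00 SYN URGP=0",
]
# The --log-prefix has no trailing space, so "recentDropBox" fuses with "IN=".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S*?)IN="
    r".*?SRC=(?P<src>\S+).*?TTL=(?P<ttl>\d+)")

def parse_log_line(line, year=2003):
    """Return (timestamp, prefix, src, ttl) for one LOG line; syslog has no year."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["prefix"], m["src"], int(m["ttl"])

class RecentList:
    """One 'recent' list as the report expects it: --set records (src, ttl);
    --update matches a listed src (with --rttl, only if the stored TTL is equal)
    and refreshes it. The rules give no --seconds, so entries never age out."""
    def __init__(self, rttl):
        self.rttl = rttl
        self.entries = {}  # src -> (last_seen, ttl)
    def set(self, ts, src, ttl):
        self.entries[src] = (ts, ttl)
    def update(self, ts, src, ttl):
        if src not in self.entries or (self.rttl and self.entries[src][1] != ttl):
            return False
        self.entries[src] = (ts, ttl)
        return True

def simulate_input_chain(lines, rttl):
    """Walk the recent rules of the report's INPUT chain; return packets reaching LOG."""
    box, logged = RecentList(rttl), []
    for ts, _prefix, src, ttl in filter(None, map(parse_log_line, lines)):
        if box.update(ts, src, ttl):   # -j DROP -m recent --update [--rttl]
            continue                   # dropped before LOG
        logged.append((ts, src, ttl))  # -j LOG --log-prefix recentDropBox
        box.set(ts, src, ttl)          # -j DROP -m recent --set
    return logged
```

Running `simulate_input_chain(LOG_LINES, rttl=True)` yields a single logged packet, which is what the reporter expected to see instead of the two entries in the message.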