question on recent module

question on recent module

[Leonardo Rodrigues ( listas )]

    Hello Guys,

    I'm trying to setup recent module for doing some great things here :)
Basically what I want is. Match some kind of traffic and, if that happens,
traffic for that source address will be completly and silently dropped. All
examples of recent module I found were used on FORWARD chain, which is not
my case, as machine running recent will be the final destination of the
connection.

    So, seems I'm successfully matching packets I need (
/proc/net/ipt_recent/myrulename ) is created and sources are being added
there. What I need now is: how can I make a rule on filter OUTPUT to DROP
all traffic if the source address was matched by recent module ? As I read,
I can only check recent matches against source address ( --rcheck ). In
OUTPUT chain, source address is my own address and the address I need to
match is the DESTINATION one.

    Can recent module help me in this situation ? Hope you understood it.

    Anyway, thanks for your attention :)

    Sincerily,
    Leonardo Rodrigues

Re: question on recent module

[Stephen Frost]

[-- Attachment #1: Type: text/plain, Size: 1356 bytes --]

* Leonardo Rodrigues ( listas ) (leolistas@solucoesip.net) wrote:
>     I'm trying to setup recent module for doing some great things here :)
> Basically what I want is. Match some kind of traffic and, if that happens,
> traffic for that source address will be completly and silently dropped. All
> examples of recent module I found were used on FORWARD chain, which is not
> my case, as machine running recent will be the final destination of the
> connection.
> 
>     So, seems I'm successfully matching packets I need (
> /proc/net/ipt_recent/myrulename ) is created and sources are being added
> there. What I need now is: how can I make a rule on filter OUTPUT to DROP
> all traffic if the source address was matched by recent module ? As I read,
> I can only check recent matches against source address ( --rcheck ). In
> OUTPUT chain, source address is my own address and the address I need to
> match is the DESTINATION one.
> 
>     Can recent module help me in this situation ? Hope you understood it.
> 
>     Anyway, thanks for your attention :)

Using the latest versions of ipt_recent you can match against the
destination IP address.  I know it's not very clear, but you can use
--rdest in a 'check' rule too, and it will take the destionation IP
address of the packet and look it up in the recent list.

	Stephen

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: question on recent module

[Leonardo Rodrigues ( listas )]

    It's really not clear for me :) Could you give an example rule of how an
destination address could be checked with recent module in an OUTPUT rule
for example ? This is my situation ..... i want ALL packets whose
destination was matched for the last 60 seconds in a recent list called
'bullshit'.

iptables -A OUTPUT -m recent --seconds 60 --name bullshit ??????????????? -j
DROP

    Sincerily,
    Leonardo Rodrigues

----- Original Message -----
From: "Stephen Frost" <sfrost@snowman.net>
To: "Leonardo Rodrigues ( listas )" <leolistas@solucoesip.net>
Cc: "netfilter ML" <netfilter@lists.samba.org>
Sent: Friday, January 24, 2003 10:33 PM
Subject: Re: question on recent module


Using the latest versions of ipt_recent you can match against the
destination IP address.  I know it's not very clear, but you can use
--rdest in a 'check' rule too, and it will take the destionation IP
address of the packet and look it up in the recent list.

 Stephen

* Leonardo Rodrigues ( listas ) (leolistas@solucoesip.net) wrote:
>     I'm trying to setup recent module for doing some great things here :)
> Basically what I want is. Match some kind of traffic and, if that happens,
> traffic for that source address will be completly and silently dropped.
All
> examples of recent module I found were used on FORWARD chain, which is not
> my case, as machine running recent will be the final destination of the
> connection.
>
>     So, seems I'm successfully matching packets I need (
> /proc/net/ipt_recent/myrulename ) is created and sources are being added
> there. What I need now is: how can I make a rule on filter OUTPUT to DROP
> all traffic if the source address was matched by recent module ? As I
read,
> I can only check recent matches against source address ( --rcheck ). In
> OUTPUT chain, source address is my own address and the address I need to
> match is the DESTINATION one.
>
>     Can recent module help me in this situation ? Hope you understood it.
>
>     Anyway, thanks for your attention :)

Re: question on recent module

[Stephen Frost]

* Leonardo Rodrigues ( listas ) (leolistas@solucoesip.net) wrote:
> 
> 
>     It's really not clear for me :) Could you give an example rule of how an
> destination address could be checked with recent module in an OUTPUT rule
> for example ? This is my situation ..... i want ALL packets whose
> destination was matched for the last 60 seconds in a recent list called
> 'bullshit'.
> 
> iptables -A OUTPUT -m recent --seconds 60 --name bullshit ??????????????? -j
> DROP

--rdest for the rule above, that's it.  Note that something else needs
to actually populate that table, but I think you've got that figured out
already...

	Stephen

Re: question on recent module

[Leonardo Rodrigues ( listas )]

    tried: iptables -A OUTPUT -m recent --seconds 60 --name
bullshit --rdest -j DROP
iptables v1.2.7a: recent: you must specify one of `--set', `--check'
`--update' or `--remove'

    tried adding --check according to error I received, because I want just
checking and not including/updating/excluding:
iptables -A OUTPUT -m recent --seconds 60 --name bullshit --rdest --check -j
DROP
iptables v1.2.7a: Unknown arg `--check'

    OK, seems recent module doesnt have the --check option despite the 1st
rule error message :) Watching 'iptables -m recent --help' i think I should
be using --rcheck .... let's try ....

iptables -A OUTPUT -m recent --seconds 60 --name
bullshit --rdest --rcheck -j DROP

    And it works !! :))

    Stephen, thanks very much for your help and, just in case, please
correct the error message ( --check to --rcheck stuff ).

    Sincerily,
    Leonardo Rodrigues

----- Original Message -----
From: "Stephen Frost" <sfrost@snowman.net>
To: "Leonardo Rodrigues ( listas )" <leolistas@solucoesip.net>
Cc: "netfilter ML" <netfilter@lists.samba.org>
Sent: Saturday, January 25, 2003 4:21 PM
Subject: Re: question on recent module


> * Leonardo Rodrigues ( listas ) (leolistas@solucoesip.net) wrote:
> >
> >     It's really not clear for me :) Could you give an example rule of
how an
> > destination address could be checked with recent module in an OUTPUT
rule
> > for example ? This is my situation ..... i want ALL packets whose
> > destination was matched for the last 60 seconds in a recent list called
> > 'bullshit'.
> >
> > iptables -A OUTPUT -m recent --seconds 60 --name bullshit
??????????????? -j
> > DROP
>
> --rdest for the rule above, that's it.  Note that something else needs
> to actually populate that table, but I think you've got that figured out
> already...

Re: question on recent module

[Stephen Frost]

[-- Attachment #1: Type: text/plain, Size: 422 bytes --]

* Leonardo Rodrigues ( listas ) (leolistas@solucoesip.net) wrote:
>     And it works !! :))

Great!

>     Stephen, thanks very much for your help and, just in case, please
> correct the error message ( --check to --rcheck stuff ).

Oh, many thanks.  It used to be --check until I changed it because
something else used that (or some such, as I recall).  I must have
missed it there.  Fixed in my local version.

	Stephen

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]