
Let's say I have the following rules:

    iptables -P INPUT DROP
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m recent --set --name counting1 --rsource
    iptables -A INPUT -m recent --update --seconds 60 --hitcount 2 --name counting1 --rsource -j LOG --log-prefix "SSH  ataque "
    iptables -A INPUT -m recent --update --seconds 60 --hitcount 2 --name counting1 --rsource -j RETURN
    iptables -A INPUT -j ACCEPT

I have read the manual but I still don't understand exactly in which cases either the --rcheck or the --update option is preferred... does update mean that the hitcount is reset to 0 and that the 60 seconds (as in the above example) restart?

Please bear in mind that these rules are only an example to illustrate this question.

sebelk

2 Answers

From the man page of iptables:

   [!] --rcheck
          Check if the source address of the packet is  currently  in  the
          list.

   [!] --update
          Like  --rcheck,  except it will update the "last seen" timestamp
          if it matches.

So, using update will not reset the hitcount, it will (re)set the last seen timestamp. The following is said about --seconds:

   --seconds seconds
          This  option must be used in conjunction with one of --rcheck or
          --update. When used, this will narrow the match to  only  happen
          when  the  address  is  in the list and was seen within the last
          given number of seconds.

That means using --rcheck makes the rule match only during the time interval specified in the rule (e.g. with --seconds), while using --update extends the time interval during which the rule is matched if matching packets are encountered during the interval.

So, if there is a matching packet every 45 secs, the example rules shown in the question will keep on logging the packets and returning from the chain. OTOH, if --rcheck had been used, every second packet would not be matched (as the 60 sec interval for two matching packets would have expired).

zagrimsan

Did not test that -- but looking at the source, I would suspect the example to work this way:

  1. --set adds the ip address and increases the hitcount;
  2. the first "LOG" --update checks if the hitcount is 2 or more and increases it, if so;
  3. the next "RETURN" --update tests it again and again increases it, if matched.

So for any new matching packet:
  • if there were no hits before -- we pass, and the hitcount gets increased to 1;
  • if there was 1 recent hit -- we stop, and the hitcount is increased by 3 and becomes 4.

On the other hand, --rcheck would not have increased the hitcount, so it would have been increased only by --set once, and then checked by each following rule:

  • for no previous hits -- same as before;
  • for one previous hit -- --set increases the recent hitcount, and we are stopped; the resulting recent hitcount is 2.

In conclusion -- I would probably go as follows:
  • use --set after --update or --rcheck;
  • use --rcheck for LOG rules;
  • use --update for DROP/ACCEPT/RETURN rules.

Hope that helps.

ジョージ
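To make the two answers' reasoning concrete, here is a small Python model of the recent module's per-address hit list, added here as an illustration (it is not code from the question, the answers or the kernel; `RecentList`, `question_chain`, `run_question_chain`, `ban_list` and the sample addresses are my own names and constructed inputs). It replays the question's chain with either option and then a separate ban-list rule where the "last seen" refresh of --update changes which packets match.

```python
from collections import defaultdict

# Model of the xt_recent per-address hit list as I understand the kernel module (it keeps
# the last ip_pkt_list_tot stamps, default 20); an illustration, not kernel code.
IP_PKT_LIST_TOT = 20

class RecentList:
    """One --name list: source address -> timestamps (seconds) of its recorded hits."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: list the address, or record another hit if it is already listed
        self.stamps[src].append(now)
        del self.stamps[src][:-IP_PKT_LIST_TOT]

    def hits(self, src):
        return len(self.stamps[src])

    def check(self, src, now, seconds, hitcount, update):
        # --rcheck / --update: match when the address is listed and has at least
        # `hitcount` (minimum 1) hits within the last `seconds` (0 = no time limit);
        # --update additionally records a fresh hit, which refreshes "last seen"
        if src not in self.stamps:
            return False
        recent = [t for t in self.stamps[src] if seconds == 0 or now - t <= seconds]
        matched = len(recent) >= max(hitcount, 1)
        if matched and update:
            self.set(src, now)
        return matched

def question_chain(lst, src, now, update):
    """One new SSH packet through the question's chain: --set, the LOG rule (chain
    continues), the RETURN rule, else the final ACCEPT. Returns (verdict, logged)."""
    lst.set(src, now)
    logged = lst.check(src, now, 60, 2, update)
    verdict = "RETURN" if lst.check(src, now, 60, 2, update) else "ACCEPT"
    return verdict, logged

def run_question_chain(times, update, src="203.0.113.5"):
    """Verdicts for packets at the given times, plus src's final hit count."""
    lst = RecentList()
    return [question_chain(lst, src, t, update) for t in times], lst.hits(src)

def ban_list(times, seconds, update, src="198.51.100.7"):
    """An address listed once at t=0 by some other --set rule, then tested by a rule like
    `-m recent --rcheck|--update --seconds N -j DROP`; True means that packet is dropped."""
    banned = RecentList()
    banned.set(src, 0)
    return [banned.check(src, t, seconds, 0, update) for t in times]
```

With the question's chain, a second packet 45 s after the first is returned from the chain under both options; only the recorded hit count differs (4 with --update, 2 with --rcheck). In the ban-list case, --update keeps dropping an address that keeps sending every 60 s, while --rcheck stops dropping it 60 s after it was listed.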