
I am using the iptables recent match for my work as it saves IP addresses and their last-seen value, which I require.

But now I need to remove some entries from the iptables recent list, and those entries are in an ipset. Can anyone tell me whether it is possible or not? And if yes, then how can I do it?

Alexis Wilke
Vinay Tiwary

1 Answer

You can remove within iptables rules with:

... -m recent --remove ...

e.g. to remove entries with less than 5 packets / hour:

-A TEST -m recent --rcheck --seconds 3600 --hitcount 5 --rsource -j RETURN
-A TEST -m recent --remove

The first rule matches source IPs with >= 5 pkts/hour and leaves the TEST chain via the RETURN target. The second rule removes the not-matched / not-filtered packets (with a rate below 5 pkts/hour) from the default recent list.

You can remove from userland with:

echo -addr >/proc/net/xt_recent/DEFAULT
          to remove addr from the DEFAULT list
echo / >/proc/net/xt_recent/DEFAULT
          to flush the DEFAULT list (remove all entries).

e.g. to remove IP 192.168.4.7 from the default recent list:

echo -192.168.4.7 >/proc/net/xt_recent/DEFAULT

see also:

Michael Brux
  • Since there is `-A TEST -m recent --remove`, there is no match to the RETURN rule, why? – EdiD Feb 04 '18 at 14:45
  • @EdiD The `-m recent` often requires a special chain to do a test and return or drop as shown here. The one rule with `-j RETURN` will prevent the remove from happening. The rule without a `-j` never stops processing. Processing continues on the next line. If in a chain, it will automatically return anyway. – Alexis Wilke Oct 14 '22 at 13:08
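One way to do what the question asks with the userland interface from this answer: read the members of an ipset and write a `-ADDR` line for each into the recent list's proc file. This is an added example, not part of the original post or of the iptables/ipset projects; the set name BLOCKED and the list name DEFAULT are placeholders, and members given in CIDR form are skipped because xt_recent only holds single addresses.

```shell
#!/bin/sh
# Prune an xt_recent list of every address currently held in an ipset.
# Usage (root): sh prune-recent.sh BLOCKED DEFAULT
#   BLOCKED = ipset name (placeholder), DEFAULT = /proc/net/xt_recent/<list>
set -eu

# Print the members of an ipset, one per line, from "ipset list NAME"
# output supplied on stdin. Only the first column is kept, so entries
# such as "10.0.0.5 timeout 120" become "10.0.0.5". CIDR members are
# reported on stderr and skipped: the recent table holds single hosts.
ipset_members() {
    awk '
        /^Members:/ { in_members = 1; next }
        in_members && NF {
            if ($1 ~ /\//) { print "skip (not a host): " $1 > "/dev/stderr"; next }
            print $1
        }'
}

# Remove each address read on stdin from the recent list at path $1.
# The kernel accepts one command per write: "-ADDR" removes, "+ADDR"
# adds, "/" flushes. Prints the number of addresses written.
recent_remove_each() {
    target=$1
    count=0
    while IFS= read -r addr; do
        # printf, not echo: a leading "-" must never be parsed as an option
        printf -- '-%s\n' "$addr" >> "$target"
        count=$((count + 1))
    done
    echo "$count"
}

# Live pipeline: ipset listing -> host addresses -> proc file writes.
prune_recent_from_ipset() {
    set_name=$1
    recent_path=$2
    ipset list "$set_name" | ipset_members | recent_remove_each "$recent_path"
}

if [ $# -ge 2 ]; then
    removed=$(prune_recent_from_ipset "$1" "/proc/net/xt_recent/$2")
    echo "removed $removed address(es) from recent list $2"
fi
```

Verify afterwards with `cat /proc/net/xt_recent/DEFAULT`, which lists the entries that remain.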