Ubuntu: Iptables rule matching



Question:

There is a BAN chain with this rule:

-A BAN -m recent --name ping --rcheck --seconds 5 --hitcount 3 --rsource -j RETURN

It will match when there are 2 pings in 5 seconds, but if I add a rule that removes addresses from the ping list which didn't match this upper rule, it will never match. Why?

-A BAN -m recent --name ping --remove


Solution:1

Since your first rule doesn't trigger until the third time it has been traversed and your second rule deletes the table entry entirely, the first rule will only ever observe what it thinks is the first packet from that IP address.

Do not use the "remove" rule, and the "ping" table will be managed just fine.

EDIT: Here is one way to use iptables and the recent module to have a different ban time than the time to become banned. I have used 5 pings in 10 seconds as the ban criteria and only 120 seconds ban time (just to make it easier to check).

#!/bin/sh
FWVER=0.01
#
# ping_then_block Smythies 2018.02.05 Ver:0.01
#       An iptables recent module example of how to make the
#       ban time differ from the time to become banned.
#
#       See here:
#       https://askubuntu.com/questions/1002958/iptables-rule-matching
#
#       run as sudo
#

echo "Loading ping_then_block $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)
EXTIF="enp9s0"
EXTIP="192.168.111.104"
NETWORK="192.168.111.0/24"

UNIVERSE="0.0.0.0/0"

#Clearing any previous configuration
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# Otherwise, I can not seem to delete it later on
$IPTABLES -F ping-check
$IPTABLES -F ping-ban
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# ping-ban
#
# An ICMP echo request packet source IP address needs to be added to
# the bad guy list
#
# Custom tables must exist before being referenced, hence the order
# of these sub-routines.
#
$IPTABLES -N ping-ban

$IPTABLES -A ping-ban -m recent --update --hitcount 1 --seconds 120 --name PING_BAN -j DROP
$IPTABLES -A ping-ban -m recent --set --name PING_BAN
$IPTABLES -A ping-ban -j DROP

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# ping-check
#
# An ICMP echo request packet has arrived and the source IP
# address is either not on the bad guy list, or is but the penalty
# period criteria has been met.
#
# Check if the IP needs to be added to the bad guy list, and
# drop it if it does.
#
# Custom tables must exist before being referenced, hence the order
# of these sub-routines.
#
$IPTABLES -N ping-check

$IPTABLES -A ping-check -m recent --update --hitcount 5 --seconds 10 --name PING_TABLE -j ping-ban
$IPTABLES -A ping-check -m recent --set --name PING_TABLE
$IPTABLES -A ping-check -j ACCEPT

#
# If you are on the bad guy list, then you are banned.
#
$IPTABLES -A INPUT -i $EXTIF -m recent --update --seconds 120 --name PING_BAN -j LOG --log-prefix "BANPING:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --seconds 120 --name PING_BAN -j DROP

#
# All ICMP? Or just ECHO requests?
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP --icmp-type echo-request -s $UNIVERSE -d $EXTIP -j ping-check

$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -m state --state ESTABLISHED,RELATED -j ACCEPT

echo ping_then_block rule set version $FWVER done.
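Added example, not part of the answer above or of the asker's rules: a small Python model of the bookkeeping that iptables' recent match (xt_recent) does for --set, --rcheck, --update and --remove, used to replay offline both the asker's BAN chain (why the --remove rule stops the --rcheck rule from ever matching) and the ping_then_block rule set (why the ban lasts 120 seconds while the trigger window is 10 seconds). The assumptions are: some rule records the source with --set --name ping before the BAN chain is reached, which the question does not show; timestamps are plain seconds; the ESTABLISHED,RELATED rule and the default ACCEPT policy both end in an accept; and the sample trace of packets is constructed here.

```python
# Model of the iptables `recent` match, written for this example (not kernel
# code): one table maps a source address to the timestamps of its packets.
MAX_STAMPS = 20  # kernel default ip_pkt_list_tot: stamps kept per address


class RecentTable:
    def __init__(self):
        self.entries = {}  # src -> list of timestamps, oldest first

    def match(self, src, now, mode, seconds=0, hitcount=0):
        """Evaluate one `-m recent` rule; mode is set, rcheck, update or remove.
        --set always matches and records a stamp; --remove matches if the
        address was listed; --rcheck/--update match when at least `hitcount`
        stamps fall inside the last `seconds` (0 = no limit), and --update
        also records a stamp on a match."""
        stamps = self.entries.get(src)
        if stamps is None:
            if mode != "set":
                return False  # unknown address: only --set can match
            self.entries[src] = [now]
            return True
        if mode == "set":
            self._stamp(stamps, now)
            return True
        if mode == "remove":
            del self.entries[src]
            return True
        hits = 0
        for t in stamps:
            if seconds and t < now - seconds:
                continue  # stamp is older than the window
            hits += 1
            if not hitcount or hits >= hitcount:
                if mode == "update":
                    self._stamp(stamps, now)
                return True
        return False

    @staticmethod
    def _stamp(stamps, now):
        stamps.append(now)
        if len(stamps) > MAX_STAMPS:
            del stamps[0]  # ring buffer: the oldest stamp is overwritten


def ban_chain(times, seconds=5, hitcount=3, with_remove=True):
    """Replay the asker's BAN chain for pings from one source at `times`.
    Assumed: the source is --set into the 'ping' table before BAN runs.
    Returns the 1-based packet numbers on which the --rcheck rule matched."""
    table, matched = RecentTable(), []
    for n, now in enumerate(times, 1):
        table.match("src", now, mode="set")  # assumption, see above
        if table.match("src", now, mode="rcheck", seconds=seconds, hitcount=hitcount):
            matched.append(n)  # -j RETURN
            continue
        if with_remove:
            table.match("src", now, mode="remove")  # entry is gone again
    return matched


def ping_then_block(packets, ban_seconds=120, hits=5, window=10):
    """Replay the ping_then_block INPUT/ping-check/ping-ban rules over
    (time, src, proto) packets and return one verdict per packet."""
    ping_table, ping_ban, verdicts = RecentTable(), RecentTable(), []
    for now, src, proto in packets:
        # INPUT: a listed source is logged, then dropped (two --update rules)
        if ping_ban.match(src, now, mode="update", seconds=ban_seconds):
            ping_ban.match(src, now, mode="update", seconds=ban_seconds)
            verdicts.append("DROP(banned)")
        elif proto == "icmp-echo":  # -j ping-check
            if ping_table.match(src, now, mode="update", seconds=window, hitcount=hits):
                # ping-ban: refresh an existing entry or create one, then DROP
                if not ping_ban.match(src, now, mode="update", seconds=ban_seconds, hitcount=1):
                    ping_ban.match(src, now, mode="set")
                verdicts.append("DROP(ban-start)")
            else:
                ping_table.match(src, now, mode="set")
                verdicts.append("ACCEPT")
        else:
            verdicts.append("ACCEPT(policy)")  # state rule / default policy
    return verdicts


# Constructed trace: host A pings once a second, host B pings once, A keeps
# talking while banned, and A returns long after the ban has expired.
SAMPLE_TRACE = [
    (0, "A", "icmp-echo"), (1, "A", "icmp-echo"), (2, "A", "icmp-echo"),
    (3, "B", "icmp-echo"), (3, "A", "icmp-echo"), (4, "A", "icmp-echo"),
    (5, "A", "icmp-echo"), (6, "A", "icmp-echo"), (10, "A", "tcp"),
    (30, "B", "tcp"), (200, "A", "icmp-echo"),
]

if __name__ == "__main__":
    print("BAN chain with --remove:", ban_chain([0, 1, 2, 3]))
    print("BAN chain without --remove:", ban_chain([0, 1, 2, 3], with_remove=False))
    for pkt, verdict in zip(SAMPLE_TRACE, ping_then_block(SAMPLE_TRACE)):
        print(pkt, "->", verdict)
```

Two things the replay makes visible that the rules alone do not: the ping-check --update rule counts the stamps recorded by the --set rule for earlier packets, so with `--hitcount 5 --seconds 10` it is the sixth echo request inside the window that is the first one dropped; and because the INPUT rules use --update, every packet from a listed source refreshes its stamp, so the 120-second ban is measured from the last packet seen, not from the moment the ban started. A host that keeps sending stays banned until it goes quiet for 120 seconds.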
