[CentOS] Problems with IPTABLES recent module.

Barry Brimer lists at brimer.org
Fri Jan 8 20:52:53 UTC 2010


Quoting "James B. Byrne" <byrnejb at harte-lyne.ca>:

> I went to reload (iptables-restore) my iptables configuration and
> obtained an error at the COMMIT statement.  No further details were
> provided even when I ran restore with the -v option.
>
> I determined that none of my backed up configuration files going
> back to October will load either.  This is more than passing strange
> because I altered and uploaded the iptables configuration on this
> host several times in December alone.  These alterations certainly
> applied without error at the time.
>
> Through painful trial and error (it is a fairly large configuration)
> I discovered that I cannot add any rule using the __recent__ module.
>  Adding a single rule referencing that module inevitably results in
> a load error reported at the following COMMIT statement.  An example
> of an actual rule that fails follows:
>
> .  .  .
> :BRUTE_FORCE - [0:0]
> .  .  .
> -A BRUTE_FORCE -p tcp -m tcp -m state -m recent --set -i eth0
> --dport 22 --state NEW
> -A BRUTE_FORCE -m comment -j RETURN --comment "Return to calling chain"
> COMMIT
>
> Perhaps I am missing something obvious but as far as I can determine
> the rule using the recent module should simply add all traffic
> coming in over i/f eth0 consigned to port 22 on any ip-addr to the
> DEFAULT list.  I do not expect it to give an error.  If I remove
> this statement then the iptables file loads without error.
>
> An interesting thing happens if I simply add a trailing -j to the
> end of recent module rule above.  It fails with this specific error:
>
> -c packet counter not numeric
>
> Does anyone see what I am doing wrong?

I don't think you need the -m state ..

>From the iptables man page ...

              # iptables -A FORWARD -m recent --name badguy --rcheck --seconds
              60 -j DROP

              # iptables -A FORWARD -p tcp  -i  eth0  --dport  139  -m  recent
              --name badguy --set -j DROP

Barry


More information about the CentOS mailing list