[CentOS] to filter dos ip using iptables recent

Sun Aug 16 10:55:46 UTC 2009
Ned Slider <ned at unixmail.co.uk>

MontyRee wrote:
> Hello, all.
>  
> I read this document about iptables recent module.
> http://blog.andrew.net.au/2005/02/16#ipt_recent_and_ssh_attacks
>  
> and I would like to filter the excessive spam mail sending ip address by iptables recent module.
> and some questions.
>  
> iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set --name SPAM
> iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SPAM -j DROP
> 
>  
> If I set like above, 
>  
> I can't understand the meaning of the hitcount.
> Does it mean the number of packets, sessions or connections?
>  

Maybe the manpage will help:

--hitcount hits
This option must be used in conjunction with one of --rcheck or
--update. When used, this will narrow the match to only happen when the
address is in the list and packets had been received greater than or
equal to the given value. This option may be used along with --seconds
to create an even narrower match requiring a certain number of hits
within a specific time frame.

> The above rule means if there are 4 connections in 60 seconds, the IP will be filtered for 60 seconds, right?
>  

Nearly, but there is no timeframe implication on the filtering. It
simply decides whether the given packet matches the rule and takes the
appropriate action. The timeframe comes from whether (or not) there have
been 4 or more connection attempts from that IP in the previous 60 seconds.

> If some IP was filtered, how long will it be filtered? For 60 seconds?
>  

See above - it's the previous 60 second timeframe you are looking at.
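As an added illustration (not part of the original thread or the kernel code), here is a small Python model of how the two rules quoted above decide each SMTP connection attempt. It models the per-address timestamp list, `--set`, and `--update --seconds 60 --hitcount 4`; it ignores `--rttl`, and the connection timeline is constructed.

```python
from collections import defaultdict, deque

# Simplified model of the iptables 'recent' match. Assumptions: each address
# keeps a list of packet timestamps (capped at 20, the ip_pkt_list_tot
# default), --set records a timestamp, and a matching --update records one
# more, as xt_recent does when the rule matches. --rttl is not modelled.
class RecentList:
    def __init__(self, max_stamps=20):
        self.stamps = defaultdict(deque)   # ip -> timestamps, newest first
        self.max_stamps = max_stamps

    def set(self, ip, now):
        q = self.stamps[ip]
        q.appendleft(now)
        while len(q) > self.max_stamps:
            q.pop()

    def update(self, ip, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when the address is listed
        and at least N packets were seen in the previous S seconds."""
        q = self.stamps.get(ip)
        if not q:
            return False
        hits = sum(1 for t in q if now - t <= seconds)
        if hits < hitcount:
            return False
        self.set(ip, now)   # a matching --update stamps the entry again
        return True

def smtp_chain(events, seconds=60, hitcount=4):
    """Apply the two rules from the thread to (time, ip) SYNs in order:
    rule 1 --set --name SPAM, rule 2 --update ... -j DROP; else ACCEPT."""
    table = RecentList()
    verdicts = []
    for now, ip in events:
        table.set(ip, now)
        verdict = "DROP" if table.update(ip, now, seconds, hitcount) else "ACCEPT"
        verdicts.append((now, ip, verdict))
    return verdicts

# Constructed sample: one sender connecting every 10 s, then retrying every
# 25 s while blocked, then pausing for over a minute; a second sender is quiet.
SAMPLE = [(0, "192.0.2.10"), (10, "192.0.2.10"), (20, "192.0.2.10"),
          (30, "192.0.2.10"), (55, "192.0.2.10"), (80, "192.0.2.10"),
          (150, "192.0.2.10"), (150, "192.0.2.20")]

if __name__ == "__main__":
    for t, ip, v in smtp_chain(SAMPLE):
        print(f"t={t:4d}s {ip:12s} {v}")
```

The 4th connection within 60 seconds is dropped, retries while the window is still full keep being dropped, and once no packet has been seen for more than 60 seconds the next connection is accepted again; there is no separate ban timer.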