Question about the iptables recent module
This is an example written by the author of the recent module; the full text is at: http://snowman.net/projects/ipt_recent/
I have stared at this example for a long time and still cannot work out what it means, so I would be grateful for any explanation.
# iptables -A FORWARD -d 192.168.1.1/32 -p tcp --dport 25 -m recent --set --rsource --name SMTP_RELAY_IN -j ACCEPT
# iptables -A FORWARD -d 192.168.1.1/32 -p tcp --dport 113 -m recent --rcheck --rsource --seconds 15 --name SMTP_RELAY_OUT -j ACCEPT
# iptables -A FORWARD -s 192.168.1.1/32 -p tcp --dport 25 -m recent --set --rdest --name SMTP_RELAY_OUT -j ACCEPT
# iptables -A FORWARD -s 192.168.1.1/32 -p tcp --dport 113 -m recent --rcheck --rdest --seconds 15 --name SMTP_RELAY_IN -j ACCEPT
Questions:
1. What do these rules ultimately achieve?
2. What do the --rsource and --rdest parameters mean? I cannot find them in the man page either.
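To make the effect of the four rules concrete, here is an added simulation (not code from the original post or from the ipt_recent project) of the recent-module bookkeeping they perform: each rule is modelled as a match on source/destination/port, a list action (--set or --rcheck), the tracked address (--rsource or --rdest), a list name and a --seconds window, and a constructed packet trace is run through them. The remote address 203.0.113.7 and the timestamps are assumed sample values; all packets are taken to be TCP, and a packet no rule accepts is reported as falling through to the chain policy.

```python
MAIL_HOST = "192.168.1.1"

# The four FORWARD rules from the post, one dict each (field order matches the rules).
RULES = [
    dict(dst=MAIL_HOST, dport=25,  action="set",    addr="rsource", name="SMTP_RELAY_IN",  seconds=None),
    dict(dst=MAIL_HOST, dport=113, action="rcheck", addr="rsource", name="SMTP_RELAY_OUT", seconds=15),
    dict(src=MAIL_HOST, dport=25,  action="set",    addr="rdest",   name="SMTP_RELAY_OUT", seconds=None),
    dict(src=MAIL_HOST, dport=113, action="rcheck", addr="rdest",   name="SMTP_RELAY_IN",  seconds=15),
]

def evaluate(packets):
    """packets: list of (time_s, src, dst, dport). Returns one verdict per packet."""
    tables = {}  # recent list name -> {tracked address: last seen time}
    verdicts = []
    for t, src, dst, dport in packets:
        verdict = "fall-through"
        for r in RULES:
            # A rule without an explicit src/dst matches any value for that field.
            if r.get("src", src) != src or r.get("dst", dst) != dst or r["dport"] != dport:
                continue
            addr = src if r["addr"] == "rsource" else dst   # --rsource vs --rdest
            table = tables.setdefault(r["name"], {})
            if r["action"] == "set":
                table[addr] = t          # --set: add or refresh the entry; always matches
                verdict = "ACCEPT"
                break
            last = table.get(addr)       # --rcheck --seconds N: entry seen less than N s ago
            if last is not None and t - last < r["seconds"]:
                verdict = "ACCEPT"
                break
        verdicts.append(verdict)
    return verdicts

REMOTE = "203.0.113.7"   # constructed remote mail server address
SAMPLE = [
    (0,  REMOTE,    MAIL_HOST, 25),   # remote delivers mail: rule 1 records REMOTE in SMTP_RELAY_IN
    (2,  MAIL_HOST, REMOTE,    113),  # our host ident-queries the sender within 15 s: rule 4 accepts
    (3,  REMOTE,    MAIL_HOST, 113),  # unsolicited ident from remote: no SMTP_RELAY_OUT entry
    (20, MAIL_HOST, REMOTE,    113),  # 20 s after the SMTP connection: window expired
    (30, MAIL_HOST, REMOTE,    25),   # our host sends mail out: rule 3 records REMOTE in SMTP_RELAY_OUT
    (35, REMOTE,    MAIL_HOST, 113),  # remote ident-queries us within 15 s: rule 2 accepts
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(pkt, "->", verdict)
```

The trace shows the intent: ident (port 113) lookups are only let through in the reverse direction of an SMTP connection that the same peer opened within the previous 15 seconds.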
Comments (5)
man iptables:
recent
Allows you to dynamically create a list of IP addresses and then match against that list in a few different ways.
For example, you can create a "badguy" list out of people attempting to connect to port 139 on your firewall and
then DROP all future packets from them without considering them.
--name name
Specify the list to use for the commands. If no name is given then DEFAULT will be used.
[!] --set
This will add the source address of the packet to the list. If the source address is already in the list,
this will update the existing entry. This will always return success (or failure if ! is passed in).
--rsource
Match/save the source address of each packet in the recent list table. This is the default.
--rdest
Match/save the destination address of each packet in the recent list table.
[!] --rcheck
Check if the source address of the packet is currently in the list.
[!] --update
Like --rcheck, except it will update the "last seen" timestamp if it matches.
[!] --remove
Check if the source address of the packet is currently in the list and if so that address will be removed
from the list and the rule will return true. If the address is not found, false is returned.
[!] --seconds seconds
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the
match to only happen when the address is in the list and was seen within the last given number of seconds.
[!] --hitcount hits
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the
match to only happen when the address is in the list and packets had been received greater than or equal to
the given value. This option may be used along with --seconds to create an even narrower match requiring a
certain number of hits within a specific time frame.
Isn't that perfectly clear!?
Thanks wendaozhe
My man page really doesn't have these two parameters, which is very strange.
[attachment: 未命名图片.png, uploaded 2009-12-07 21:55]
Maybe your version of recent is too old
Or maybe the recent module and the man page versions don't correspond
Reply to #1 comcn2
I have never really understood the usage the OP posted! Could someone explain it?
What is there not to understand? The recent module is used to limit the number of connections; it can limit how many times a single IP/subnet may connect within a unit of time
--rsource and --rdest denote the source address and the destination address respectively