#StackBounty: #iptables #firewall iptables recent module: remove entries older than

Bounty: 150

I am using iptables recent module:

-A INPUT -m recent --rsource --name PORTSCAN --set -j DROP

The above line adds offending IP addresses to /proc/net/xt_recent/PORTSCAN.

Now I am looking for a way to periodically (via a cron job) check this list, and remove entries that are older than n hours.

I am using the option xt_recent.ip_pkt_list_tot=1 with recent. That means I don't keep multiple times when a packet was seen; I only keep the last time a packet was seen.

So the list /proc/net/xt_recent/PORTSCAN looks like this:

src= ttl: 240 last_seen: 4312349727 oldest_pkt: 1 4312349727
src= ttl: 57 last_seen: 4312673918 oldest_pkt: 1 4312673918
src= ttl: 57 last_seen: 4312086204 oldest_pkt: 1 4312086204

How can I periodically "purge" this list, so that I only keep entries that are less than n hours old?

Does iptables provide some way to do this? Or does this have to be done with some custom script?
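An added example (not from the question or any answer): a Python purge script that parses the list format shown above and removes entries whose last_seen is older than n hours. It assumes the kernel's HZ value is known (last_seen is in kernel jiffies, not seconds), reads the current jiffies from /proc/timer_list as root, and uses constructed TEST-NET addresses in its sample.

```python
import re

# One /proc/net/xt_recent/<name> line in the format shown in the question. With
# ip_pkt_list_tot=1 there is one trailing stamp; longer stamp lists also match.
LINE_RE = re.compile(
    r"src=(\S+)\s+ttl:\s*(\d+)\s+last_seen:\s*(\d+)\s+oldest_pkt:\s*(\d+)((?:\s+\d+)*)$"
)

# Constructed sample (TEST-NET addresses; the question's listing has them blanked).
SAMPLE = (
    "src=192.0.2.10 ttl: 240 last_seen: 4312349727 oldest_pkt: 1 4312349727\n"
    "src=192.0.2.20 ttl: 57 last_seen: 4312673918 oldest_pkt: 1 4312673918\n"
    "src=192.0.2.30 ttl: 57 last_seen: 4310000000 oldest_pkt: 1 4310000000\n"
)

def parse_xt_recent(text):
    """Return [(ip, last_seen_jiffies), ...] for every well-formed line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), int(m.group(3))))
    return entries

def stale_entries(text, now_jiffies, hz, max_age_hours):
    """IPs whose last_seen lies more than max_age_hours before now_jiffies."""
    # last_seen is the kernel jiffies counter, so the age is converted with the
    # kernel HZ (CONFIG_HZ), not with USER_HZ as reported by getconf CLK_TCK.
    max_age = max_age_hours * 3600 * hz
    return [ip for ip, seen in parse_xt_recent(text) if now_jiffies - seen > max_age]

def current_jiffies():
    """Read the live jiffies counter from /proc/timer_list (assumed: run as root)."""
    with open("/proc/timer_list") as f:
        for line in f:
            if line.startswith("jiffies:"):
                return int(line.split()[1])
    raise RuntimeError("no 'jiffies:' line in /proc/timer_list")

def purge(name, hz, max_age_hours):
    """Delete stale entries from the list `name`; returns the IPs removed."""
    path = f"/proc/net/xt_recent/{name}"
    with open(path) as f:
        stale = stale_entries(f.read(), current_jiffies(), hz, max_age_hours)
    for ip in stale:
        # xt_recent takes one command per write(): "-<ip>" removes that entry.
        with open(path, "w") as f:
            f.write(f"-{ip}\n")
    return stale
```

The recent match can also age entries itself: a rule using `--rcheck --seconds N --reap` purges entries older than N seconds whenever it is evaluated, which avoids the cron job entirely.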
