iptables 'recent' stuff
Derek Atkins
warlord at MIT.EDU
Wed Jul 27 10:53:34 EDT 2005
dsr at tao.merseine.nu writes:
>> If I wanted to only log attempts that result in actual DROPs, how would
>> I implement that?
>
> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
> -m recent --update --seconds 60 --hitcount 4 -j LOG --log-level \
> WARN --log-prefix SSH-TOO-FAST
So something like this in /etc/sysconfig/iptables would do what I
wanted?
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j LOG --log-level WARN --log-prefix SSH-TOO-FAST
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j REJECT --reject-with icmp-host-prohibited
Won't this double-update the count, or even triple-update as 'set' will
update it as well? Or will the --update only affect the hitcount once
per packet? Should the log line be --rcheck instead of --update? Or
should the REJECT line be --rcheck, on the assumption that the log
line updated the hitcount? Or should both the log and reject lines
use --rcheck?
Question: is there some way to have a rule that if one 'recent'
check passed then I can set another one? E.g., I'd like to be able
to do something like:
if packet matches XX, set badguy
if packet matches YY, set badguy if YY-hitcount >= 4
if packet matches ZZ, set badguy if ZZ-hitcount >= 6
if badguy, drop
I just don't know if you can have multiple "recent name" settings like
this?
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
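To see what the posted rules actually do to the hit count, here is a small Python model of the recent match. It is an added example, not part of the message and not code from iptables; it follows the behaviour documented for -m recent (--set always records a timestamp for the source address, --rcheck only tests the list, --update tests and records a new timestamp only when the test matched), evaluates the matches of a rule left to right and stops at the first failure, and treats LOG as non-terminating. It also shows the 'badguy' idea from the message by putting two -m recent clauses in one rule, which iptables accepts. The list names, addresses and timings are constructed for the example; the real module works in jiffies and keeps at most ip_pkt_list_tot stamps per address, which the model only approximates.

```python
"""Toy model of the iptables 'recent' match (--set / --rcheck / --update
with --seconds and --hitcount). Added example; names, addresses and
timestamps are constructed, not taken from the original message."""

from collections import defaultdict

PKT_LIST_TOT = 20  # kernel default ip_pkt_list_tot: stamps kept per address


class RecentTables:
    """All named 'recent' lists, keyed by --name, then by source address."""

    def __init__(self):
        self.tables = defaultdict(dict)

    def match(self, name, addr, now, op, seconds=0, hitcount=0):
        """Evaluate one -m recent clause for a packet from addr seen at 'now'.
        Returns the match result and applies the side effect of op."""
        table = self.tables[name]
        stamps = table.get(addr)
        if stamps is None:
            if op != "set":            # rcheck/update never create entries
                return False
            table[addr] = [now]        # --set on an unknown address: new entry
            return True
        if op == "set":
            matched = True
        else:                          # rcheck or update: count hits in window
            hits = 0
            matched = False
            for stamp in stamps:
                if seconds and now - stamp > seconds:
                    continue           # older than --seconds, ignored
                hits += 1
                if not hitcount or hits >= hitcount:
                    matched = True
                    break
        if op == "set" or (op == "update" and matched):
            stamps.append(now)         # --set always, --update only on match
            del stamps[:-PKT_LIST_TOT]  # ring buffer: oldest stamps fall off
        return matched

    def stamps(self, name, addr):
        return list(self.tables[name].get(addr, []))


def run_chain(chain, tables, addr, now):
    """Walk a chain for one packet. A rule is (matches, target); each match is
    (name, op, seconds, hitcount). Matches are tested in order and stop at
    the first failure, so a later --set in the same rule is then skipped.
    LOG and a missing target (no -j) are non-terminating."""
    verdicts = []
    for matches, target in chain:
        if all(tables.match(n, addr, now, op, s, h) for n, op, s, h in matches):
            if target is None:
                continue
            verdicts.append(target)
            if target != "LOG":
                break
    return verdicts


def simulate(chain, packets):
    """Feed (time, addr) packets through chain; return (tables, verdict log)."""
    tables = RecentTables()
    log = [(t, addr, run_chain(chain, tables, addr, t)) for t, addr in packets]
    return tables, log


# The three rules from the message: --set, then --update for LOG and REJECT.
POSTED = [
    ([("ssh", "set", 0, 0)], None),
    ([("ssh", "update", 60, 4)], "LOG"),
    ([("ssh", "update", 60, 4)], "REJECT"),
]
# Same rules with --rcheck on the LOG and REJECT lines.
RCHECK = [
    ([("ssh", "set", 0, 0)], None),
    ([("ssh", "rcheck", 60, 4)], "LOG"),
    ([("ssh", "rcheck", 60, 4)], "REJECT"),
]
# The 'badguy' idea: a YY counter promotes the address into a second list.
#   -m recent --name yy --set
#   -m recent --name yy --rcheck --seconds 60 --hitcount 4 -m recent --name badguy --set
#   -m recent --name badguy --rcheck --seconds 600 -j DROP
BADGUY = [
    ([("yy", "set", 0, 0)], None),
    ([("yy", "rcheck", 60, 4), ("badguy", "set", 0, 0)], None),
    ([("badguy", "rcheck", 600, 0)], "DROP"),
]

# Constructed traffic: six SYNs in six seconds from one address, two from another.
SYNS = [(t, "192.0.2.10") for t in range(6)] + [(2, "192.0.2.20"), (40, "192.0.2.20")]

if __name__ == "__main__":
    for label, chain in (("posted", POSTED), ("rcheck", RCHECK), ("badguy", BADGUY)):
        tables, log = simulate(chain, SYNS)
        print(label)
        for t, addr, verdicts in log:
            print(f"  t={t:2d} {addr} -> {verdicts or ['fall through']}")
        name = "badguy" if chain is BADGUY else "ssh"
        print(f"  stamps for 192.0.2.10 in '{name}':", tables.stamps(name, "192.0.2.10"))
```

Running it shows the difference the message asks about: with --update on both the LOG and REJECT lines, the chain records three stamps per SYN once the threshold is reached (one from --set and one from each matching --update), so a client that keeps retrying keeps extending its own window; with --rcheck on those lines only the --set stamp is recorded. Both variants log and reject starting at the same packet, the fourth within 60 seconds. The badguy chain drops from the fourth YY hit on, and the second address, which never reaches four hits, is never touched.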