Iptables – How does iptables –hitcount collect its values

iptables

Im looking at SSH bruteforce prevention with iptables recent module.

I would like to know how does the –hitcount collect the value that it will use? Is it bytes, packets, no. of conntracked items or something else?

thanks!

Jonathan

Best Answer

--rcheck --hitcount checks the value of an internal counter which is incremented by one for each hit on a -m recent --set (or --update) rule of the same --name. Rules are evaluated in the context of packets, so the number of packets is the tracked quantity. This from the man page for iptables on my CentOS 6 system:

   --hitcount hits
[...] When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value.

Related Solutions

Iptables “recent” module – setting module parameters

If you load the module by hand, you just add it to the modprobe command line:

modprobe ipt_recent param1=val1 param2=val2

Otherwise, if it's being loaded automatically, you can create a file in /etc/modprobe.d, say /etc/modprobe.d/ipt_recent, with contents of:

options ipt_recent param1=val1 param2=val2

Which will do the same thing as the modprobe line above.

Linux – How to log all traffic with its exact length

tcpdump isn't guaranteed to process all packets. There's some buffering, but if the rate of packets crossing the network interface is faster than the rate at which your CPU can run them through tcpdump, the kernel starts dropping packets. The higher the demand on the CPU, and the higher the network traffic rate, the higher the propensity for dropping (it's impossible to be specific, you'll have to test this on your systems to find out where the drop threshold is).
Offhand, I don't know.

As for better ways, the term you want is "traffic accounting". This is built into IPTables, so any modern Linux distro should support it out-of-the-box. In short, a few simple "pass-through" IPTables rules can give you the total bytes transfered, in real time, for just about any specified traffic types (broken down by proto, port, IP, etc., or not) that you want.

There's a great walk-through, with specific commands, here: http://www.catonmat.net/blog/traffic-accounting-with-iptables

This should be much more lightweight and reliable than tcpdump, since Netfilter handles it entirely in the kernel, and the kernel has the packet length info, anyway.

Best Answer

Related Solutions

Iptables “recent” module – setting module parameters

Linux – How to log all traffic with its exact length

Related Topic