Bugzilla – Bug 141173
iptables recent module broken
Last modified: 2006-01-10 15:51:41 UTC
Hi, basically I have the following firewall rules:

    iptables ... ESTABLISHED,RELATED -j ACCEPT
    iptables -m recent --recent update ... -j DROP
    iptables ... -s dmz --some services --some dst -j ACCEPT
    iptables ... -s internal -j ACCEPT
    iptables ... -d non_existing_IP -m recent --recent set -j DROP
    iptables ... -j DROP

If I send out a packet from a host in the DMZ to a non-allowed service or IP, I get an entry in /proc/net/ipt_recent/DEFAULT and all further communication from this host, even the allowed traffic, is blocked. This should NOT happen. In the logfile I see that the last rule (DROP ALL) was hit. Anyway, I get an entry in the recent table, which I have to remove manually. Very strange. Further testing is possible, if needed.
Jiri, could you look into this one, please? Thanks!
This IS the way it is supposed to work. Refer to the documentation, e.g. on http://www.stearns.org/pomlist/0.2.2-output/pom-combined.html#recent The "--recent update" rule will return TRUE, because the IP is on the list (/proc/net/ipt_recent/DEFAULT), will update the info about the IP on the list, and will DROP the packet. It does what it's been designed for -- it blocks all packets from bad guys who tried to scan your network recently. You may want to put the "-s dmz" rule before the "--recent update" rule, or modify your rules in other ways to prevent IPs from your DMZ from being blacklisted this way.
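Added illustration, not part of the bug report and not the ipt_recent code: a small Python model of chain traversal with the recent match's --set and --update actions (those are the real option names; the report's "--recent update" / "--recent set" is shorthand). Addresses, the "allowed service" and the traffic are constructed for the example. It runs the chain once in the order posted in the report and once with the DMZ accept rule moved in front of the blacklist rule, as the reply suggests, and also shows what --seconds does to the penalty.

```python
"""Toy model of iptables chain traversal with the 'recent' match.

Constructed example for the discussion above: simplified packets and rules,
not the reporter's real ruleset and not kernel code.  It models --set,
--update and --seconds only far enough to show why rule order decides
whether a DMZ host that touched the decoy address stays blocked.
"""
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, str]
# A rule is (match predicate, recent action or None, target).
Rule = Tuple[Callable[[Packet], bool], Optional[str], str]


class RecentTable:
    """One 'recent' list (/proc/net/ipt_recent/<name>): source IP -> last hit time."""

    def __init__(self, seconds: Optional[int] = None) -> None:
        self.entries: Dict[str, int] = {}
        self.seconds = seconds  # --seconds: only entries at most this old match

    def apply(self, action: str, ip: str, now: int) -> bool:
        if action == "set":            # --set: always matches, records/refreshes the IP
            self.entries[ip] = now
            return True
        if action in ("update", "rcheck"):
            last = self.entries.get(ip)
            if last is None or (self.seconds is not None and now - last > self.seconds):
                return False           # not listed (or too old): the rule does not match
            if action == "update":     # --update also refreshes the timestamp
                self.entries[ip] = now
            return True
        raise ValueError(action)


def traverse(chain: List[Rule], pkt: Packet, table: RecentTable, now: int) -> str:
    """Return the target of the first rule whose match (and recent action) succeed."""
    for match, recent, target in chain:
        if not match(pkt):
            continue
        if recent is not None and not table.apply(recent, pkt["src"], now):
            continue
        return target
    return "DROP"  # chain policy DROP


# Constructed addresses for the example (hypothetical).
DMZ_HOST, INTERNAL_HOST = "10.1.0.5", "192.168.1.20"
DECOY = "10.1.0.250"               # the report's "non_existing_IP"
ALLOWED_FROM_DMZ = {"mail:25"}     # the "--some services --some dst" part

def established(p: Packet) -> bool: return p["state"] == "ESTABLISHED"
def dmz_allowed(p: Packet) -> bool: return p["src"] == DMZ_HOST and p["dst"] in ALLOWED_FROM_DMZ
def internal(p: Packet) -> bool: return p["src"] == INTERNAL_HOST
def to_decoy(p: Packet) -> bool: return p["dst"] == DECOY
def anything(p: Packet) -> bool: return True

RULE_ESTABLISHED: Rule = (established, None, "ACCEPT")
RULE_BLACKLIST: Rule = (anything, "update", "DROP")   # -m recent --update -j DROP
RULE_DMZ: Rule = (dmz_allowed, None, "ACCEPT")        # -s dmz ... -j ACCEPT
RULE_INTERNAL: Rule = (internal, None, "ACCEPT")
RULE_DECOY: Rule = (to_decoy, "set", "DROP")          # -d decoy -m recent --set -j DROP
RULE_FINAL: Rule = (anything, None, "DROP")

# Order as posted in the report: the blacklist check precedes the DMZ accept.
CHAIN_AS_REPORTED = [RULE_ESTABLISHED, RULE_BLACKLIST, RULE_DMZ,
                     RULE_INTERNAL, RULE_DECOY, RULE_FINAL]
# Order from the reply: accept known-good DMZ traffic before consulting the list.
CHAIN_DMZ_FIRST = [RULE_ESTABLISHED, RULE_DMZ, RULE_BLACKLIST,
                   RULE_INTERNAL, RULE_DECOY, RULE_FINAL]

# Constructed traffic: (time in seconds, packet).  The DMZ host touches the
# decoy once, then twice uses a service it is allowed to reach.
TRAFFIC = [
    (0,  {"src": DMZ_HOST, "dst": DECOY,     "state": "NEW"}),
    (5,  {"src": DMZ_HOST, "dst": "mail:25", "state": "NEW"}),
    (10, {"src": DMZ_HOST, "dst": "mail:25", "state": "NEW"}),
]


def run(chain: List[Rule], traffic=TRAFFIC, seconds: Optional[int] = None):
    """Run the traffic through a fresh recent list; return (verdicts, listed IPs)."""
    table = RecentTable(seconds)
    verdicts = [traverse(chain, pkt, table, now) for now, pkt in traffic]
    return verdicts, sorted(table.entries)


if __name__ == "__main__":
    print("as reported      :", run(CHAIN_AS_REPORTED))
    print("dmz rule first   :", run(CHAIN_DMZ_FIRST))
    print("reported, --seconds 3:", run(CHAIN_AS_REPORTED, seconds=3))
```

In the reported order the first probe to the decoy is dropped and puts the DMZ address on the list, and every later packet from it is then caught by the --update rule before the DMZ accept rule is ever consulted. With the DMZ accept rule first, the probe is still dropped and the address is still listed (which is the "entry I have to remove manually" the reporter sees), but the allowed traffic passes. A --seconds bound on the --update rule is the other common way to limit the penalty: entries older than that simply stop matching.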