iptables recent module usage by example
=======================================

*Statistics: /proc/net/ipt_recent* (on kernels that ship the module as xt_recent, each list has its own file under /proc/net/xt_recent/)

Public domain

Note: every snippet starts with `iptables -F`, which flushes rules but leaves the chain policies alone; the examples assume the INPUT policy is ACCEPT, so replies and established connections are not affected by the rules below.

********************************************************************************

### icmp check: 2 packets per 10 seconds - rcheck

    iptables -F
    # source already seen 2 or more times in the last 10 s: drop (rcheck does not touch the entry)
    iptables -A INPUT -p icmp --icmp-type echo-request -m recent --rcheck --seconds 10 --hitcount 2 --name ICMPCHECK -j DROP
    # otherwise record this packet for the source and let it through
    iptables -A INPUT -p icmp --icmp-type echo-request -m recent --set --name ICMPCHECK -j ACCEPT

********************************************************************************

### icmp check: 2 packets per 10 seconds - update

    iptables -F
    # same check, but --update also stamps each dropped packet, so a source that keeps sending stays blocked
    iptables -A INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 10 --hitcount 2 --name ICMPCHECK -j DROP
    iptables -A INPUT -p icmp --icmp-type echo-request -m recent --set --name ICMPCHECK -j ACCEPT

********************************************************************************

### SSH brute-force prevention: 3 connections per 60 seconds

    SSHPORT=22
    iptables -F
    # third NEW connection from the same source within 60 s is dropped; further attempts extend the block
    iptables -A INPUT -p tcp --dport ${SSHPORT} -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name BRUTEFORCE -j DROP
    iptables -A INPUT -p tcp --dport ${SSHPORT} -m state --state NEW -m recent --set --name BRUTEFORCE -j ACCEPT

********************************************************************************

### SSH brute-force prevention: 3 connections per 60 seconds - separate chain

    SSHPORT=22
    iptables -F
    iptables -X
    iptables -N BRUTECHECK
    # hand every NEW SSH connection to the BRUTECHECK chain
    iptables -A INPUT -p tcp --dport ${SSHPORT} -m state --state NEW -j BRUTECHECK
    iptables -A BRUTECHECK -m recent --update --seconds 60 --hitcount 3 --name BRUTEFORCE -j DROP
    iptables -A BRUTECHECK -m recent --set --name BRUTEFORCE -j ACCEPT

********************************************************************************

### SSH port knocking: tcp/1000, tcp/2000

    SSHPORT=22
    N1=1000
    N2=2000
    iptables -F
    iptables -X
    iptables -N KNOCK1
    iptables -N KNOCK2
    iptables -N OK
    # first knock: remember the source, clear any earlier KNOCKED state, drop the packet
    iptables -A KNOCK1 -m recent --set --name SEENFIRST
    iptables -A KNOCK1 -m recent --remove --name KNOCKED
    iptables -A KNOCK1 -j DROP
    # second knock: accept the sequence only if the first knock was within 5 s, otherwise forget it
    iptables -A KNOCK2 -m recent --rcheck --name SEENFIRST --seconds 5 -j OK
    iptables -A KNOCK2 -m recent --remove --name SEENFIRST
    iptables -A KNOCK2 -j DROP
    # correct sequence: mark the source as KNOCKED (the knock packet itself is still dropped)
    iptables -A OK -m recent --set --name KNOCKED
    iptables -A OK -j DROP
    iptables -A INPUT -p tcp --dport ${N1} -j KNOCK1
    iptables -A INPUT -p tcp --dport ${N2} -j KNOCK2
    # new SSH connections are accepted only from sources that completed the knock in the last 10 s
    iptables -A INPUT -p tcp --dport ${SSHPORT} -m state --state NEW -m recent --seconds 10 --rcheck --name KNOCKED -j ACCEPT
    iptables -A INPUT -p tcp --dport ${SSHPORT} -m state --state NEW -j DROP

********************************************************************************

### SSH port knocker script

    #!/bin/bash
    HOST="172.16.20.2"
    SSHPORT=22
    KNOCKS="1000 2000"
    # send one SYN per knock port; telnet is killed after a second because the knock packet is dropped anyway
    for PORT in $KNOCKS; do
        echo "Knock: $PORT"
        telnet $HOST $PORT &> /dev/null &
        P=$!
        echo "PID: ${P}"
        sleep 1
        kill -KILL ${P}
    done
    # the KNOCKED entry is valid for 10 s, so connect right away
    ssh -p${SSHPORT} ${HOST}

********************************************************************************

_BY: Pejman Moghadam_
_TAG: ssh, port-knocking, recent, iptables, firewall_
_DATE: 2011-03-04 22:24:41_
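The two icmp sections above differ only in `--rcheck` versus `--update`. As an added example (not part of the original page), here is a small Python model of the recent match semantics, run over a constructed ping trace with the page's ICMP rule pair: it shows that `--update` re-stamps every dropped packet, so a source that keeps sending stays blocked, while `--rcheck` lets it back in once its accepted hits age out of the window. The window rule and the per-address stamp cap are assumptions modelled on the module's default behaviour, not kernel code.

```python
# Constructed model of the xt_recent match; not the kernel's code.
from collections import defaultdict

PKT_LIST_TOT = 20  # assumed default ip_pkt_list_tot: newest hit stamps kept per address

class RecentList:
    def __init__(self):
        self.stamps = defaultdict(list)  # source address -> hit timestamps (seconds)

    def _stamp(self, addr, now):
        self.stamps[addr].append(now)
        del self.stamps[addr][:-PKT_LIST_TOT]  # keep only the newest stamps

    def set(self, addr, now):
        """--set: always matches; adds addr if new and records a hit."""
        self._stamp(addr, now)
        return True

    def remove(self, addr):
        """--remove: matches if addr is listed, and deletes its entry."""
        return self.stamps.pop(addr, None) is not None

    def check(self, addr, now, seconds=0, hitcount=0, update=False):
        """--rcheck / --update: match if addr is listed with at least
        max(hitcount, 1) hits inside the last `seconds` (0 = any age).
        --update also records this packet as a hit, but only on a match."""
        if addr not in self.stamps:
            return False
        hits = sum(1 for s in self.stamps[addr] if not seconds or s >= now - seconds)
        matched = hits >= max(hitcount, 1)
        if matched and update:
            self._stamp(addr, now)
        return matched

def icmp_verdicts(mode, packets, seconds=10, hitcount=2):
    """Run the page's two ICMP rules (check -> DROP, else --set -> ACCEPT)
    over (addr, time) packets; mode is 'rcheck' or 'update'."""
    lst, verdicts = RecentList(), []
    for addr, t in packets:
        if lst.check(addr, t, seconds, hitcount, update=(mode == "update")):
            verdicts.append("DROP")
        else:
            lst.set(addr, t)
            verdicts.append("ACCEPT")
    return verdicts

# Constructed trace: one source sending echo-requests at these second marks.
PINGS = [("10.0.0.7", t) for t in (0, 1, 5, 9, 12, 14)]
# icmp_verdicts("rcheck", PINGS) -> A A D D A A ; icmp_verdicts("update", PINGS) -> A A D D D D
```

The same `RecentList.check` with `hitcount=0` and `seconds=5` models the `SEENFIRST` test in the port-knocking rules.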