iptables "recent" module - setting module parameters

If you load the module by hand, you just add it to the modprobe command line:

modprobe ipt_recent param1=val1 param2=val2

Otherwise, if it's being loaded automatically, you can create a file in /etc/modprobe.d, say /etc/modprobe.d/ipt_recent, with contents of:

options ipt_recent param1=val1 param2=val2

Which will do the same thing as the modprobe line above.


Warning: Understand that changing this has an impact on the memory usage of the machine, as these details are stored in memory and iptables requires greater resources to deal with storing larger amounts of data.

Setup the xt_recent configuration file

Create the file /etc/modprobe.d/xt_recent.conf and include a line like this:

options xt_recent ip_list_tot=50 ip_pkt_list_tot=150

Don't forget to add some comments about what you're doing. Future you will thank you.

Prepare to reinitialize xt_recent

Before we begin, remove any rules in your firewall currently using the recent module, or simply disable the firewall. You may want to save your rules before you do this with sudo iptables-save > somefile.txt or maybe sudo service iptables save if your distro supports that.

Choose one of these two depending on your situation to clean up. You could also simply restart your computer at this point and skip to adding rules.

To shut down iptables:

sudo service iptables stop

To remove specific rules:

  1. Use iptables -L --line-numbers to list the rules and look for "recent:" in the rules.
  2. Use iptables -D INPUT # where # is the line number to delete rules.

Reinitialize xt_recent

Remove the module with sudo modprobe -r xt_recent. Add it back with sudo modprobe xt_recent.

Check to make sure your parameters were applied with sudo cat /sys/module/xt_recent/parameters/ip_pkt_list_tot.

Add the rules that you couldn't

If you stopped iptables, run sudo service iptables start to bring it back.

Add your rules back in with the higher values you wanted.

Bonus:

sudo watch 'iptables -nvL' will allow you to watch stuff hit the xt_recent rules.
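The step "check to make sure your parameters were applied" above does the comparison by hand with cat. The following POSIX shell script, an added example that is not code from any answer in this thread, does the same check for every parameter at once: it reads the options line written for the module (whether from the modprobe.d file in the first answer or the /etc/modprobe.d/xt_recent.conf file in this one) and compares each key=value against the value the loaded module reports under /sys/module/xt_recent/parameters. A MISMATCH means the file was edited after the module loaded and the modprobe -r / modprobe cycle still has to be done; MISSING means the module is not loaded or the kernel's xt_recent does not know that parameter. The function names xt_recent_conf_params and xt_recent_check and the default file paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the xt_recent options in a
# modprobe.d conf file with the values the loaded module exposes in sysfs.
# Assumed layout: conf lines of the form "options xt_recent key=value ...", and
# one file per parameter under /sys/module/xt_recent/parameters.

# Emit one "key=value" token per line from every 'options xt_recent' line in $1.
# Comments (# ...) are stripped first so a note after the options is harmless.
xt_recent_conf_params() {
    sed -E 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*options[[:space:]]+xt_recent([[:space:]]|$)' \
        | sed -E 's/^[[:space:]]*options[[:space:]]+xt_recent//' \
        | tr ' \t' '\n\n' \
        | grep '='
}

# Check each configured parameter against the sysfs directory $2 (default: the
# real path). Prints one OK/MISMATCH/MISSING line per key; returns 1 if any key
# differs or is absent, 0 if everything matches.
xt_recent_check() {
    conf="$1"
    sysdir="${2:-/sys/module/xt_recent/parameters}"
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    for kv in $(xt_recent_conf_params "$conf"); do
        key=${kv%%=*}
        want=${kv#*=}
        if [ ! -r "$sysdir/$key" ]; then
            # module not loaded, or a parameter this kernel's xt_recent lacks
            echo "MISSING  $key (no $sysdir/$key)"
            rc=1
        elif [ "$(cat "$sysdir/$key")" != "$want" ]; then
            # conf edited after load: needs modprobe -r xt_recent && modprobe xt_recent
            echo "MISMATCH $key: configured=$want loaded=$(cat "$sysdir/$key")"
            rc=1
        else
            echo "OK       $key=$want"
        fi
    done
    return $rc
}

# Stand-alone use: sh xt_recent_check.sh [conf] [sysfs-dir]
# Skipped when no conf is given and the default file does not exist, so the
# functions can also be sourced from another script.
if [ -n "$1" ] || [ -r /etc/modprobe.d/xt_recent.conf ]; then
    xt_recent_check "${1:-/etc/modprobe.d/xt_recent.conf}" "$2"
fi
```

Run it right after the modprobe -r / modprobe pair, before adding the rules back: if it prints anything other than OK lines, the larger ip_list_tot / ip_pkt_list_tot values are not in effect yet and rules that rely on them will still be limited by the old defaults.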


I don't have the reputation to reply to TopQ's answer, but I signed up for an account just to tell people not to do what he suggests. The source code of the module (http://lxr.linux.no/linux+v3.9/net/netfilter/xt_recent.c) has no provision to detect changes to that parameter and no provision to reallocate the kernel buffer responsible for keeping track of recent hits.

Therefore, if you chmod that parameter writable and subsequently change it, subsequent entries to existing recent hit logs will overrun the previously allocated kernel buffers and cause a kernel panic.