Remove those entries from iptables recent list which are not there in an ipset

Question

I am using iptables recent match for my work as it saves ip addresses and there last seen value which I require. But now I need to remove some entries from the iptables recent list and those entries are there in an ipset. Can anyone tell me is it possible or not? And if yes then how can I do it? Thanks.

Answer 1

You can remove within iptables rules with:

... -m recent --remove ...

e.g. to remove entries with less then 5 packets / hour:

-A TEST -m recent --rcheck --seconds 3600 --hitcount 5 --rsource -j RETURN
-A TEST -m recent --remove

The first rule matches source ips with >= 5 pkts/hour and leaves TEST chain via RETURN target. The second rule removes not matched / not filtered packets ( with rate below 5 pkts/hour) from default recent list.

You can remove from userland with:

echo -addr >/proc/net/xt_recent/DEFAULT
          to remove addr from the DEFAULT list
echo / >/proc/net/xt_recent/DEFAULT
          to flush the DEFAULT list (remove all entries).

e.g. to remove ip 192.168.4.7 from default recent list:

echo -192.168.4.7 >/proc/net/xt_recent/DEFAULT

see also:

• man iptables-extensions(8) (search for recent)
• http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.16