Recent module, what is preferred rcheck or update?

From the man page of iptables:

   [!] --rcheck
          Check if the source address of the packet is  currently  in  the
          list.

   [!] --update
          Like  --rcheck,  except it will update the "last seen" timestamp
          if it matches.

So, using update will not reset the hitcount; it will (re)set the last seen timestamp. The following is said about --seconds:

   --seconds seconds
          This  option must be used in conjunction with one of --rcheck or
          --update. When used, this will narrow the match to  only  happen
          when  the  address  is  in the list and was seen within the last
          given number of seconds.

That means using --rcheck makes the rule match only for the time interval specified in the rule (e.g. with --seconds) at a time, while using --update will extend the time interval the rule is being matched if matching packets are encountered during the interval.

So, if there is a matching packet every 45 secs the example rules shown in the question will keep on logging the packets and returning from the chain. OTOH if --rcheck had been used, every second packet would not be matched (as the 60 sec interval for two matching packets has expired).
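The timeline described above, played out in a small model of the recent match. This is an added example, not code from the answer or from the kernel's xt_recent module: `RecentList` models a named list with `--set`, `--rcheck`, `--update`, `--seconds` and `--hitcount`, and `simulate` pushes packets from one constructed source address through a two-rule chain (check rule first, `--set` rule second). The per-address cap of 20 timestamps and the strict window boundary are assumptions of the model, not something the answer states.

```python
"""Constructed model of the iptables 'recent' match semantics (--set,
--rcheck, --update, --seconds, --hitcount). Added example for this answer,
not the kernel implementation; the exact window-boundary handling and the
per-address stamp cap are modelling choices."""

from collections import deque


class RecentList:
    """One named list (e.g. --name X), keyed by source address."""

    def __init__(self, max_stamps=20):
        # A bounded ring of hit timestamps per address; the oldest stamp
        # falls off once the cap is reached (assumed default of 20).
        self.entries = {}
        self.max_stamps = max_stamps

    def set(self, addr, now):
        """--set: add the address (or refresh it) and record a hit at 'now'."""
        self.entries.setdefault(addr, deque(maxlen=self.max_stamps)).append(now)

    def check(self, addr, now, mode="rcheck", seconds=None, hitcount=1):
        """--rcheck or --update (mode), optionally narrowed by --seconds and
        --hitcount. Returns True when the rule matches. In 'update' mode a
        match also records 'now' as a new hit; that is what keeps extending
        the window, while 'rcheck' leaves the stored timestamps untouched."""
        if mode not in ("rcheck", "update"):
            raise ValueError("mode must be 'rcheck' or 'update'")
        stamps = self.entries.get(addr)
        if not stamps:
            return False                        # address not in the list
        if seconds is None:
            hits = len(stamps)                  # no window: every hit counts
        else:
            # Only hits inside the last 'seconds' count (strict boundary
            # is a modelling choice).
            hits = sum(1 for t in stamps if now - t < seconds)
        matched = hits >= hitcount
        if matched and mode == "update":
            stamps.append(now)                  # refresh "last seen"
        return matched


def simulate(mode, interval=45, seconds=60, packets=6, hitcount=1):
    """Push 'packets' packets from one source, 'interval' seconds apart,
    through a two-rule chain and return the per-packet verdict:
        -m recent --name X --<mode> --seconds <seconds> --hitcount <hitcount>  -> "matched"
        -m recent --name X --set                                                -> "set"
    The --set rule is only reached when the first rule does not match."""
    rl = RecentList()
    addr = "192.0.2.10"      # constructed source (RFC 5737 documentation range)
    verdicts = []
    for i in range(packets):
        now = i * interval
        if rl.check(addr, now, mode=mode, seconds=seconds, hitcount=hitcount):
            verdicts.append("matched")
        else:
            rl.set(addr, now)
            verdicts.append("set")
    return verdicts


if __name__ == "__main__":
    # A packet every 45 s against a 60 s window: --update keeps matching,
    # --rcheck matches only every second packet.
    for mode in ("rcheck", "update"):
        print(f"{mode:7s} every 45 s, --seconds 60:", simulate(mode))
    # The classic rate-limit shape: the 4th hit inside 60 s is the first match.
    print("update, --hitcount 3, packet every 10 s:",
          simulate("update", interval=10, hitcount=3))
```

Running it shows `rcheck` alternating `set, matched, set, matched, ...` because the stored timestamp is only refreshed by the `--set` rule, while `update` returns `set` once and then `matched` for every later packet because each match pushes "last seen" forward. The `--hitcount 3` run illustrates why `update` is the usual choice for a limiter: the count of hits inside the window keeps growing as long as the source keeps sending.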

Tags: ddos, iptables