How to Check The Hit Count for Each Rule in Iptables

How can I check the hit count for each rule in iptables?

iptables will list packet and byte counters if you specify option -v for verbose, e.g. iptables -vL. Likewise iptables-save will list all entries including the mentioned counters for each chain, but not for each table entry (on some systems iptables-save requires option -c to include counters).
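An added example (not part of the answer above): a small POSIX shell/awk helper that turns the output of `iptables -vnxL --line-numbers` into one `chain rule pkts bytes target` row per rule and lists rules whose packet counter is still zero. `-x` (`--exact`) is what makes the counters parseable: without it `-v` abbreviates large values to forms like `12K` or `3M`. `-n` skips name lookups and `--line-numbers` numbers each rule. The sample output is constructed to match that format; in live use the real command is piped in instead.

```shell
#!/bin/sh
# Added example (not from the original answer).
# Parse `iptables -vnxL --line-numbers` output into "chain rule pkts bytes target".
# Live use:  iptables -vnxL --line-numbers | rule_hits
# The text below is constructed sample output in that exact format.

SAMPLE='Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        4213    3100431 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2          98       7040 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3           0          0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5120 packets, 614400 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
'

# One line per rule: chain, rule number, packets, bytes, target.
# Caveat: a rule without a -j target (e.g. a bare "-m recent --set") has an
# empty target column, so $4 would then hold the protocol instead.
rule_hits() {
    awk '
        /^Chain /  { chain = $2; next }   # "Chain INPUT (policy ...)": remember the chain name
        /^num /    { next }               # column header
        NF == 0    { next }               # blank line between chains
        { print chain, $1, $2, $3, $4 }
    '
}

# Rules whose packet counter is zero: never matched since the counters were
# last reset, so either dead or shadowed by an earlier rule.
unhit_rules() {
    rule_hits | awk '$3 == 0'
}

# Number of rule rows produced for the input on stdin.
count_rules() {
    rule_hits | awk 'END { print NR }'
}

printf '%s' "$SAMPLE" | rule_hits
echo "--- never matched:"
printf '%s' "$SAMPLE" | unhit_rules
```

`iptables -Z [chain]` zeroes the counters, so a `-Z` followed later by `-vnxL` gives hits over a known interval. `iptables-save -c` is the other source: it prefixes every rule with `[pkts:bytes]`, which is handy for diffing rule sets with their counters.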

What does this IPTable (update, seconds, hitcount) rule do? (debian)

From https://linux.die.net/man/8/iptables:

[!] --rcheck
Check if the source address of the packet is currently in the list.
[!] --update
Like --rcheck, except it will update the "last seen" timestamp if it matches.
[!] --remove
Check if the source address of the packet is currently in the list and if so that address will be removed from the list and the rule will return true. If the address is not found, false is returned.
[!] --seconds seconds
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds.
[!] --hitcount hits
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame.

I'd say it's per source IP address, and they will be dropped as long as there have been more than 49 hits in the last 3 seconds from that source IP address.
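An added example, not part of the answer above and not the rule from the question (that rule is not shown on the page): a shell/awk simulation of the usual `-m recent --set` plus `-m recent --update --seconds S --hitcount H -j DROP` pair, with `--seconds 3 --hitcount 50` assumed from the answer's "more than 49 hits in the last 3 seconds". It feeds a constructed packet stream through the man-page semantics quoted above: the list is keyed per source address, and a packet is dropped once at least `H` packets from that address fall inside the last `S` seconds. Two simplifications, both labelled in the code: every packet is recorded (the `--set` rule comes first), and the real module's cap on stored timestamps per address (`ip_pkt_list_tot`) is ignored.

```shell
#!/bin/sh
# Added example, not from the original answer, and not the rule being asked
# about (that rule is not shown on the page). It simulates the pair
#
#   iptables -A INPUT -p tcp --dport 22 -m recent --set    --name SSH
#   iptables -A INPUT -p tcp --dport 22 -m recent --update --name SSH --seconds 3 --hitcount 50 -j DROP
#
# with 3 seconds / 50 hits assumed from "more than 49 hits in the last 3 seconds".
# Input on stdin: "<unix-time> <source-ip>", one line per packet, in time order.
# Output: "<time> <source-ip> ACCEPT|DROP" per packet.
# Simplifications: every packet is recorded (the --set rule comes first), and
# the real module's cap on stored timestamps per address (ip_pkt_list_tot)
# is ignored.

recent_simulate() {
    seconds=${1:-3}
    hitcount=${2:-50}
    awk -v seconds="$seconds" -v hitcount="$hitcount" '
    BEGIN { seconds += 0; hitcount += 0 }      # force numeric comparisons
    {
        t = $1 + 0; ip = $2
        # --set: the list is keyed by source address (default --rsource);
        # append this packet timestamp to that address history
        n[ip]++
        seen[ip, n[ip]] = t
        # --update --seconds S --hitcount H: match when at least H packets
        # from this address were seen in the last S seconds (sliding window)
        hits = 0
        for (i = 1; i <= n[ip]; i++)
            if (seen[ip, i] >= t - seconds) hits++
        print t, ip, (hits >= hitcount ? "DROP" : "ACCEPT")
    }'
}

# Constructed traffic: 55 packets from 10.0.0.1 within one second, one packet
# from 10.0.0.2 at the same time, then 10.0.0.1 again after the window passed.
sample_packets() {
    i=0
    while [ "$i" -lt 55 ]; do
        echo "100 10.0.0.1"
        i=$((i + 1))
    done
    echo "100 10.0.0.2"
    echo "200 10.0.0.1"
}

sample_packets | recent_simulate 3 50
```

Running it shows the 50th packet from 10.0.0.1 and everything after it in that second being dropped, 10.0.0.2 untouched despite sending at the same moment, and 10.0.0.1 accepted again 100 seconds later because the window is sliding, not a fixed bucket.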

Run a system command when an IPTables rule is matched

Here is how you do it:


iptables -I FORWARD -p tcp --dport 80 -d a.b.c.d -j LOG --log-prefix="TRIGGER ME NOW !!!"


tail -f some-logfile | awk '/some-pattern/ {system("run-some-command")}'

Should be straightforward enough and should be able to deal with lots of traffic; the tail command should be quick enough... Just make sure the file doesn't grow too much.
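An added example, not code from the answer above: the same `tail | awk` idea with the pieces a practitioner usually wants around it. The kernel log lines are a constructed sample of what the `-j LOG --log-prefix="TRIGGER ME NOW !!!"` rule produces (the destination shown as 198.51.100.7 and the other addresses are made up); in real use they come from `tail -F -n0 /var/log/kern.log` or `journalctl -kf`. Two details matter: awk buffers its output when stdout is a pipe, so `fflush()` after each print is what keeps the handler real-time, and the handler only ever receives a validated IPv4 address, once per source, rather than arbitrary log text.

```shell
#!/bin/sh
# Added example, not code from the answer above. It turns a constructed
# sample of kernel LOG lines into handler calls, the way the answer's
# "tail | awk system()" pipeline would. In real use replace the sample with
#   tail -F -n0 /var/log/kern.log | on_trigger      (or: journalctl -kf | on_trigger)
# and make handle_hit do the real action, e.g. iptables -I INPUT -s "$1" -j DROP.

PREFIX='TRIGGER ME NOW !!!'

# Constructed sample of what the rule
#   iptables -I FORWARD -p tcp --dport 80 -d a.b.c.d -j LOG --log-prefix="TRIGGER ME NOW !!!"
# writes to the kernel log. Note the prefix has no trailing space, so it runs
# straight into "IN=". Addresses are made up for illustration.
SAMPLE='Jan 10 10:00:01 gw kernel: [12345.678] TRIGGER ME NOW !!!IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51514 DPT=80
Jan 10 10:00:01 gw kernel: [12345.680] TRIGGER ME NOW !!!IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=198.51.100.7 LEN=52 PROTO=TCP SPT=51514 DPT=80
Jan 10 10:00:02 gw kernel: [12346.001] OTHER RULE IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=60 PROTO=TCP DPT=22
Jan 10 10:00:03 gw kernel: [12347.002] TRIGGER ME NOW !!!IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40000 DPT=80
'

# Placeholder action; the real thing would be e.g. iptables -I INPUT -s "$1" -j DROP
handle_hit() {
    echo "action for $1"
}

on_trigger() {
    awk -v prefix="$PREFIX" '
        index($0, prefix) == 0 { next }            # only lines from our LOG rule
        {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            # Hand over only something that looks like an IPv4 address, and
            # only once per source, so the handler does not run per packet and
            # never sees arbitrary log text.
            if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(src in done)) {
                done[src] = 1
                print src
                fflush()                            # do not sit in the pipe buffer behind tail -F
            }
        }' | while IFS= read -r src; do
            handle_hit "$src"
        done
}

printf '%s' "$SAMPLE" | on_trigger
```

`tail -F` (rather than `-f`) follows the file across log rotation, which addresses the "make sure the file doesn't grow too much" point: rotate it freely and the pipeline keeps going.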

iptables -j vs. -g parameters

When a matched rule in a current chain specifies the target RETURN, or when the end of the current chain is reached, processing continues in the previous chain that jumped to the current chain, traversing it from the next rule that was still not processed, i.e. the rule below the one that actually specified the current chain as its target and triggered the jump to the current chain.

However if the jump to the current chain was done via -g (rather than via -j), processing would not continue in that previous chain, but rather in the chain before that, assuming the jump there was done with -j. If that is also not the case (i.e. even there -g was used), then the chain before that would be taken into account, and so on. In other words, the most recent chain that actually specified the next chain with -j, rather than with -g would be processed next.

If no such chain is found (i.e. all chains up to and including the built-in chain specified -g), or the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the built-in chain policy determines the fate of the packet.
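An added example, not from the answer above: a toy chain walker in shell/awk that applies exactly the `-j` / `-g` return rules described there to a small constructed rule set, so the two can be compared on the same packets. The rule format is invented for the example (one line per rule: chain, match token, target, and JUMP or GOTO for user-chain targets); it is not iptables syntax and only models traversal order for a single built-in chain.

```shell
#!/bin/sh
# Added example, not from the answer above: a toy walker that applies the
# -j / -g semantics described there to a constructed rule set. Each rule is
#   <chain> <match> <target> <kind>
# where <match> is a token the packet must carry ("all" matches anything),
# <target> is ACCEPT, DROP, RETURN or a user chain, and <kind> is JUMP (-j)
# or GOTO (-g) for user-chain targets ("-" otherwise). Not iptables syntax;
# only the traversal order is modelled, and only for the INPUT chain.

RULES='INPUT x retchain GOTO
INPUT tcp tcpchain JUMP
INPUT udp udpchain JUMP
INPUT all DROP -
tcpchain all leaf JUMP
tcpchain all ACCEPT -
udpchain all leaf GOTO
udpchain all ACCEPT -
leaf all RETURN -
retchain all RETURN -'

# walk_rules <packet-token> <INPUT-policy>  ->  verdict on stdout
walk_rules() {
    printf '%s\n' "$RULES" | awk -v pkt="$1" -v policy="$2" '
    # Load the rules, keeping their order within each chain.
    NF == 4 { n[$1]++; m[$1, n[$1]] = $2; t[$1, n[$1]] = $3; k[$1, n[$1]] = $4 }

    # Returns ACCEPT/DROP, or RETURN when the chain ends or hits a RETURN rule.
    function walk(chain,    i, v) {
        for (i = 1; i <= n[chain]; i++) {
            if (m[chain, i] != "all" && m[chain, i] != pkt) continue
            if (t[chain, i] == "ACCEPT" || t[chain, i] == "DROP") return t[chain, i]
            if (t[chain, i] == "RETURN") return "RETURN"
            # -g: the target chain takes over; when it RETURNs or ends, that
            # RETURN is ours too, i.e. it goes to whoever -j-ed into us.
            if (k[chain, i] == "GOTO") return walk(t[chain, i])
            # -j: a RETURN from the target resumes at the next rule here.
            v = walk(t[chain, i])
            if (v != "RETURN") return v
        }
        return "RETURN"
    }

    END {
        v = walk("INPUT")
        # A RETURN reaching the built-in chain means the policy decides.
        if (v == "RETURN") v = policy " (policy)"
        print v
    }'
}

for p in tcp udp icmp x; do
    echo "$p: $(walk_rules "$p" ACCEPT)"
done
```

For `tcp`, `leaf` is entered with `-j`, so its RETURN resumes in `tcpchain` and the packet is accepted. For `udp`, `leaf` is entered with `-g`, so the same RETURN skips the rest of `udpchain`, lands back in INPUT after the rule that jumped, and the final DROP matches. Packet `x` shows the last paragraph of the answer: `-g` straight from the built-in chain followed by a RETURN goes to the policy, not to the remaining INPUT rules, so it is accepted by policy even though a later INPUT rule would drop it.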
