
timestamp of the last hit of an iptables rule

I am looking for a way to get the timestamps of iptables rules' last hits on a long-running instance. (I know of the recent module and iptables -vL etc., but they serve a different purpose.) I have spent some time searching now, including here, and most answers and man pages talk about packet/byte counts for each rule, or about how to dynamically control IP sets and update the rules based on the count and recency of the source packets, not about when a given rule was last hit.

I have an installation where I need to check when certain rules that have non-zero packet counts were last hit and remove them if it was long ago. Is there any way of getting this information out?
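
As an added example (not code from the question or from any answer on this page), the per-rule packet counters iptables already keeps can be turned into approximate last-hit timestamps: sample `iptables-save -c` periodically, and whenever a rule's packet count changes, record the sampling time against that rule. The resolution is the sampling interval. The state directory, the interval, the file names and the `iptables-save -c` dumps described in the comments are assumptions or constructed sample data.

```sh
#!/bin/sh
# Added example: approximate "last hit" timestamps for iptables rules by
# sampling the per-rule packet counters emitted by `iptables-save -c`
# (lines look like "[42:3360] -A INPUT -s 203.0.113.5/32 -j DROP") and
# recording the wall-clock time at which a counter changed.
# STATE_DIR and INTERVAL are assumed defaults, not anything from the page.

STATE_DIR="${STATE_DIR:-/var/lib/iptables-lasthit}"   # assumed path
INTERVAL="${INTERVAL:-60}"                            # seconds between samples

# changed_rules PREV CUR
# Print every rule (the text after the "[pkts:bytes] " prefix) whose packet
# counter is non-zero and differs between two iptables-save -c dumps.
# A counter that went *down* means the ruleset was reloaded and counters
# were reset; any non-zero value after a reset still means the rule was hit.
changed_rules() {
    awk '
        /^\[[0-9]+:[0-9]+\] -A / {
            pkts = substr($0, 2, index($0, ":") - 2) + 0
            rule = substr($0, index($0, "] ") + 2)
            if (FILENAME == ARGV[1]) { prev[rule] = pkts; next }
            if (pkts > 0 && (!(rule in prev) || pkts != prev[rule])) print rule
        }
    ' "$1" "$2"
}

# update_state STATE NOW CHANGED
# STATE holds "<epoch>\t<rule>" lines. Rules listed in CHANGED (one rule per
# line) are stamped with NOW; stamps of all other rules are kept unchanged.
update_state() {
    tmp=$(mktemp) || return 1
    awk -F'\t' -v now="$2" '
        FILENAME == ARGV[1] { last[$0] = now; next }   # rule hit in this sample
        !($2 in last)       { last[$2] = $1 }          # keep the old stamp
        END { for (r in last) print last[r] "\t" r }
    ' "$3" "$1" > "$tmp" && mv "$tmp" "$1"
}

# last_hit STATE RULE: print the recorded epoch for RULE (empty if never seen hit).
last_hit() {
    awk -F'\t' -v r="$2" '$2 == r { print $1 }' "$1"
}

# stale_rules STATE NOW MAXAGE: list rules whose last recorded hit is more
# than MAXAGE seconds before NOW. Deleting them is left to the administrator.
stale_rules() {
    awk -F'\t' -v now="$2" -v max="$3" 'now - $1 > max { print $2 }' "$1"
}

# sample_once: dump the current counters, diff against the previous dump,
# update the state file and rotate the dumps. Needs root for iptables-save.
sample_once() {
    mkdir -p "$STATE_DIR"
    : >> "$STATE_DIR/state"
    [ -f "$STATE_DIR/prev" ] || : > "$STATE_DIR/prev"
    iptables-save -c > "$STATE_DIR/cur" || return 1
    changed_rules "$STATE_DIR/prev" "$STATE_DIR/cur" > "$STATE_DIR/changed"
    update_state "$STATE_DIR/state" "$(date +%s)" "$STATE_DIR/changed"
    mv "$STATE_DIR/cur" "$STATE_DIR/prev"
}

# Loop forever only when run under this (assumed) script name, so the
# functions can also be sourced and used individually.
if [ "${0##*/}" = "iptables-lasthit.sh" ]; then
    while sample_once; do sleep "$INTERVAL"; done
fi
```

Two caveats follow from the design. On the first sample there is no previous dump, so every rule that already has a non-zero counter is stamped with the start time; that stamp means "hit at some unknown time before monitoring began", and such rules only become stale MAXAGE seconds after the monitor starts. And because only counter changes are observed, a rule that is hit and then has its counter reset to zero by a reload between two samples is missed; shortening INTERVAL narrows that window.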

A.B
You just dismissed the recent match, while it would probably have been given as a possibility for this. You should describe why you consider it can't be used.
Serguei
First, the vast majority of the rules in place don't have it, nor need to use it. Second, if I match on a recent packet, e.g. to temporarily block it for X amount of time due to a scan and then auto-unblock later, this would not tell me if this rule as a whole was used yesterday or 6 months ago. Unless I am missing something.