LinuxQuestions.org
Old 06-23-2017, 02:34 AM   #1
aidylewis
LQ Newbie
 
Registered: Apr 2016
Posts: 25

iptables firewall


I am trying to limit TCP connections to 10 through an iptables firewall block.

sudo iptables -A OUTPUT -p tcp --syn --dport 80 -m connlimit --connlimit-upto 10 -j ACCEPT

I am running socket statistics but the TCP count goes well over 10. What am I doing wrong?

Many Thanks

Aidy
 
Old 06-23-2017, 02:56 AM   #2
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

OUTPUT? Is that really what you intend?

What are the default policies for the intended chain? What rules appear ahead of this one?

The effect of any single iptables rule can not be understood in isolation. A better description of what you are actually trying to accomplish, and a more complete description of your rules would be necessary for anyone to provide an answer.

If not overly long, posting the output of iptables -L -n would be a good place to start.
 
Old 06-23-2017, 03:06 AM   #3
aidylewis
LQ Newbie
 
Registered: Apr 2016
Posts: 25

Original Poster
Dear Sir/Madam

I am using a Golang load test tool called Vegeta
https://github.com/tsenart/vegeta

We have millions of users who connect to our sites but only several back-end services. This is why I would like to limit the TCP connections in order to create one realistic (back-end) test.
Code:
echo "GET http://open.stage.bbc.co.uk/loadtest/2kb" | vegeta attack -duration=20m -rate=1000 | tee results.bin | vegeta report
Code:
[ec2-user@ip-xxx-xx-xx-xxx ~]$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02 #conn src/32 <= 10
Many Thanks

Aidy

Last edited by aidylewis; 06-23-2017 at 03:28 AM. Reason: Only ssh open to my machine
 
Old 06-23-2017, 03:24 AM   #4
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Please place your code snippets inside [CODE]...[/CODE] tags for better readability. You may type those yourself or click the "#" button in the edit controls.

Your description does not provide any useful information. Please see the Site FAQ, in particular this page and the links in it, for help in asking a better question.

The tools and your traffic patterns are not relevant to the question. Are you trying to limit incoming connections to your server, or outgoing connections to remote HTTP servers?

The rules you have posted will allow all incoming and outgoing traffic, nothing will be limited.

The INPUT chain ACCEPTS everything.
The OUTPUT chain ACCEPTS anything which matches your single rule, as well as anything which does not match it.

If you are not familiar with iptables usage, this Iptables How To may be a good place to start. You may also find many other resources online.
 
Old 06-23-2017, 03:51 AM   #5
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Thanks for editing your post to add code tags.

Very basically, the way iptables rules work is this:

1. Each packet is tested by each rule beginning at top of a chain (INPUT, OUTPUT, etc.). If it matches the rule it is handled by the target of that rule, ACCEPT, REJECT, DROP, another chain...
2. If it does not match a rule, it continues to the next rule, but first match determines the packet's fate.
3. If it reaches the end of the chain without matching any rule, its fate is determined by the default policy.

In your case, the default policy of the OUTPUT chain is ACCEPT, and your single rule's target is also ACCEPT. Hence, if it matches it is accepted, and if it does not match it is accepted.

The minimum you would need to do to enforce the rule would be to set the default policy to DROP. That way packets matching your rule would be accepted, all others would be dropped.
 
Old 06-23-2017, 03:51 AM   #6
aidylewis
LQ Newbie
 
Registered: Apr 2016
Posts: 25

Original Poster
# Distro RHEL 7.3

> Are you trying to limit incoming connections to your server, or outgoing connections to remote HTTP servers?

I am trying to limit outgoing connections to remote HTTP servers

Code:
# allow at most 15 outgoing HTTP connections per client host (the 16th SYN is rejected)
iptables -A OUTPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 -j REJECT
Code:
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02 #conn src/32 > 15 reject-with icmp-port-unreachable

Last edited by aidylewis; 06-23-2017 at 03:56 AM.
 
Old 06-23-2017, 04:07 AM   #7
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

We must have posted at the same time... see post above your last...

Using REJECT with a default policy of ACCEPT would work as well.

Selecting a default policy is very important (and the place to start). But drop-everything plus accept-what-you-want-rules is almost always the better approach.
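A small model of the first-match evaluation described in posts #5 and #7, added here as an example (not code from the thread): it simulates an OUTPUT chain with a connlimit match and a default policy, and shows why the --connlimit-upto 10 -j ACCEPT rule from post #1 limits nothing, while --connlimit-above 10 -j REJECT under policy ACCEPT, or --connlimit-upto 10 -j ACCEPT under policy DROP, caps each source at 10. Rule and packet fields are simplified, connlimit is modelled with a /32 mask, and nothing touches real iptables.

```python
# Minimal model of iptables first-match evaluation with a connlimit match.
# Added example, not from the thread: rules and packets are simplified and
# no real iptables is involved; connlimit is modelled with a /32 mask.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Rule:
    dport: int         # -p tcp --dport N
    target: str        # ACCEPT, DROP or REJECT
    upto: int = None   # --connlimit-upto N: matches when count <= N
    above: int = None  # --connlimit-above N: matches when count > N

    def matches(self, dport, count):
        if dport != self.dport:
            return False
        if self.upto is not None:
            return count <= self.upto
        if self.above is not None:
            return count > self.above
        return True


@dataclass
class Chain:
    policy: str                                      # default policy
    rules: list = field(default_factory=list)
    conns: Counter = field(default_factory=Counter)  # open conns per source

    def syn(self, src, dport):
        """Evaluate one new SYN: first matching rule decides, else policy."""
        count = self.conns[src] + 1  # connlimit counts the new one too
        verdict = self.policy
        for rule in self.rules:
            if rule.matches(dport, count):
                verdict = rule.target
                break  # first match determines the packet's fate
        if verdict == "ACCEPT":
            self.conns[src] += 1
        return verdict


def open_connections(chain, src, n, dport=80):
    """Attempt n outgoing SYNs from src; return how many were ACCEPTed."""
    return sum(chain.syn(src, dport) == "ACCEPT" for _ in range(n))
```

Build a Chain with the policy and rule from each post and call open_connections on it: the post #1 chain accepts all 50 attempts, the REJECT-above and DROP-policy chains accept exactly 10.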
 
Old 06-23-2017, 05:44 AM   #8
aidylewis
LQ Newbie
 
Registered: Apr 2016
Posts: 25

Original Poster
# doesn't go above 10 conns
Code:
sudo iptables -A OUTPUT -p tcp --syn --dport 80  -m connlimit --connlimit-above 10 -j REJECT
RPS at 5000 per second will keep connection rate at 10.

Code:
echo "GET http://open.stage.bbc.co.uk/loadtest/2kb" | vegeta attack -duration=20m -rate=5000 | tee results.bin | vegeta report
Thanks for help

Aidy
 
Old 06-23-2017, 01:34 PM   #9
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Below will allow 10 connections to HTTP and 10 connections to HTTPS.

Since this is your network you must change --connlimit-mask 24 to match your network mask

Code:
# create the user-defined chain before anything jumps to it, otherwise the
# OUTPUT rule fails with "No chain/target/match by that name"
iptables -N WEB
iptables -A WEB -p tcp --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
iptables -A WEB -p tcp --dport 443 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
iptables -A WEB -p tcp -j ACCEPT
# send new outgoing connections to HTTP (80) and HTTPS (443) through WEB
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j WEB
 
Old 06-27-2017, 08:37 AM   #10
aidylewis
LQ Newbie
 
Registered: Apr 2016
Posts: 25

Original Poster
Even with a high RPS rate, my solution is not working.

Flushing iptables, then

Code:
iptables -A OUTPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 -j REJECT
I am on EC2 RHEL 7.3 and the keyword 'WEB' (last suggestion) does not seem to be recognised.

using *ss -s* to view TCP conns

Last edited by aidylewis; 06-27-2017 at 08:44 AM.
 
Old 06-27-2017, 08:51 AM   #11
aidylewis
LQ Newbie
 
Registered: Apr 2016
Posts: 25

Original Poster
Socket stats may be showing me the connections but they might not be getting out.

Packets are certainly dropping

Code:
Chain OUTPUT (policy ACCEPT 3554K packets, 321M bytes)
 pkts bytes target     prot opt in     out     source               destination
3028K  182M REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02 #conn src/32 > 10 reject-with icmp-port-unreachable
Not sure whether 10 connections are being used or not.

Many Thanks

Aidy
 
Old 06-27-2017, 08:54 AM   #12
aidylewis
LQ Newbie
 
Registered: Apr 2016
Posts: 25

Original Poster
Established in ss -s seems constant. I think it is right.
 