We currently do a type of Layer 7 filtering where all packets matching our u32 rule get redirected to another port that caches information; this happens on our firewall (running Ubuntu with iptables) before it hits our Windows machines.
An example of one of these rules looks like this:
Code:
iptables -A PREROUTING -t nat -d ~dstip~/32 -p udp -m udp --dport ~dstport~ -m u32 --u32 "0x0>>0x16&0x3c@0x8=0xffffffff&&0x0>>0x16&0x3c@0xc=0x54536f75&&0x0>>0x16&0x3c@0x10=0x72636520&&0x0>>0x16&0x3c@0x14=0x456e6769&&0x0>>0x16&0x3c@0x18=0x6e652051&&0x0>>0x16&0x3c@0x1c=0x75657279" -j REDIRECT --to-ports ~redirectport~
This all works great: instead of the packets reaching our Windows server and bogging it down during medium-sized attacks, our caching program will respond to them.
However, I want ALL packets matching that rule to get passed. Currently, only new packets hitting our server will get redirected; IPs and ports that have already hit our firewall will pass right through.
I found a fix for this, and it was to set both of these to 0:
Code:
sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout_stream=0
sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout=0
This worked great and redirected everything, but even on a small attack (<50 Mbps) iptables just stops working and drops everything. My caching program isn't the bottleneck, and everything else seems to be working fine.
Any ideas?
edit:
I previously also found some information on it here:
http://serverfault.com/questions/741.../741108#741108
What makes this more odd is that without the two settings above, we were seeing 300-400 Mbps floods that were being cached perfectly by our program without issue, as all NEW (spoofed) packets were being redirected anyway.
No luck yet however.
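For anyone reading the u32 rule above and wondering what it actually matches: the recurring `0x0>>0x16&0x3c@` prefix reads the IPv4 IHL field, multiplies it by 4 to get the IP header length, and uses that as the base offset, so `@0x8` is the first 4 bytes of the UDP payload. The six constants that follow spell `\xff\xff\xff\xffTSource Engine Query`, the A2S_INFO request Source-engine game servers answer. The Python below is an added example (not code from the post or from the netfilter project) that interprets this subset of the u32 match language and runs it over constructed IPv4/UDP packets, including one with IP options (IHL=6) to show why the rule derives the offset from IHL instead of hard-coding 28. Checksums are left at zero because nothing here verifies them; the packet builder and sample payloads are constructed for the demonstration.

```python
import re
import struct

# The u32 expression from the post, verbatim.
RULE = ("0x0>>0x16&0x3c@0x8=0xffffffff&&0x0>>0x16&0x3c@0xc=0x54536f75"
        "&&0x0>>0x16&0x3c@0x10=0x72636520&&0x0>>0x16&0x3c@0x14=0x456e6769"
        "&&0x0>>0x16&0x3c@0x18=0x6e652051&&0x0>>0x16&0x3c@0x1c=0x75657279")

_TOK = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|&|@")


def _num(s):
    return int(s, 0)


def _load32(pkt, off):
    """Read a big-endian 32-bit word; u32 treats an out-of-bounds read as no-match."""
    if off < 0 or off + 4 > len(pkt):
        raise IndexError("u32 load beyond end of packet")
    return struct.unpack_from("!I", pkt, off)[0]


def _eval_loc(loc, pkt):
    """Evaluate a u32 location: start word, then >>n, &mask and @off (jump and reload)."""
    toks = _TOK.findall(loc)
    val = _load32(pkt, _num(toks[0]))
    for op, arg in zip(toks[1::2], toks[2::2]):
        arg = _num(arg)
        if op == ">>":
            val = (val >> arg) & 0xFFFFFFFF
        elif op == "&":
            val &= arg
        elif op == "@":
            val = _load32(pkt, val + arg)
    return val


def _in_range(val, r):
    lo, _, hi = r.partition(":")
    lo, hi = _num(lo), (_num(hi) if hi else _num(lo))
    return lo <= val <= hi


def eval_u32(expr, pkt):
    """True if every '&&'-joined clause 'loc=value[,value|lo:hi...]' holds for pkt."""
    for clause in expr.split("&&"):
        loc, rhs = clause.split("=")
        try:
            val = _eval_loc(loc, pkt)
        except IndexError:
            return False
        if not any(_in_range(val, r) for r in rhs.split(",")):
            return False
    return True


def matched_constants(expr):
    """Concatenate the compared constants, in rule order, to reveal the payload signature."""
    return b"".join(struct.pack("!I", _num(c.split("=")[1])) for c in expr.split("&&"))


def build_ipv4_udp(payload, ip_options=b"", sport=27005, dport=27015):
    """Constructed IPv4+UDP datagram; IHL grows with the (4-byte aligned) options."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    total = ihl * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload


# Constructed sample payloads.
A2S_INFO_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"
A2S_PLAYER_QUERY = b"\xff\xff\xff\xffU\xff\xff\xff\xff"
NOP_OPTIONS = b"\x01\x01\x01\x01"  # four IPv4 NOP options, makes IHL=6

if __name__ == "__main__":
    print(matched_constants(RULE))
    print(eval_u32(RULE, build_ipv4_udp(A2S_INFO_QUERY)))
    print(eval_u32(RULE, build_ipv4_udp(A2S_INFO_QUERY, NOP_OPTIONS)))
    print(eval_u32(RULE, build_ipv4_udp(A2S_PLAYER_QUERY)))
```

Running it shows the A2S_INFO query matching with and without IP options, while an A2S_PLAYER query (same `0xffffffff` header, different body) and a truncated query fall through; this is the same classification the kernel performs per packet before `-j REDIRECT` is consulted.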