LinuxQuestions.org

nanogoo 01-21-2011 11:13 AM

IPTables (connLimit vs hashlimit)
 
Hi,

I am new to IPTables.

Is it fair to say that connLimit and hashlimit are very similar on Linux, i.e. while hashlimit caters to limits for groups of ports, they both set the connection rate limit per host?

How, in IPTables, do I configure a policy that limits connections on a port that encapsulates the total sum of all connections from all hosts? I.e. I do not want to allow more than 6000 conn/minute for a port range, where that figure is the sum over all connecting hosts.

Appreciate any feedback,
Thanks,
Nano...

xeleema 01-21-2011 12:15 PM

Greetingz!

I'm not entirely sure what you're asking... perchance you've done this before using a different filter/firewall product?
If so, could you cite some examples in whatever you're familiar with?

Also, if you've attempted a few things thus far, could you post what you have, and what does/doesn't work?

Thanks!

nanogoo 01-21-2011 06:12 PM

So a typical example for hashlimit might look like this:

-A INPUT -p tcp -i eth0 --dport 5060:5062 -m hashlimit --hashlimit 1000/second --hashlimit-burst 1000 --hashlimit-mode srcip,srcport --hashlimit-name "rate limit 5060-5062"

This rule would rate limit on the port range 5060-62 at 1000 connections per second *per host*.

How do I specify that I want 1000/sec total for the port range i.e. no matter how many hosts, no more than 1000/second connections?

Is it achieved by changing hashlimit-mode to dstport only i.e. regardless of srcip we only want 1000/second?

Thanks,
Nano...

tva 01-24-2011 04:51 AM

From http://linux.die.net/man/8/iptables

hashlimit

    This patch adds a new match called 'hashlimit'. The idea is to have something like 'limit', but either per destination-ip or per (destip,destport) tuple.

    It gives you the ability to express
        '1000 packets per second for every host in 192.168.0.0/16'
        '100 packets per second for every service of 192.168.1.1'
    with a single iptables rule.

    --hashlimit rate
        A rate just like the limit match
    --hashlimit-burst num
        Burst value, just like limit match
    --hashlimit-mode destip | destip-destport
        Limit per IP or per port
    --hashlimit-name foo
        The name for the /proc/net/ipt_hashlimit/foo entry
    --hashlimit-htable-size num
        The number of buckets of the hash table
    --hashlimit-htable-max num
        Maximum entries in the hash
    --hashlimit-htable-expire num
        After how many milliseconds do hash entries expire
    --hashlimit-htable-gcinterval num
        How many milliseconds between garbage collection intervals

So I think changing hashlimit-mode works, not entirely sure though.
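To make the effect of --hashlimit-mode concrete, here is an added toy model of the hashlimit match (constructed for this thread, not the kernel's code or anything posted above): each key built from the mode fields gets its own token bucket with the rule's rate and burst, so the key choice decides whether the 1000/second budget is per source, per source port, or shared by everyone hitting the port. The hosts, packet counts and the "one packet equals one connection" simplification are assumptions; htable expiry and garbage collection are ignored.

```python
"""Toy model of iptables hashlimit: one token bucket per key (constructed)."""

# Constructed sample hosts, all sending to the SIP port used in the thread.
HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]


def key_for(mode, pkt):
    # --hashlimit-mode srcip,srcport -> key (srcip, srcport); dstport -> (dstport,)
    return tuple(pkt[field] for field in mode)


class HashLimit:
    def __init__(self, rate_per_sec, burst, mode):
        self.rate = float(rate_per_sec)   # --hashlimit 1000/second
        self.burst = float(burst)         # --hashlimit-burst 1000
        self.mode = tuple(mode)           # --hashlimit-mode fields
        self.buckets = {}                 # key -> (tokens, last_seen_time)

    def match(self, pkt, now):
        """Return True if the packet is within the limit for its key."""
        key = key_for(self.mode, pkt)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        ok = tokens >= 1.0
        self.buckets[key] = (tokens - 1.0 if ok else tokens, now)
        return ok


def accepted_count(mode, hosts=HOSTS, pkts_per_host=1500, rate=1000, burst=1000):
    """Replay pkts_per_host packets from every host to port 5060 at the same
    instant and return how many the match lets through in total."""
    hl = HashLimit(rate, burst, mode)
    accepted = 0
    for host in hosts:
        for i in range(pkts_per_host):
            # each host cycles through 64 source ports, as a real client would
            pkt = {"srcip": host, "srcport": 40000 + (i % 64), "dstport": 5060}
            if hl.match(pkt, now=0.0):
                accepted += 1
    return accepted


if __name__ == "__main__":
    for mode in (("srcip", "srcport"), ("srcip",), ("dstport",)):
        print(",".join(mode).ljust(14), accepted_count(mode))
```

With mode dstport all three hosts share one bucket, so only 1000 of the 4500 packets pass, which is the aggregate limit asked for; with srcip,srcport the bucket is per (host, source port), so a host that spreads over 64 source ports is barely limited at all.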
