LinuxQuestions.org
Old 01-21-2011, 11:13 AM   #1
nanogoo
LQ Newbie
 
Registered: Jan 2011
Posts: 2

Rep: Reputation: 0
IPTables (connLimit vs hashlimit)


Hi,

I am new to IPTables.

Is it fair to say that connLimit and hashlimit are very similar on Linux, i.e. while hashlimit caters to limits for groups of ports, they both set the connection rate limit per host?

How in IPTables, do I configure a policy that limits connections on a port that encapsulates the total sum of all connections from all hosts? i.e. I do not want to allow more than 6000conn/minute for port range that is the sum of all connecting hosts?

Appreciate any feedback,
Thanks,
Nano...
 
Old 01-21-2011, 12:15 PM   #2
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 248
Greetingz!

I'm not entirely sure what you're asking... perchance you've done this before using a different filter/firewall product?
If so, could you cite some examples in whatever you're familiar with?

Also, if you've attempted a few things thus far, could you post what you have, and what does/doesn't work?

Thanks!
 
Old 01-21-2011, 06:12 PM   #3
nanogoo
LQ Newbie
 
Registered: Jan 2011
Posts: 2

Original Poster
Rep: Reputation: 0
So a typical example for hashlimit might look like this:

-A INPUT -p tcp -i eth0 --dport 5060:5062 -m hashlimit --hashlimit 1000/second
--hashlimit-burst 1000 --hashlimit-mode srcip,srcport --hashlimit-name "rate limit 5060-5062"

This rule would rate limit on the port range 5060-62 at 1000 connections per second *per host*.

How do I specify that I want 1000/sec total for the port range i.e. no matter how many hosts, no more than 1000/second connections?

Is it achieved by changing hashlimit-mode to dstport only i.e. regardless of srcip we only want 1000/second?

Thanks,
Nano...
 
Old 01-24-2011, 04:51 AM   #4
tva
Member
 
Registered: Jul 2010
Location: Finland
Distribution: Open SUSE 11.x
Posts: 70

Rep: Reputation: 6
From http://linux.die.net/man/8/iptables

hashlimit

This patch adds a new match called 'hashlimit'. The idea is to have something like 'limit', but either per destination-ip or per (destip,destport) tuple.

It gives you the ability to express
'1000 packets per second for every host in 192.168.0.0/16'

'100 packets per second for every service of 192.168.1.1'
with a single iptables rule.
--hashlimit rate
A rate just like the limit match
--hashlimit-burst num
Burst value, just like limit match
--hashlimit-mode destip | destip-destport
Limit per IP or per port
--hashlimit-name foo
The name for the /proc/net/ipt_hashlimit/foo entry
--hashlimit-htable-size num
The number of buckets of the hash table
--hashlimit-htable-max num
Maximum entries in the hash
--hashlimit-htable-expire num
After how many milliseconds do hash entries expire
--hashlimit-htable-gcinterval num
How many milliseconds between garbage collection intervals

So I think changing hashlimit-mode works, not entirely sure though.
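The three limiting choices discussed in posts #3 and #4 side by side, as an added example that is not from the thread or from the iptables project. It reuses the thread's interface eth0 and port range 5060:5062; the hashlimit names sip-per-host and sip-per-port are placeholders. It assumes the current option spelling `--hashlimit-upto` (the newer name for the `--hashlimit` used in post #3) and an iptables build with the hashlimit, limit and connlimit matches. Two points the man page excerpt only implies: `--hashlimit-mode dstport` keeps one bucket per destination port, so across a three-port range it allows 1000/s on each port, not 1000/s in total; a single bucket shared by every host and every port in the range is what the plain `limit` match gives. The script only prints the rules unless APPLY=1 is set, so it can be reviewed before anything is installed.

```shell
#!/bin/sh
# Added example: rate-limiting new TCP connections to 5060-5062 three ways.
# By default the iptables commands are printed, not executed; run as root
# with APPLY=1 to install them. Names and numbers below are illustrative.

IFACE="eth0"
PORTS="5060:5062"

# Print or apply one iptables command, depending on APPLY.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Per-source-host limit, the behaviour of the rule in post #3 (minus srcport):
# every client IP gets its own 1000/s bucket, so the aggregate is unbounded.
per_host_rule() {
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$PORTS" --syn \
        -m hashlimit --hashlimit-upto 1000/second --hashlimit-burst 1000 \
        --hashlimit-mode srcip --hashlimit-name sip-per-host -j ACCEPT
}

# Per-destination-port limit: dstport mode keys the bucket on the destination
# port only, so all sources together share 1000/s on each of the three ports
# (up to 3000/s across the whole range).
per_port_rule() {
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$PORTS" --syn \
        -m hashlimit --hashlimit-upto 1000/second --hashlimit-burst 1000 \
        --hashlimit-mode dstport --hashlimit-name sip-per-port -j ACCEPT
}

# One bucket for the whole range and every host: the plain limit match has no
# per-key hashing, which is what "1000/s total for the port range" asks for.
range_total_rule() {
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$PORTS" --syn \
        -m limit --limit 1000/second --limit-burst 1000 -j ACCEPT
}

# connlimit is a different control: it caps concurrent connections per source
# address (here 20 per /32), not the rate at which new ones arrive.
connlimit_rule() {
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$PORTS" --syn \
        -m connlimit --connlimit-above 20 --connlimit-mask 32 -j REJECT
}

# SYNs that did not fit in the bucket fall through to this drop.
drop_excess_rule() {
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$PORTS" --syn -j DROP
}

# The aggregate policy from the question: a shared bucket for the range,
# a per-host concurrency cap, and a drop for everything over the limit.
main() {
    range_total_rule
    connlimit_rule
    drop_excess_rule
}

main
```

While a rule is installed, the live buckets of a hashlimit rule can be inspected in the /proc/net/ipt_hashlimit/ entry named by --hashlimit-name (sip-per-port above), which is the quickest way to confirm whether the kernel is keeping one bucket per port or one per source.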