LinuxQuestions.org

Linux - Security: iptables/ipset configuration with hashlimit/limit not behaving properly (https://www.linuxquestions.org/questions/linux-security-4/iptables-ipset-configuration-with-hashlimit-limit-not-behaving-properly-4175497114/)

freeindy 03-05-2014 07:55 AM

iptables/ipset configuration with hashlimit/limit not behaving properly
 
Hi,

I'm trying to set up a firewall and having some unwanted behaviour.

I have two machines set up in VirtualBox:
M1 with ip 192.168.0.1
M2 with ip 192.168.0.2

I have ipset sets setup as following in M1:
Code:

# IP & Ports blacklist                                                           
MAX_ELEMS=1024
HASH_SIZE=65535
ipset create bipp hash:ip,port maxelem $MAX_ELEMS hashsize $HASH_SIZE timeout 120

# IP & Port Whitelist                                                             
MAX_ELEMS=1024
HASH_SIZE=65535
ipset create wipp hash:ip,port maxelem $MAX_ELEMS hashsize $HASH_SIZE timeout 120

And in my iptables rules (also on M1, of course) I have set the following:
Code:

# UDP chain
iptables -N gen:non_tcp

# Max allowed throughput for known source                     
iptables -A gen:non_tcp -p udp \
                            -m set --match-set wipp src,dst \
                            -m limit --limit 25/sec --limit-burst 5 \
                            -j SET --add-set bipp src,dst

To test this, I add M2's IP, which is the source of the packets being sent, as:
Code:

ipset add wipp 192.168.0.2,udp:53   # I checked the port number by sending it earlier

Now when I send one UDP packet from M2 using scapy, M1's IP gets injected into the bipp set straight away. I was expecting it to do so only if I send 25 or more, but this does not seem to be the case. I also tried the hashlimit module, with the same effect. Am I missing something?

iptables version: 1.4.14
ipset version: 6.12.1

Any help would be appreciated.
Regards,
Indyh

freeindy 03-06-2014 06:29 AM

Found my own answer. For anyone who's interested:

In the rule:
Code:

iptables -A gen:non_tcp -p udp \
                            -m set --match-set wipp src,dst \
                            -m limit --limit 25/sec --limit-burst 5 \
                            -j SET --add-set bipp src,dst

The 'limit' module returns true if the packet is within the limit, which made the jump to the SET module happen. I thought it would jump IF it was beyond the given limits. Hence, the following change makes it do what I wanted it to do:
Code:

# Name of the hashlimit table (any label; it shows up under /proc/net/ipt_hashlimit)
HASH_NAME=non_tcp_limit

# Whitelisted source still within the rate: leave the chain (RETURN).
# The sets hold IPv4 entries, so this has to be iptables, not ip6tables.
iptables -A gen:non_tcp -p udp \
                            -m set --match-set wipp src,dst \
                            -m hashlimit --hashlimit 25/sec --hashlimit-burst 5 --hashlimit-name $HASH_NAME \
                            -j RETURN

# Whatever is still here (over the limit, or not in wipp at all) goes into the blacklist
iptables -A gen:non_tcp -p udp -j SET --add-set bipp src,dst
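As an added example (not code from the thread), a Python token-bucket model of the `-m limit` / `-m hashlimit` semantics: the match is true while a packet is within the rate, which is why the first rule's SET target fired on the very first packet and why the RETURN-then-SET ordering of the fix works. The per-source buckets in `fixed_rules` assume `--hashlimit-mode srcip`, which the posted rule does not set (without it, hashlimit keeps a single bucket just like limit); the packet timings and the 192.168.0.3/192.168.0.4 hosts are constructed.

```python
"""Token-bucket model of iptables -m limit / -m hashlimit (added example, not thread code).
Both matches return True while a packet is WITHIN the rate, so '-m limit ... -j SET'
fires its target on the allowed packets rather than on the excess."""
from dataclasses import dataclass

RATE, BURST = 25.0, 5  # --limit 25/sec --limit-burst 5, as in the thread


@dataclass
class TokenBucket:
    """Credit bucket: starts full (burst), refills at 'rate' tokens per second."""
    rate: float
    burst: int

    def __post_init__(self):
        self.tokens = float(self.burst)
        self.last = 0.0

    def match(self, now: float) -> bool:
        """True when the packet is within the limit, which is what the match returns."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def original_rule(packets):
    """Thread's first rule: '-m limit ... -j SET --add-set bipp'.
    packets is a list of (time_seconds, src_ip); returns the blacklisted sources.
    The SET target runs for every packet the match accepts, i.e. from packet one."""
    bucket = TokenBucket(RATE, BURST)  # plain 'limit' keeps one bucket for all sources
    return {src for t, src in packets if bucket.match(t)}


def fixed_rules(packets):
    """Thread's fix: within limit -> RETURN; whatever is left -> SET --add-set bipp.
    Assumes --hashlimit-mode srcip (one bucket per source); without that option
    hashlimit behaves like limit and keeps a single bucket."""
    buckets, blacklisted = {}, set()
    for t, src in packets:
        if buckets.setdefault(src, TokenBucket(RATE, BURST)).match(t):
            continue  # RETURN: within the allowed rate, nothing is added
        blacklisted.add(src)  # only the excess falls through to the SET rule
    return blacklisted


# Constructed sample traffic: M2's single scapy packet, and a 6-packet burst from another host
ONE_PACKET = [(0.0, "192.168.0.2")]
BURST_OF_6 = [(i * 0.001, "192.168.0.3") for i in range(6)]
```

With the original ordering the single packet lands in the blacklist at once; with the fix it takes a burst of more than 5 packets inside the refill window before a source is added.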
