Old 03-05-2014, 07:55 AM   #1
freeindy
iptables/ipset configuration with hashlimit/limit not behaving properly


Hi,

I'm trying to set up a firewall and having some unwanted behaviour.

I have two machines set up in VirtualBox:
M1 with ip 192.168.0.1
M2 with ip 192.168.0.2

I have ipset sets set up as follows on M1:
Code:
# IP & Ports blacklist                                                            
MAX_ELEMS=1024
HASH_SIZE=65535
ipset create bipp hash:ip,port maxelem $MAX_ELEMS hashsize $HASH_SIZE timeout 120

# IP & Port Whitelist                                                              
MAX_ELEMS=1024
HASH_SIZE=65535
ipset create wipp hash:ip,port maxelem $MAX_ELEMS hashsize $HASH_SIZE timeout 120
And in my iptables rules (also on M1, of course) I have set the following:
Code:
# UDP chain
iptables -N gen:non_tcp

# Max allowed throughput for known source                       
iptables -A gen:non_tcp -p udp \
                            -m set --match-set wipp src,dst \
                            -m limit --limit 25/sec --limit-burst 5 \
                            -j SET --add-set bipp src,dst
To test this, I add M2's ip, which is the source of the packet sender, as:
Code:
ipset add wipp 192.168.0.2,udp:53
(I checked for the port number by sending a packet earlier.)
Now when I send one UDP packet from M2 using scapy, M1's ip gets injected into the bipp set straight away. I was expecting it to do so only if I send 25 or more, but this does not seem to be the case. I also tried the hashlimit module with the same effect. Am I missing something?

iptables version: 1.4.14
ipset version: 6.12.1

Any help would be appreciated.
Regards,
Indyh

Last edited by freeindy; 03-06-2014 at 05:05 AM. Reason: tool is scapy, not pcapy. sorry for that
 
Old 03-06-2014, 06:29 AM   #2
freeindy
Found my own answer. For anyone who's interested:

In rule:
Code:
iptables -A gen:non_tcp -p udp \
                            -m set --match-set wipp src,dst \
                            -m limit --limit 25/sec --limit-burst 5 \
                            -j SET --add-set bipp src,dst
The module 'limit' returns true if it's within the limit, which made the jump to the SET module. I thought it would jump IF it was beyond the given limits. Hence, the following change makes it do as I wanted it to:
Code:
# HASH_NAME must be set before this runs (it names the entry under /proc/net/ipt_hashlimit)
# Within the limit: the match succeeds and we leave the chain without blacklisting.
# iptables, not ip6tables: the wipp/bipp sets above were created for IPv4 (default family inet).
iptables -A gen:non_tcp -p udp \
                            -m set --match-set wipp src,dst \
                            -m hashlimit --hashlimit 25/sec --hashlimit-burst 5 --hashlimit-name $HASH_NAME \
                            -j RETURN

# Over the limit (the hashlimit match fails), or not whitelisted at all: blacklist the source.
iptables -A gen:non_tcp -p udp -j SET --add-set bipp src,dst

Last edited by freeindy; 03-06-2014 at 06:30 AM.
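The following is an added simulation, not the poster's code, of why the first ruleset blacklisted the whitelisted host on its very first packet and why the RETURN-then-SET layout fixes it. It models the token bucket behind xt_limit and xt_hashlimit (`burst` tokens, refilled at the configured rate; the match succeeds while a token is available and fails once the bucket is empty), the single shared bucket of `-m limit` (which `-m hashlimit` also uses when no `--hashlimit-mode` is given), and the per-source buckets you get from `--hashlimit-mode srcip`. The second whitelisted address 192.168.0.3 and the packet timings are constructed for the example.

```python
from collections import namedtuple

# Constructed sample traffic: UDP packets as seen by the gen:non_tcp chain.
# t is the arrival time in seconds; dport stands in for the "udp:53" half of
# the hash:ip,port entry.
Packet = namedtuple("Packet", "src dport t")


class TokenBucket:
    """Token bucket as used by xt_limit/xt_hashlimit: `burst` tokens, refilled
    at `rate` per second. A packet MATCHES while a token is available."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), None

    def consume(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True   # under the limit -> the rule matches
        return False      # over the limit  -> the rule does NOT match


class Limit:
    """-m limit (and -m hashlimit without --hashlimit-mode): one global bucket."""

    def __init__(self, rate, burst):
        self.bucket = TokenBucket(rate, burst)

    def match(self, pkt):
        return self.bucket.consume(pkt.t)


class HashLimit:
    """-m hashlimit --hashlimit-mode srcip: one bucket per source address."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def match(self, pkt):
        bucket = self.buckets.setdefault(pkt.src, TokenBucket(self.rate, self.burst))
        return bucket.consume(pkt.t)


def original_chain(limiter, wipp):
    """First ruleset from the thread: whitelisted AND under the limit -> SET."""
    return [(lambda p: (p.src, p.dport) in wipp and limiter.match(p), "SET")]


def fixed_chain(limiter, wipp):
    """Corrected ruleset: whitelisted AND under the limit -> RETURN;
    whatever falls through the first rule is added to the blacklist."""
    return [(lambda p: (p.src, p.dport) in wipp and limiter.match(p), "RETURN"),
            (lambda p: True, "SET")]


def walk(rules, pkt, bipp):
    """Run one packet through the chain. Matches are evaluated in order and
    short-circuit like iptables, so the limiter only spends a token when the
    set match before it succeeded. SET is non-terminating; RETURN ends the chain."""
    for match, target in rules:
        if not match(pkt):
            continue
        if target == "SET":
            bipp.add((pkt.src, pkt.dport))
        elif target == "RETURN":
            return


def first_blacklisted(build_chain, limiter, packets, key, wipp):
    """Index of the packet at which `key` lands in bipp, or None if it never does."""
    bipp = set()
    rules = build_chain(limiter, wipp)
    for i, pkt in enumerate(packets):
        walk(rules, pkt, bipp)
        if key in bipp:
            return i
    return None


M2 = ("192.168.0.2", 53)   # the entry the poster added to wipp
M3 = ("192.168.0.3", 53)   # second whitelisted source, assumed for the example
WIPP = {M2, M3}
FLOOD = [Packet(M2[0], 53, 0.0) for _ in range(10)]                # 10 packets at once
PACED = [Packet(M2[0], 53, i * 0.1) for i in range(50)]            # 10 packets per second
MIXED = [Packet((M2, M3)[i % 2][0], 53, 0.0) for i in range(20)]   # two sources, interleaved

if __name__ == "__main__":
    print("original chain, one packet   :", first_blacklisted(original_chain, Limit(25, 5), FLOOD[:1], M2, WIPP))
    print("fixed chain, flood           :", first_blacklisted(fixed_chain, Limit(25, 5), FLOOD, M2, WIPP))
    print("fixed chain, paced           :", first_blacklisted(fixed_chain, Limit(25, 5), PACED, M2, WIPP))
    print("fixed chain, shared bucket   :", first_blacklisted(fixed_chain, Limit(25, 5), MIXED, M2, WIPP))
    print("fixed chain, per-srcip bucket:", first_blacklisted(fixed_chain, HashLimit(25, 5), MIXED, M2, WIPP))
```

Two caveats the simulation makes visible. With the corrected chain, a UDP packet from a source that is not in wipp fails the first rule at the set match and falls straight through to the SET rule, so an unknown source is blacklisted on its first packet; that is what the chain is for, but it is worth knowing before putting it in front of real traffic. And with a single shared bucket, two whitelisted hosts spend each other's budget: the interleaved flood gets 192.168.0.2 blacklisted after 6 packets on a shared `-m limit` bucket but only after 10 with `--hashlimit-mode srcip`, so a per-host limit needs that mode (or `srcip,dstport`) rather than a bare `--hashlimit`.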
Tags
hashlimit, ipset, iptables, limit