LinuxQuestions.org

Linux - Security: Rate limiting port 110 & 25 iptables (http://www.linuxquestions.org/questions/linux-security-4/rate-limiting-port-110-and-25-iptables-880589/)

rhbegin 05-13-2011 03:37 PM

I am baffled here. I have tried the following rules and they do not allow any connection to port 110.

Original 110 rule - in iptables

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

Replaced with the 2 rules below. From my understanding it will allow up to 24 in 1 minute, then block on the 25th connection.

When I put this in, I am unable to connect using an email client, it is blocked.

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --name DEFAULT --rsource -j DROP

What am I missing? Does anyone have any ideas or tips?

I am very confused.

Code:

# Generated by iptables-save v1.3.5 on Fri May 13 09:31:12 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [101:15023]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 19x.9.1x.xx -d 19x.9x.8x.28 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri May 13 09:31:12 2011
# Generated by iptables-save v1.3.5 on Fri May 13 09:31:12 2011
*nat
:PREROUTING ACCEPT [2:112]
:POSTROUTING ACCEPT [2:167]
:OUTPUT ACCEPT [2:167]
COMMIT

I added in:

Code:

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --name DEFAULT --rsource -j DROP

removed line:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

No connection to the email client or port 110

I added the rule to the INPUT section, and left the standard line in for 110.

I think it may work; I need to do some testing with another server.

Does anyone know, if I left the standard rule in for ports 110 & 25, whether I would add these two rules to the INPUT in iptables?

Code:

-A RH-Firewall-1-INPUT -p tcp --dport 110 -m state --state NEW -m recent --set
-A RH-Firewall-1-INPUT -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 -j DROP

Has anyone ever worked with rate-limiting on ports to prevent denial of service attacks?


Any help would be great.

Would the original rule for port 110 need to be left in place and the 2 additional rate-limiting rules be placed in the INPUT?

Noway2 05-16-2011 05:13 PM

Off hand, I don't see anything wrong with your rate limit rules. The timing you're using shouldn't cause a problem, in my opinion. I have placed the code that I have successfully used for rate limiting on SSH, perhaps it will help. The only other caveat that I know of is that you can't use the name DEFAULT in more than one "state machine".

Code:

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


rhbegin 05-16-2011 09:19 PM

Quote:

Originally Posted by Noway2 (Post 4358184)
Off hand, I don't see anything wrong with your rate limit rules. The timing you're using shouldn't cause a problem, in my opinion. I have placed the code that I have successfully used for rate limiting on SSH, perhaps it will help. The only other caveat that I know of is that you can't use the name DEFAULT in more than one "state machine".

Code:

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


So these rules go in the INPUT section of iptables correct?

I copied them into the input section below.

Basically it would block after 25 hits in 60 seconds.



Like this:
Code:

# Generated by iptables-save v1.3.5 on Fri May 13 09:31:12 2011
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 110 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 -j DROP
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [101:15023]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 19x.9.1x.xx -d 19x.9x.8x.28 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri May 13 09:31:12 2011
# Generated by iptables-save v1.3.5 on Fri May 13 09:31:12 2011
*nat
:PREROUTING ACCEPT [2:112]
:POSTROUTING ACCEPT [2:167]
:OUTPUT ACCEPT [2:167]
COMMIT


Noway2 05-17-2011 05:17 AM

Yes, the rules would go in the input chain. If you still have issues, I would try removing the other rules related to port 110 and see if that impacts anything. One other thing is that I just noticed from your reply that you are using "RH-Firewall-1". While this is apparently a front end for iptables, having not used it, I am not sure its behavior is the same or if it will conflict with the rules I posted. Basically, YMMV (your mileage may vary).

rhbegin 05-17-2011 08:22 AM

Quote:

Originally Posted by Noway2 (Post 4358613)
Yes, the rules would go to the input chain. If you still have issues, I would try removing the other rules related to port 110 and see if that impacts anything. One other thing is that I just noticed from your reply that you are using "RH-Firewall-1". While this is apparently a front end for iptables, having not used it, I am not sure it's behavior is the same or if it will conflict with the rules I posted. Basically, YMMV (your mileage may vary).

I will add them to the INPUT chain.

Can you add this to the INPUT chain as well?

Inside the INPUT chain, so it would cover port 110 and port 25. From the above post about DEFAULT, is it limited to only 1, so you could not have ports 110 and 25 rate-limited? Any help understanding this would be great.

Code:

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --name DEFAULT --rsource -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --name DEFAULT --rsource -j DROP

Noway2 05-17-2011 08:58 AM

You need to use a different name than DEFAULT for the 2nd rate limiting instance.

One other thing to consider is that most MTA applications already have built in rate throttling. Implementing rate limiting with Iptables may not be necessary, nor the best approach.
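Added example, not from the thread or from iptables itself: a small Python model of how the recent match evaluates the first post's rule pair (--set, then --update --seconds 60 --hitcount 25 -j DROP) inside a chain that ends in REJECT, and what Noway2's point about reusing --name DEFAULT for the port 25 pair means in practice (both pairs then share one hit table). The source address, timings and the simplified match semantics are constructed for the demonstration.

```python
# Added example, not from the thread: a small model of the xt_recent match behind
# these rules, showing what --seconds/--hitcount count, why the chain rejected
# every POP3 connection once the ACCEPT was removed, and what a shared --name does.
from collections import defaultdict

def recent_set(table, src, now):
    table[src].append(now)     # --set always matches and records a hit for src
    return True

def recent_update(table, src, now, seconds, hitcount):
    if src not in table:       # --update only matches a source already in the table
        return False
    hits = sum(1 for t in table[src] if now - t <= seconds)
    if hits < hitcount:        # counts hits already stored, not the current packet
        return False
    table[src].append(now)     # a match refreshes the entry (keeps a busy source blocked)
    return True

def rule(dport, target, table=None, mode=None, seconds=60, hitcount=25):
    """-p tcp --dport DPORT [-m recent --set|--update ...] [-j TARGET]; target None = no -j.
    (Older kernels refuse --hitcount above the module's ip_pkt_list_tot, default 20, at load.)"""
    def match(pkt_port, src, now):
        if pkt_port != dport:
            return False
        if mode == "set":
            return recent_set(table, src, now)
        if mode == "update":
            return recent_update(table, src, now, seconds, hitcount)
        return True
    return match, target

def verdict(chain, dport, src, now):
    for match, target in chain:
        if match(dport, src, now) and target is not None:
            return target      # DROP/ACCEPT terminate; a rule without -j only has side effects
    return "REJECT"            # RH-Firewall-1-INPUT ends in -j REJECT --reject-with icmp-host-prohibited

def posted_chain(with_accept):
    # the first post's pair: --set, then --update 25 hits/60 s -> DROP, with/without the ACCEPT
    t = defaultdict(list)      # one --name table: source address -> hit timestamps (--rsource)
    chain = [rule(110, None, t, "set"), rule(110, "DROP", t, "update", 60, 25)]
    return chain + ([rule(110, "ACCEPT")] if with_accept else [])

def mail_chain(shared_name):
    # ports 110 and 25 each limited to 20 hits/60 s, sharing one --name or using two
    t110 = defaultdict(list)
    t25 = t110 if shared_name else defaultdict(list)
    return [rule(110, None, t110, "set"), rule(110, "DROP", t110, "update", 60, 20),
            rule(110, "ACCEPT"), rule(25, None, t25, "set"),
            rule(25, "DROP", t25, "update", 60, 20), rule(25, "ACCEPT")]
```

With the port 110 ACCEPT removed, the connections the --update rule does not drop simply fall through to the chain's final REJECT, which is the symptom in the first post; with one shared --name, hits on port 110 count toward the port 25 limit and vice versa.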

rhbegin 05-17-2011 09:17 AM

What could you use for the other instance name other than DEFAULT? Is it specific to conventions?

glennt11 05-17-2011 10:26 AM

Just so it's clear, the RH-Firewall-1-INPUT is a table created by the Red Hat firewall configuration tool. As you can see from his listings above, this table is covering the rules for both the INPUT and FORWARD tables. This may also be causing some issues... but I agree, the mail app may have a better handle on rate limiting than trying to create a rule... I think I'll look that up sometime...


Code:

-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT


rhbegin 05-17-2011 11:00 AM

I can remove the -A FORWARD -j RH-Firewall-1-INPUT line.

This is the standard convention of RHEL in version 5 across the board.

I will give this a try on port 110. Do you know how I could name the other rule line, other than DEFAULT?

rhbegin 05-17-2011 12:43 PM

I implemented the limiting on 110 and it is successful; I changed it to 20 connections in 1 minute.

With all of the other rules in place.

rhbegin 05-17-2011 02:03 PM

What other syntax can I use other than DEFAULT for the port 25 line?

Code:

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP

--------------------------------------------------------------------------------------(Change DEFAULT to ???)
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP

I changed it to RECENT and it works for the port 25 rules above...

:)

rhbegin 05-17-2011 02:55 PM

How would I be able to make it log to a separate log file, or is it possible?


Any advice/help on this would be great.

rhbegin 05-17-2011 08:26 PM

I had to make an exception in the firewall for the spam/firewall appliances and NAT'd IPs.


I used the existing RHEL/CentOS firewall rules and modified them.

If anyone knows how to setup logging in iptables with the new rules (rate-limiting) please let me know.

Thanks!

Noway2 05-18-2011 05:33 AM

Quote:

if anyone knows how to setup logging in iptables with the new rules (rate-limiting) please let me know.
This link might be of help: http://www.cyberciti.biz/tips/force-...-log-file.html

Pretty much you add the word LOG to the actions in addition to drop, i.e. -j LOG DROP. The link shows how to configure where the logging occurs and how to customize the message.

rhbegin 05-18-2011 11:02 AM

Quote:

Originally Posted by Noway2 (Post 4359695)
This link might be of help: http://www.cyberciti.biz/tips/force-...-log-file.html

Pretty much you add the word LOG to the actions in addition to drop, i.e. -j LOG DROP. The link shows how to configure where the logging occurs and how to customize the message.

I will check this out, thanks for all of the help!

The biggest battle with rate-limiting the ports was the massive spam appliance MX devices; they hit the server on port 25 constantly due to the thousands of accounts and business email servers.

It is the default set of iptables rules with RHEL/CentOS I was using; I just had the rules in the wrong location.

I will let it 'bake-in' and start the testing on the logging with another server.

If anyone is faced with the problem of NAT'd IPs and MX spam devices needing exemption from the rate-limiting rules, let me know.

:)
