LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-13-2011, 02:37 PM   #1
rhbegin
Member
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381
I am baffled here. I have tried the following rules and they do not allow any connection to 110.

Original 110 rule - in iptables

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

Replaced with the 2 rules below. From my understanding it will allow up to 24 in 1 minute, then block on the 25th connection.

When I put this in, I am unable to connect using an email client; it is blocked.

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --name DEFAULT --rsource -j DROP

What am I missing, does anyone have any ideas or tips?

I am very confused.

Code:
# Generated by iptables-save v1.3.5 on Fri May 13 09:31:12 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [101:15023]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -j RH-Firewall-1-INPUT 
-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-INPUT -s 19x.9.1x.xx -d 19x.9x.8x.28 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Fri May 13 09:31:12 2011
# Generated by iptables-save v1.3.5 on Fri May 13 09:31:12 2011
*nat
:PREROUTING ACCEPT [2:112]
:POSTROUTING ACCEPT [2:167]
:OUTPUT ACCEPT [2:167]
COMMIT
I added in:

Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --name DEFAULT --rsource -j DROP
removed line:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

No connection for the email client on port 110.

I added the rule to the INPUT section, and left the standard line in for 110.

I think it may work, I need to do some testing with another server.

Does anyone know, if I left the standard rule in for ports 110 & 25, whether I would add these two rules to INPUT in iptables?

Code:
-A RH-Firewall-1-INPUT -p tcp --dport 110 -m state --state NEW -m recent --set
-A RH-Firewall-1-INPUT -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 -j DROP
Has anyone ever worked with rate-limiting on ports to prevent denial of service attacks?


Any help would be great.

Would the original rule for port 110 need to be left in place and the 2 additional rate-limiting rules be placed in the INPUT chain?

Last edited by unSpawn; 05-17-2011 at 09:42 AM. Reason: //Merge posts, no reason for 4 separate ones, added BB code..
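Added example, not code from the thread or from Red Hat: a script that prints the recent-match rules for one port in the iptables-save format of the ruleset above. It makes two points the post runs into. First, "-m recent --set" and "-m recent --update ... -j DROP" only record and test the source address; neither rule accepts anything, so once the original "--dport 110 -j ACCEPT" is removed every new POP3 connection falls through to the chain's final "-j REJECT --reject-with icmp-host-prohibited". The ACCEPT has to stay, as the third rule. Second, the kernel module remembers only ip_pkt_list_tot packets per source (default 20), and --hitcount cannot exceed that: a larger value is either refused when the rule loads or never matches, so 25 cannot work on a stock module while 20 does. The chain name is taken from the posted ruleset; the list names POP3/SMTP, the trusted address 192.0.2.10 and the helper names are chosen here.

```sh
#!/bin/sh
# Per-source connection rate limit with the iptables "recent" match, written
# for the RHEL5 RH-Firewall-1-INPUT chain. Added example, not from the thread.
#
# Rule order matters: record the source, drop if it has reached HITS new
# connections within SECS seconds, then ACCEPT. Without the ACCEPT the
# chain's final REJECT rejects everything (the symptom in the first post).
#
# --hitcount must not exceed the module's ip_pkt_list_tot (default 20), or
# the rule is refused / never matches. To allow more, set a module option
# in /etc/modprobe.conf or /etc/modprobe.d/, e.g.
#   options ipt_recent ip_pkt_list_tot=50     (module is xt_recent on 2.6.22+)
#
# "DEFAULT" in the thread is just the list iptables uses when --name is
# omitted; any name works, and two services given the same name share a count.
#
# Usage: sh ratelimit.sh          print the rules (dry run)
#        sh ratelimit.sh apply    insert them into the running firewall (root)

# ratelimit_rules CHAIN PORT LISTNAME HITS SECS [TRUSTED_IP ...]
# Prints the rules in the order they must appear, above the chain's REJECT.
ratelimit_rules() {
    chain=$1; port=$2; name=$3; hits=$4; secs=$5
    shift 5
    for ip in "$@"; do   # exempt e.g. an upstream spam filter or NAT gateway
        printf -- '-A %s -s %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
            "$chain" "$ip" "$port"
    done
    # 1. remember this source in list LISTNAME (this packet counts as hit 1)
    printf -- '-A %s -p tcp --dport %s -m state --state NEW -m recent --set --name %s --rsource\n' \
        "$chain" "$port" "$name"
    # 2. drop when the source has HITS or more entries newer than SECS seconds
    printf -- '-A %s -p tcp --dport %s -m state --state NEW -m recent --update --seconds %s --hitcount %s --name %s --rsource -j DROP\n' \
        "$chain" "$port" "$secs" "$hits" "$name"
    # 3. the rule the first attempt lost: accept what passed the check
    printf -- '-A %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$chain" "$port"
}

# hitcount_ok HITS [LIMIT]: true if HITS fits the per-source packet memory.
# LIMIT defaults to the loaded module's ip_pkt_list_tot, or 20 if not loaded.
hitcount_ok() {
    limit=${2:-}
    if [ -z "$limit" ]; then
        limit=20
        for f in /sys/module/xt_recent/parameters/ip_pkt_list_tot \
                 /sys/module/ipt_recent/parameters/ip_pkt_list_tot; do
            if [ -r "$f" ]; then limit=$(cat "$f"); break; fi
        done
    fi
    [ "$1" -le "$limit" ]
}

# insert_live CHAIN PORT LISTNAME HITS SECS [TRUSTED_IP ...]
# "-A" would append the rules behind the chain's final REJECT, where they
# never match, so they are inserted in front of it at its rule number.
insert_live() {
    chain=$1
    pos=$(iptables -n --line-numbers -L "$chain" | awk '$2 == "REJECT" { print $1; exit }')
    [ -n "$pos" ] || { echo "no REJECT rule in $chain" >&2; return 1; }
    ratelimit_rules "$@" | while read -r rule; do
        eval "iptables -I $chain $pos ${rule#-A $chain }"
        pos=$((pos + 1))
    done
}

if ! hitcount_ok 20; then
    echo "warning: --hitcount exceeds ip_pkt_list_tot, rule will not work" >&2
fi
if [ "${1:-}" = apply ]; then
    insert_live RH-Firewall-1-INPUT 110 POP3 20 60
    insert_live RH-Firewall-1-INPUT 25  SMTP 20 60 192.0.2.10
else
    ratelimit_rules RH-Firewall-1-INPUT 110 POP3 20 60
    ratelimit_rules RH-Firewall-1-INPUT 25  SMTP 20 60 192.0.2.10
fi
```

For a permanent change, paste the printed lines into /etc/sysconfig/iptables in place of the old "--dport 110 -j ACCEPT" line (they must stay above the final REJECT) and run "service iptables restart". While the rules are live, "cat /proc/net/ipt_recent/POP3" ("/proc/net/xt_recent/POP3" on newer kernels) lists every remembered source with its timestamps, so you can watch a client's count climb toward the limit.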
 
Old 05-16-2011, 04:13 PM   #2
Noway2
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124
Off hand, I don't see anything wrong with your rate limit rules. The timing you're using shouldn't cause a problem, in my opinion. I have placed the code that I have successfully used for rate limiting on SSH, perhaps it will help. The only other caveat that I know of is that you can't use the name DEFAULT in more than one "state machine".

Code:
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
Old 05-16-2011, 08:19 PM   #3
rhbegin
Original Poster
Quote: Originally Posted by Noway2 (post #2 above)
So these rules go in the INPUT section of iptables, correct?

I copied them into the input section below.

Basically it would block after 25 hits in 60 seconds.



Like this:
Code:
# Generated by iptables-save v1.3.5 on Fri May 13 09:31:12 2011
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 110 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 -j DROP
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [101:15023]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -j RH-Firewall-1-INPUT 
-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-INPUT -s 19x.9.1x.xx -d 19x.9x.8x.28 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Fri May 13 09:31:12 2011
# Generated by iptables-save v1.3.5 on Fri May 13 09:31:12 2011
*nat
:PREROUTING ACCEPT [2:112]
:POSTROUTING ACCEPT [2:167]
:OUTPUT ACCEPT [2:167]
COMMIT

Last edited by unSpawn; 05-17-2011 at 09:45 AM. Reason: // BB code
 
Old 05-17-2011, 04:17 AM   #4
Noway2
Yes, the rules would go to the input chain. If you still have issues, I would try removing the other rules related to port 110 and see if that impacts anything. One other thing is that I just noticed from your reply that you are using "RH-Firewall-1". While this is apparently a front end for iptables, having not used it, I am not sure its behavior is the same or if it will conflict with the rules I posted. Basically, YMMV (your mileage may vary).
 
Old 05-17-2011, 07:22 AM   #5
rhbegin
Original Poster
Quote: Originally Posted by Noway2 (post #4 above)
I will add them to the INPUT chain.

Can you add this to the INPUT chain as well?

Inside the INPUT chain, so it would cover port 110 and port 25. From the above post about DEFAULT, is it limited to only one, so you could not have ports 110 and 25 rate-limited? Any help understanding this would be great.

Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --name DEFAULT --rsource -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --name DEFAULT --rsource -j DROP

Last edited by rhbegin; 05-17-2011 at 07:23 AM.
 
Old 05-17-2011, 07:58 AM   #6
Noway2
You need to use a different name than DEFAULT for the 2nd rate limiting instance.

One other thing to consider is that most MTA applications already have built in rate throttling. Implementing rate limiting with Iptables may not be necessary, nor the best approach.
 
Old 05-17-2011, 08:17 AM   #7
rhbegin
Original Poster
What could you use for the other instance name other than DEFAULT? Is it specific on conventions?
 
Old 05-17-2011, 09:26 AM   #8
glennt11
LQ Newbie
Registered: Aug 2004
Location: NY
Distribution: Ubuntu,Red Hat,Centos 5
Posts: 29
Just so it's clear, the RH-Firewall-1-INPUT is a table created by the Red Hat firewall configuration tool. As you can see from his listings above, this table is covering the rules for both the INPUT and FORWARD tables. This may also be causing some issues. But I agree, the mail app may have a better handle on rate limiting than trying to create a rule. I think I'll look that up sometime.


Code:
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -j RH-Firewall-1-INPUT
 
Old 05-17-2011, 10:00 AM   #9
rhbegin
Original Poster
I can remove the -A FORWARD -j RH-Firewall-1-INPUT

This is the standard convention of RHEL in version 5 across the board.

I will give this a try on port 110. Do you know how I could name the other rule line, other than DEFAULT?
 
Old 05-17-2011, 11:43 AM   #10
rhbegin
Original Poster
I implemented the limiting on 110 and it is successful. I changed it to 20 connections in 1 minute.

With all of the other rules in place.
 
Old 05-17-2011, 01:03 PM   #11
rhbegin
Original Poster
What other syntax can I use other than DEFAULT for the port 25 line?

Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP

(Change DEFAULT to ???)
Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP

I changed it to RECENT and it works for the port 25 rules above...


Last edited by rhbegin; 05-17-2011 at 02:08 PM.
 
Old 05-17-2011, 01:55 PM   #12
rhbegin
Original Poster
How would I be able to make it log to a separate log file, or is that possible?


Any advice/help on this would be great.
 
Old 05-17-2011, 07:26 PM   #13
rhbegin
Original Poster
I had to make an exception in the firewall for the spam/firewall appliances and NAT'd IPs.


I used the existing RHEL/CentOS firewall rules and modified them.

If anyone knows how to setup logging in iptables with the new rules (rate-limiting) please let me know.

Thanks!
 
Old 05-18-2011, 04:33 AM   #14
Noway2
Quote:
if anyone knows how to setup logging in iptables with the new rules (rate-limiting) please let me know.
This link might be of help: http://www.cyberciti.biz/tips/force-...-log-file.html

Pretty much you add the word LOG to the actions in addition to drop, i.e. -j LOG DROP. The link shows how to configure where the logging occurs and how to customize the message.
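Added example, not from the thread or the linked page, showing how the logging actually has to be wired up. "-j LOG DROP" is not valid syntax: a rule has exactly one target, and LOG is non-terminating, so it needs its own rule placed directly in front of the "-m recent --update ... -j DROP" rule with the same match (here "--rcheck", which tests the list without touching its timestamps). The LOG rule is throttled with "-m limit", otherwise the flood you are limiting becomes a flood of kernel messages. The script also prints an rsyslog drop-in that diverts the tagged lines into their own file, and an awk summary that counts the dropped sources in a log excerpt. Assumed here: list name POP3, the prefix "POP3-RATELIMIT: ", rsyslog as the syslog daemon (sysklogd, the RHEL5 default, cannot filter on message text), and the sample log lines, which are constructed.

```sh
#!/bin/sh
# Logging for the recent-match rate limit: LOG rule, rsyslog routing, and a
# per-source summary of the resulting log lines. Added example, not from the
# thread. Rule order in the chain becomes: --set, LOG (--rcheck), DROP
# (--update), ACCEPT.

# log_rule CHAIN PORT LISTNAME HITS SECS PREFIX
# The LOG rule to insert immediately before the matching DROP rule.
# PREFIX is limited to 29 characters by iptables; end it with a space so the
# kernel's "IN=... SRC=..." fields stay separate.
log_rule() {
    chain=$1; port=$2; name=$3; hits=$4; secs=$5; prefix=$6
    printf -- '-A %s -p tcp --dport %s -m state --state NEW -m recent --rcheck --seconds %s --hitcount %s --name %s --rsource -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "%s" --log-level info\n' \
        "$chain" "$port" "$secs" "$hits" "$name" "$prefix"
}

# rsyslog_snippet PREFIX FILE: drop-in for /etc/rsyslog.d/ (legacy syntax)
# that writes the tagged kernel messages to FILE and discards them afterwards
# so they do not also land in /var/log/messages. Must precede the catch-all
# "*.info;..." rule; on rsyslog 7+ "& stop" replaces "& ~".
rsyslog_snippet() {
    printf ':msg, contains, "%s" %s\n& ~\n' "$1" "$2"
}

# Constructed sample of /var/log/messages after the LOG rule fires.
SAMPLE_LOG=$(cat <<'EOF'
May 17 13:02:11 mail kernel: POP3-RATELIMIT: IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:aa:bb:cc:08:00 SRC=198.51.100.7 DST=192.0.2.28 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=40123 DF PROTO=TCP SPT=51234 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 13:02:12 mail kernel: POP3-RATELIMIT: IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:aa:bb:cc:08:00 SRC=198.51.100.7 DST=192.0.2.28 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=40124 DF PROTO=TCP SPT=51235 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 13:02:40 mail kernel: POP3-RATELIMIT: IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:aa:bb:cc:08:00 SRC=203.0.113.9 DST=192.0.2.28 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=7 DF PROTO=TCP SPT=40001 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
May 17 13:03:01 mail kernel: SMTP-RATELIMIT: IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:aa:bb:cc:08:00 SRC=203.0.113.9 DST=192.0.2.28 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=8 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
May 17 13:03:05 mail sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
EOF
)

# dropped_sources PREFIX: read log lines on stdin and print "count source dport"
# for the lines carrying PREFIX, busiest source first.
dropped_sources() {
    awk -v p="$1" '
        index($0, p) == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") n[src " " dpt]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Dry run: the rule, the rsyslog drop-in, and the summary of the sample.
log_rule RH-Firewall-1-INPUT 110 POP3 20 60 'POP3-RATELIMIT: '
rsyslog_snippet 'POP3-RATELIMIT: ' /var/log/iptables-ratelimit.log
printf '%s\n' "$SAMPLE_LOG" | dropped_sources 'POP3-RATELIMIT: '
```

On the sample the summary prints "2 198.51.100.7 110" and "1 203.0.113.9 110"; the SMTP line is skipped because it carries a different prefix, which is the reason to give each service its own list name and prefix. In production, feed the diverted file to the same function: "dropped_sources 'POP3-RATELIMIT: ' < /var/log/iptables-ratelimit.log".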
 
Old 05-18-2011, 10:02 AM   #15
rhbegin
Original Poster
Quote: Originally Posted by Noway2 (post #14 above)
I will check this out, thanks for all of the help!

The biggest battle with rate-limiting the ports was the massive spam appliance MX devices; they hit the server on port 25 constantly due to the thousands of accounts and business email servers.

It is the default set of iptables rules with RHEL/CentOS I was using, just had the rules in the wrong location.

I will let it 'bake-in' and start the testing on the logging with another server.

If anyone is faced with the problem of NAT'd IPs and MX spam devices needing exemption from the rate-limiting rules, let me know.


Last edited by rhbegin; 05-18-2011 at 10:03 AM.
 
  

