Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
After a LOT of studying iptables, one thing I'm not quite certain about is suitable limit rates for SYN, LOG & ping flood prevention. I suppose it depends a bit on traffic, as well as bandwidth. However, I don't want to limit the former. FWIW, I expect about as much traffic as a country road in the middle of nowhere, and my bandwidth for requests is 15 Mbps (Don't laugh. Content delivery is a pathetic 2 Mbps. That's a residential cable connection for ya...)
Of all the tutorials/examples, I chose to go with Rusty Russel's limits, though they're dated 2002. Thus an excerpt of my firewall "script":
Code:
#!/bin/sh
# Saved in /etc/init.d, runlevels 2 3 4 5
# Set default (OPEN) chain policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
... <- ESTABLISHED,RELATED :)
# Prevent NEW packets without SYN set
iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 1/s -j LOG --log-prefix "iptables: NEW not SYN "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Prevent SYN floods
iptables -N normal
iptables -A INPUT -p tcp --syn -m state --state NEW -m limit --limit 1/s -j normal
# Allow inbound session requests
iptables -A normal -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A normal -p tcp --dport 443 -m state --state NEW -j ACCEPT
...
# Allow helpful ICMP messages
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -m limit --limit 1/s -j ACCEPT
...
# Log everything else inbound before DROP default
iptables -A INPUT -m limit --limit 1/s -j --log-prefix "iptables: DROP "
exit 0
Thoughts? I will say that it really puts the brakes on Nmap. I am a bit concerned, though, that someone from Canada keeps sniffing my ports, eh.
Last edited by DJRcomputing; 07-02-2011 at 06:12 AM.
Reason: Clarification of missing code bits. :)
It would all depend on what you feel comfortable with. I do think that your limiting SYN connection to 1 a second is really low. Most browsers today try and open a number of connection to speed up the downloading of the web pages. Firefox I believe tries to open 16 by default.
Also I see you are using the NEW tag but are not using the ESTABLISHED,RELATED tags. Might want to place them at the top of your chains.
I do think that your limiting SYN connection to 1 a second is really low. Most browsers today try and open a number of connection to speed up the downloading of the web pages. Firefox I believe tries to open 16 by default.
I appreciate your insight, as that's the type of thing I wondered about. It also raises one of my confusions: limit vs. burst, ie: --limit 16/s (default --limit-burst 5) vs --limit 5/s --limit-burst 16, at least given a rate in seconds?
Quote:
Originally Posted by lazydog
Also I see you are using the NEW tag but are not using the ESTABLISHED,RELATED tags. Might want to place them at the top of your chains.
Guess I should've also included those in my excerpt, which I did in the interest of a shorter post. If one wishes to see my entire "script" (in quotes again because it's nothing fancy, but it does the job), I've attached it. Thanks for your concern, though.
Last edited by DJRcomputing; 06-26-2011 at 11:44 PM.
Maybe this SITE will help you understand limits and burst.
As it mostly reitterates Rusty Russel, not really. However it did show me how to do a proper iptables init.d script, which I really appreciate knowing. I decided to finally tackled Oskar Andreasson's mind-numbing tutorial, which offers a different way of explaining limits. Apparently I have a bucket. LOL!
Otherwise, I came across an insightful thread elsewhere which brought up a valid point: self-inflicted DoS. Set the SYN limit too low, and one denies service before one's resources are even depleted. That tread also turned me onto SYN cookies (mmm...cookies). Via a link from an article about such, I came across Wesley Eddy's article which mentions another option: SYN cache. As I later discovered, though, it's a FreeBSD-only option.
In the end, I'm going to drop SYN limit. Even though DoS attacks are caused by SYN floods, and iptables can limit SYN, it doesn't seem to be a very good way of preventing DoS. Regardless, I've learned a LOT about DoS mitigation, which will hopefully be valuable in the future. Thanks for your help.
Last edited by DJRcomputing; 07-07-2011 at 05:32 AM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
iptables: appropriate limits?
That's a residential cable connection for ya...)
If one wishes to see my entire "script" (in quotes again because it's nothing fancy, but it does the job), I've attached it. Thanks for your concern, though.
