LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-28-2016, 11:12 AM   #1
WiseDraco
Member
 
Registered: Nov 2006
Location: Europe,Latvia,Riga
Distribution: slackware,slax, OS X, exMandriva
Posts: 591

iptables with -m limit works very strangely....? and "!" does not work...???


Hello!
I am trying to limit the possibility of intensive scanning of my host, and DoS attacks, by adding
these rules at the beginning of my old rc.firewall script:

### limit connections - DoS prevent
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j DROP

Immediately after I reran my rc.firewall with these lines added, all traffic to my server was blocked, and I could only revert that when I came home in the evening and attached a monitor and keyboard to the server...

But, OK - I do not understand: iptables rules work if everything that is defined in them is true....?

In this example, these rules should work and drop packets only when the set limit is exceeded, no?
And when the limit is not exceeded, there should be no "DROP" action, as I understand it.

But in reality I find it is the other way round - the rule takes effect if the limit is not exceeded.
That's bad, because I need it to work as a trigger that drops specific traffic if it becomes too frequent.

I tried using "!" - the inverse mark - before "--limit", but then iptables "says" I can't use the inverse before --limit.

I tried using the inverse before -j DROP, but again iptables says I can't.

Can someone explain to me why iptables works so "wrong" in this case, and how I can get what I want?

Thanks in advance, and sorry for my bad English.....
 
Old 12-28-2016, 11:22 AM   #2
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 509

Hi there,

I think you're misunderstanding how the limit module works. From the iptables-extensions man page: "A rule using this extension will match until this limit is reached".

To fix your rule, change it from DROP to ACCEPT. It will accept connections until the limit is reached, after which it will no longer match, and therefore no longer accept packets.

Regards,

Clifford
 
Old 12-28-2016, 11:31 AM   #3
WiseDraco
Original Poster
Quote:
Originally Posted by cliffordw
Hi there,

I think you're misunderstanding how the limit module works. From the iptables-extensions man page: "A rule using this extension will match until this limit is reached".

To fix your rule, change it from DROP to ACCEPT. It will accept connections until the limit is reached, after which it will no longer match, and therefore no longer accept packets.

Regards,

Clifford
As I understand how iptables works (maybe wrongly?), traffic flows through the rules from the beginning until something matches. The first rule that matches takes that traffic out of further flow through the rules, no?

For example:

I have

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 ! -s 8.8.8.8/24 -j DROP



Then in that case, my second rule, which allows only the class "C" subnet of the 8.8.8 network to my port 80, does not work?

In the case where --limit does not match, all port 80 traffic is accepted and does not reach the second rule;
in the case where the limit is reached, it reaches the second rule...? :-O

Am I wrong in my assumption?
 
Old 12-28-2016, 12:47 PM   #4
cliffordw
Yes, that's correct.
 
Old 12-28-2016, 12:58 PM   #5
WiseDraco
Original Poster
Quote:
Originally Posted by cliffordw
Yes, that's correct.

Aha.
But I need a very simple detector - a safety switch that I can put at the head of my iptables chain to shut off all traffic on defined ports if the connections per minute, or something like that, exceed a definition.
Otherwise I would be very happy for the traffic to pass on and be trapped by my branched rules based on source IP, ports, protocols and so on.

If I change "drop" to "accept", then I break all my other rules for that traffic, which is not the way....

Is there some "right use" of the aforementioned rules that allows blocking all traffic that meets the conditions, instead of allowing it?
 
Old 12-28-2016, 01:02 PM   #6
cliffordw
Try this:

Code:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j DROP
iptables -A INPUT -p tcp --dport 80 ! -s 8.8.8.8/24 -j DROP
The first rule will allow incoming traffic to port 80 until the limit is reached, and once the limit is exceeded, the second rule will drop that traffic.
 
Old 12-28-2016, 01:26 PM   #7
WiseDraco
Original Poster
Quote:
Originally Posted by cliffordw
Try this:

Code:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j DROP
iptables -A INPUT -p tcp --dport 80 ! -s 8.8.8.8/24 -j DROP
The first rule will allow incoming traffic to port 80 until the limit is reached, and once the limit is exceeded, the second rule will drop that traffic.
That was just a simple example.

Really I have, say, port 22 (ssh), on which I have about 5 different rules - enabling connections via ssh only from defined addresses / networks.
At the same time I may benefit from the possibility to close off brute-forcing on port 22 if something goes wrong, say, an attacker gets one of the addresses that is in the whitelist for ssh in my iptables.

Yes, theoretically I can operate via state NEW vs state ESTABLISHED, but that, say in the ssh case, looks not secure, not good, and also not nice from an overall view...

Very surprised - such an elementary, basic thing in IP filtering, and not realised in iptables?
With all its tens of years of development, and millions of users? :-O
 
Old 12-28-2016, 01:40 PM   #8
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,759

You can do it with a user-defined chain.
Code:
:Limit50
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j Limit50
iptables -A Limit50 -m limit --limit 50/minute --limit-burst 200 -j RETURN
iptables -A Limit50 -j DROP
The "Limit50" chain will simply RETURN to the calling chain until the limit is reached, then it will fall through to the DROP rule.

The way it's set up here, there are no qualifiers in that "-m limit" rule, so anything that calls the Limit50 chain shares the same counter. By including qualifiers in that rule, you could group several independent limiters in that same chain.
 
Old 12-28-2016, 02:13 PM   #9
WiseDraco
Original Poster

Quote:
Originally Posted by rknichols
You can do it with a user-defined chain.
Code:
:Limit50
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j Limit50
iptables -A Limit50 -m limit --limit 50/minute --limit-burst 200 -j RETURN
iptables -A Limit50 -j DROP
The "Limit50" chain will simply RETURN to the calling chain until the limit is reached, then it will fall through to the DROP rule.

The way it's set up here, there are no qualifiers in that "-m limit" rule, so anything that calls the Limit50 chain shares the same counter. By including qualifiers in that rule, you could group several independent limiters in that same chain.
Yes, thank you.
I had to add iptables -N Limit50, but otherwise it looks like this construction works as you described - I have not hit the "over" condition yet, but in any case I see the counter on my
"allow 80 dport" rule, which sits below all this, increase, contrary to the previous experiments.

Thank you very much!
Yet I continue to think that this thing could be realised more simply on the developer side...
 
Old 12-28-2016, 02:29 PM   #10
rknichols
You could also do it by negating the limit match.
Code:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit ! --limit 50/minute --limit-burst 200 -j DROP
                                                                  ^
That rule will match (and DROP) packets that have broken the limit. I find that syntax confusing. It also doesn't allow aggregating several events into the same counter.

Last edited by rknichols; 12-28-2016 at 02:30 PM.
 
Old 12-28-2016, 02:36 PM   #11
WiseDraco
Original Poster
Quote:
Originally Posted by rknichols
You could also do it by negating the limit match.
Code:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit ! --limit 50/minute --limit-burst 200 -j DROP
                                                                  ^
That rule will match (and DROP) packets that have broken the limit. I find that syntax confusing. It also doesn't allow aggregating several events into the same counter.
The syntax is more or less OK for me, but that does not work. In my first message I wrote that iptables does not allow negating before --limit, nor before -j DROP:

Starting Firewall & NAT
iptables v1.4.14: limit: option "--limit" cannot be inverted.

Try `iptables -h' or 'iptables --help' for more information.
 
Old 12-28-2016, 04:17 PM   #12
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

I greatly prefer hashlimit over limit.
In limit, once the "limit" is reached, ALL requests are affected. That includes the person doing the DoS, you and any other legitimate users. I discovered this after having it on a server and getting DoSed; the whole server wasn't responding on port 80.

In hashlimit, you're allowed to specify an extra bit of info like the source ip.

Code:
iptables -A INPUT -p tcp -m hashlimit --hashlimit-name HTTP --hashlimit-mode srcip --hashlimit 1/s --hashlimit-burst 50 -j ACCEPT
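To make the three constructions in this thread concrete, here is an added Python model (not iptables code, and not written by any of the posters) of the limit/hashlimit token bucket: the OP's "-m limit ... -j DROP" from post #1, rknichols's RETURN chain from post #8, and Sefyir's per-source hashlimit above. The bucket refill rule is simplified, the traffic sample is constructed, and the addresses are documentation ranges.

```python
"""Constructed model of netfilter's limit / hashlimit token bucket, showing
which packets each construction from the thread drops (not iptables code)."""
from collections import defaultdict


class TokenBucket:
    """Simplified 'limit' match: refill at `rate` tokens/s up to `burst`.
    match() returns True (the rule matches) while a token is available."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def match(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True          # under the limit: the match succeeds
        return False             # limit exceeded: the rule does not match


def verdicts(packets, policy, rate, burst):
    """Return this rule's verdict per packet: 'DROP', or 'PASS' (the packet
    goes on to later rules). packets = [(time_s, src_ip), ...]."""
    shared = TokenBucket(rate, burst)
    per_src = defaultdict(lambda: TokenBucket(rate, burst))
    out = []
    for now, src in packets:
        if policy == "limit_drop":          # post #1: -m limit ... -j DROP
            out.append("DROP" if shared.match(now) else "PASS")
        elif policy == "limit_chain":       # post #8: RETURN while matching, else DROP
            out.append("PASS" if shared.match(now) else "DROP")
        elif policy == "hashlimit_srcip":   # post #12: one bucket per source address
            out.append("PASS" if per_src[src].match(now) else "DROP")
        else:
            raise ValueError(policy)
    return out


# Constructed sample: five SYNs from one noisy source within the same second,
# then one SYN from an unrelated client half a second later. Rate 1/s, burst 3.
SAMPLE = [(0.0, "198.51.100.7")] * 5 + [(0.5, "192.0.2.10")]


def demo():
    return {p: verdicts(SAMPLE, p, rate=1.0, burst=3)
            for p in ("limit_drop", "limit_chain", "hashlimit_srcip")}


if __name__ == "__main__":
    for policy, v in demo().items():
        print(f"{policy:16s} {' '.join(v)}")
```

The output reproduces the thread: limit_drop drops everything while under the limit (the OP's lockout), limit_chain drops the unrelated client once the shared counter is exhausted (Sefyir's collateral damage), and hashlimit_srcip drops only the noisy source.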
 
Old 12-29-2016, 03:29 PM   #13
WiseDraco
Original Poster
Quote:
Originally Posted by Sefyir
I greatly prefer hashlimit over limit.
In limit, once the "limit" is reached, ALL requests are affected. That includes the person doing the DoS, you and any other legitimate users. I discovered this after having it on a server and getting DoSed; the whole server wasn't responding on port 80.

In hashlimit, you're allowed to specify an extra bit of info like the source ip.

Code:
iptables -A INPUT -p tcp -m hashlimit --hashlimit-name HTTP --hashlimit-mode srcip --hashlimit 1/s --hashlimit-burst 50 -j ACCEPT
Yes, thank you too!
A construction like

Code:
#:SMTP15
$IPTABLES -I INPUT -m hashlimit -m tcp -p tcp --dport 25 --hashlimit-above 15/min  --hashlimit-burst 70 --hashlimit-mode srcip --hashlimit-name smtp15 -m state --state NEW -j LOG --log-level 7 --log-prefix '#SPAMmers SMTP15 hash  iNet #'
$IPTABLES -I INPUT -m hashlimit -m tcp -p tcp --dport 25 --hashlimit-above 15/min  --hashlimit-burst 70 --hashlimit-mode srcip --hashlimit-name smtp15 -m state --state NEW -j DROP
works well.

A construction like:
Code:
$IPTABLES -I INPUT -p tcp --dport 80 -m state --state NEW \
-m connlimit --connlimit-above 10 -j REJECT --reject-with icmp-admin-prohibited

$IPTABLES -I INPUT -p tcp --dport 80 -m state --state NEW \
-m connlimit --connlimit-above 10 -j LOG --log-level 7 --log-prefix '!!HACKERS HTTP connlimit !!'
works too, but is a bit stranger, and a bit more different...
 
  

