Quote:
Originally Posted by mithoviel
Thanks for moving the thread to the appropriate forum.
Haven't done that yet.
Quote:
Originally Posted by mithoviel
The thought occurred to me that this is a gray area in between security and software
It really isn't as there is no security issue with Netfilter itself. Then again it's easy to get taxonomy wrong.
Quote:
Originally Posted by mithoviel
We have noticed that it happens when the firewall_drop.sh adds a lot of rules at once.
Try this: I cut down the script to the bare essentials as you don't run this on Solaris or AIX, I moved the log to /var/log/ and I added a timeout between adding rules:
Code:
#!/bin/sh
# Adds an IP to the iptables drop list (if linux)
# Requirements: Linux with iptables
# Expect: srcip
# Author: Ahmet Ozturk (ipfilter and IPSec)
# Author: Daniel B. Cid (iptables)
# Last modified: Jan 26, 2011
ECHO="/bin/echo"; IPTABLES="/sbin/iptables"
# Invoked as: <action> <username> <ip> (any extra arguments are only logged below)
ACTION=$1; USER=$2; IP=$3; SLEEP="3s"
[ -x "$ECHO" ] || exit 1
[ -x "$IPTABLES" ] || { echo "Missing ${IPTABLES}, exiting."; exit 1; }
echo "`date` $0 $1 $2 $3 $4 $5" >> /var/log/active-responses.log
[ ${#IP} -eq 0 ] && { echo "$0: <action> <username> <ip>"; exit 1; }
[ "x${ACTION}" = "xadd" -o "x${ACTION}" = "xdelete" ] || { echo "$0: invalid action: ${ACTION}"; exit 1; }
# -I inserts the DROP rule, -D removes it again
[ "x${ACTION}" = "xadd" ] && VAR="I" || VAR="D"
${IPTABLES} -${VAR} INPUT -s "${IP}" -j DROP
# Pause between rule changes so a burst of responses doesn't hit iptables all at once
sleep $SLEEP
${IPTABLES} -${VAR} FORWARD -s "${IP}" -j DROP
sleep $SLEEP
exit 0
If there are no errors with this timeout, try going from 3 seconds to 2 and maybe to 1.
* I don't like the script design (or lack thereof) as it just adds rules to your filter table INPUT chain, which can become a performance drain as every packet not matched in a previous rule will have to traverse all rules until a match is found. Also, because it adds rules to the end of your filter table INPUT chain, a packet may exit on a prior rule match (say based solely on state and port) and thus never hit that rule. I would be much more in favor of using ipset in the raw table PREROUTING chain (for loading a gazillion rules see HIPAC). It seems ELRepo has kmod-ipset and ipset-utils RPMs, but in the "Testing" repo, so best try that out on a workstation and not move it to production until you've tested it well: YMMV(VM).
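As an added example that is not part of this thread or of OSSEC's own script, here is what the ipset alternative suggested above could look like: a single rule in the raw table PREROUTING chain matches against a set, and the active response only adds to or deletes from that set, so no chain grows per blocked address. The set name, log path, IPv4-only validation and binary paths are my assumptions.

```shell
#!/bin/sh
# ipset-based variant of firewall_drop.sh (example, not the original script).
# One raw/PREROUTING rule matches the set; add/delete only touch set members.
# Assumed set name, log path and binaries; override IPSET/IPTABLES via env.
IPSET="${IPSET:-/sbin/ipset}"; IPTABLES="${IPTABLES:-/sbin/iptables}"
SET="ossec_drop"; LOG="/var/log/active-responses.log"

# Accept only a dotted-quad IPv4 address with each octet 0-255; return 1 otherwise.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Map the OSSEC action to the ipset sub-command; fail on anything else.
ipset_verb() {
    case "$1" in add) echo add ;; delete) echo del ;; *) return 1 ;; esac
}

# One-time setup: create the set and hook it into raw/PREROUTING exactly once.
ensure_set() {
    "$IPSET" list "$SET" >/dev/null 2>&1 || "$IPSET" create "$SET" hash:ip
    "$IPTABLES" -t raw -C PREROUTING -m set --match-set "$SET" src -j DROP 2>/dev/null \
        || "$IPTABLES" -t raw -I PREROUTING -m set --match-set "$SET" src -j DROP
}

main() {
    action=$1; ip=$3
    echo "$(date) $0 $*" >> "$LOG"
    verb=$(ipset_verb "$action") || { echo "$0: invalid action: $action" >&2; exit 1; }
    valid_ipv4 "$ip" || { echo "$0: invalid ip: $ip" >&2; exit 1; }
    ensure_set
    # -exist: adding a member twice or deleting a missing one is not an error
    "$IPSET" "$verb" "$SET" "$ip" -exist
}

# Run only when invoked with arguments: <action> <username> <ip> [...]
if [ $# -gt 0 ]; then main "$@"; fi
```

Only the set membership changes per event, so the number of rules iptables has to walk stays constant no matter how many addresses are dropped.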