I am baffled here. I have tried the following rules and it does not allow any connection to 110.

Original 110 rule in iptables:

Code:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

replaced with the 2 rules below. From my understanding it will allow up to 24 in 1 minute, then block on the 25th connection. When I put this in, I am unable to connect using an email client; it is blocked.

Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --name DEFAULT --rsource -j DROP

What am I missing? Does anyone have any ideas or tips? I am very confused.

Code:
# Generated by iptables-save v1.3.5 on Fri May 13 09:31:12 2011

Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

No connection to the email client or port 110. I added the rule to the INPUT section, and left the standard line in for 110. I think it may work; I need to do some testing with another server. Does anyone know, if I left the standard rule in for port 110 & 25, would I add these two rules to the INPUT in iptables?

Code:
-A RH-Firewall-1-INPUT -p tcp --dport 110 -m state --state NEW -m recent --set

Any help would be great. Would the original rule for port 110 need to be left in place and the 2 additional rate-limiting rules be placed in the INPUT???
Offhand, I don't see anything wrong with your rate limit rules. The timing you're using shouldn't cause a problem, in my opinion. I have placed the code that I have successfully used for rate limiting on SSH; perhaps it will help. The only other caveat that I know of is that you can't use the name DEFAULT in more than one "state machine".

Code:
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
I copied them into the input section below. Basically it would block after 25 hits in 60 seconds. Like this:

Code:
# Generated by iptables-save v1.3.5 on Fri May 13 09:31:12 2011
Yes, the rules would go to the input chain. If you still have issues, I would try removing the other rules related to port 110 and see if that impacts anything. One other thing is that I just noticed from your reply that you are using "RH-Firewall-1". While this is apparently a front end for iptables, having not used it, I am not sure its behavior is the same or if it will conflict with the rules I posted. Basically, YMMV (your mileage may vary).
Can you add this to the INPUT chain as well? Inside the INPUT chain, so it would cover port 110 and port 25. From the above post about the DEFAULT, is it limited to only 1, so you could not have ports 110 and 25 rate-limited? Any help understanding this would be great.

Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --name DEFAULT --rsource -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --name DEFAULT --rsource -j DROP
You need to use a different name than DEFAULT for the 2nd rate limiting instance.
One other thing to consider is that most MTA applications already have built-in rate throttling. Implementing rate limiting with iptables may not be necessary, nor the best approach.
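A small model of the recent match, added here as an illustration and not code from the thread, that replays constructed connection attempts through the --set / --update rule pair in the order the thread uses. It shows the 20th NEW connection in 60 seconds from one address being dropped, and why a shared --name DEFAULT makes port 110 and port 25 hits count against a single limit; the client addresses and the list names POP3/SMTP are constructed.

```python
"""Model of the iptables 'recent' match used in this thread (added example, not
the thread's own code): --set and --update --seconds W --hitcount N --rsource,
replayed over constructed NEW-connection attempts to show the drop behaviour."""

MAX_STAMPS = 20  # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per source


class RecentList:
    """One --name list: per-source-address timestamps of recorded hits."""

    def __init__(self):
        self.stamps = {}

    def set(self, src, now):
        # --set: create/refresh the entry and record this hit
        self.stamps[src] = (self.stamps.get(src, []) + [now])[-MAX_STAMPS:]

    def update(self, src, now, seconds, hitcount):
        # --update --seconds --hitcount: matches once the source has `hitcount`
        # hits inside the window; a match records this hit as well
        hits = sum(1 for t in self.stamps.get(src, []) if now - t <= seconds)
        if hits >= hitcount:
            self.set(src, now)
            return True
        return False


def run_chain(attempts, names, seconds=60, hitcount=20):
    """Replay (time, src, dport) NEW attempts through the thread's rule order
    (--set, --update ... -j DROP, --dport ... -j ACCEPT); names maps dport -> --name."""
    lists = {n: RecentList() for n in set(names.values())}
    verdicts = []
    for now, src, dport in attempts:
        rl = lists[names[dport]]
        rl.set(src, now)
        dropped = rl.update(src, now, seconds, hitcount)
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts


def demo():
    # Constructed traffic: one client opens 26 POP3 sessions one second apart.
    burst = [(t, "198.51.100.7", 110) for t in range(26)]
    single = run_chain(burst, {110: "POP3"})
    # Same client alternates 12 SMTP and 12 POP3 connections inside the window.
    mixed = [(t, "198.51.100.7", 110 if t % 2 else 25) for t in range(24)]
    shared = run_chain(mixed, {110: "DEFAULT", 25: "DEFAULT"})  # pooled counter
    separate = run_chain(mixed, {110: "POP3", 25: "SMTP"})  # one list per port
    return single, shared, separate
```

Rule order matters on the real firewall: the --update ... -j DROP rule has to sit above the --dport 110 -j ACCEPT rule, or the ACCEPT matches first and the limit never fires. Older 2.6 kernels also reject a --hitcount larger than the recent module's ip_pkt_list_tot parameter (20 by default), so check dmesg if a rule with --hitcount 25 refuses to load.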
What could you use for the other instance name other than DEFAULT? Is it specific on conventions?
Just so it's clear, the RH-Firewall-1-INPUT is a table created by the Redhat firewall configuration tool. As you can see from his listings above, this table is covering the rules for both the INPUT and FORWARD tables. This may also be causing some issues....but I agree, the mail app may have a better handle on rate limiting than trying to create a rule....I think I'll look that up sometime...
Code:
-A INPUT -j RH-Firewall-1-INPUT
I can remove the -A FORWARD -j RH-Firewall-1-INPUT. This is the standard convention of RHEL in version 5 across the board. I will give this a try on port 110. Do you know how I could name the other rule line other than DEFAULT?
I implemented the limiting on 110 and it is successful; I changed it to 20 connections in 1 minute, with all of the other rules in place.
What other syntax can I use other than DEFAULT for the port 25 line?

Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP

(Change DEFAULT to ???)

Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP

I changed it to RECENT and it works for the port 25 rules above... :)
How would I be able to make it log to a separate log file, or is it possible? Any advice/help on this would be great.
I had to make an exception in the firewall for the spam/firewall appliances and NAT'd IPs. I used the existing RHEL/CentOS firewall rules and modified them. If anyone knows how to set up logging in iptables with the new rules (rate-limiting), please let me know. Thanks!
Pretty much you add the word LOG to the actions in addition to drop, i.e. -j LOG DROP. The link shows how to configure where the logging occurs and how to customize the message.
The biggest battle with rate-limiting the ports was the massive spam appliance MX devices; they hit the server on port 25 constantly due to the thousands of accounts and business email servers. It is the default set of iptables rules with RHEL/CentOS I was using; I just had the rules in the wrong location. I will let it 'bake in' and start the testing on the logging with another server. If anyone is faced with the problem of NAT'd IP(s) and MX spam devices needing exemption from the rate-limiting rules, let me know. :)