 shorthairedp
firewall rule question
So, from another thread:
iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
Is there a term for all ports instead of TCP port 22 (or whatever the individual port is)?
I wish I knew the syntax for iptables. Is there a good cheater's quick reference anyone is aware of?
 shorthairedp
I found one: https://www.opensource.com/docs/manuals/···ons.html
iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state ESTABLISHED -m recent --set
iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
By rights, this will drop all new connections whenever there are more than 20 active in a minute? Is this correct?
Now, if I set QUEUE instead of DROP, and they're running P2P, how much will queue before the router flips out? Should I add another rule setting the queue to a certain level, then drops?
iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state ESTABLISHED -m recent --set
iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j QUEUE
iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state QUEUE -m recent --set
iptables -A INPUT -p all --dport 0:65535 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 50 -j DROP
For reference, I'm looking at custom abuser rules, not overall system rules.
Or am I just WAY off base here?
 dr mongolia
reply to shorthairedp: The "-A" just means "add to this chain", which in that case is the INPUT chain. So the filter would be applied to packets arriving on interface eth1 (due to the -i flag).
It looks like you're trying to limit P2P? If so, use the connlimit module; it's very effective:
iptables -I FORWARD -i br0 -p tcp --syn --dport 1: -m connlimit --connlimit-above 200 -j REJECT
iptables -I FORWARD -i br0 -p tcp --syn --dport 1024: -m connlimit --connlimit-above 7 -j REJECT
iptables -I FORWARD -i br0 -p udp --dport 1: -m connlimit --connlimit-above 200 -j REJECT
iptables -I FORWARD -i br0 -p udp --dport 1024: -m connlimit --connlimit-above 7 -j REJECT
Assuming you had a bridged interface br0 that client traffic was coming in on, this would allow 200 connections total per user for TCP and another 200 for UDP (lines #1 and #3). It also places a limit of 7 TCP and UDP connections per user on ports 1024 and above (lines #2 and #4).
The example you posted would add the user to a queue after only 20 new packets of any type were spotted in 1 minute. So the user would likely get queued after a single web page, since they've got a few connections to the server, DNS packets, etc. Using hitcount is usually best for preventing abusive activity targeted at a single host, or a single port -- portscans, brute force attacks, etc.
I had difficulty in finding a good iptables tutorial-type resource, so I just learned by looking at a bunch of examples; I think it's the easiest way. I'm falling asleep, but I'll reread this in the morning to see if I wasn't making much sense.
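As an added illustration (my own model, not code from this thread or from iptables itself), the Python below approximates how the two matches discussed above behave over a constructed burst of connections from one client: the recent/hitcount pair trips on the 20th NEW packet within the 60-second window no matter how many of those connections are still open, while connlimit only counts connections that are open at the same time. The address 10.0.0.5 and the traffic pattern are made up for the example.

```python
from collections import defaultdict

class RecentList:
    """Model of the xt_recent list: packet timestamps per source (not kernel code)."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # '-m recent --set': record this packet's time for its source address
        self.stamps[src].append(now)

    def update_matches(self, src, now, seconds, hitcount):
        # '-m recent --update --seconds S --hitcount N': match when the source
        # has at least N recorded packets within the last S seconds
        return sum(1 for t in self.stamps[src] if now - t <= seconds) >= hitcount

def recent_verdicts(events, seconds=60, hitcount=20):
    """Apply the thread's '--set' then '--update ... -j DROP' pair to
    (time, src) NEW-packet events; returns one verdict per event."""
    rl, verdicts = RecentList(), []
    for now, src in events:
        rl.set(src, now)  # rule 1 stamps every NEW packet, dropped or not
        hit = rl.update_matches(src, now, seconds, hitcount)
        verdicts.append("DROP" if hit else "ACCEPT")  # rule 2 drops on match
    return verdicts

def connlimit_verdicts(events, above=7):
    """Model of '-m connlimit --connlimit-above N -j REJECT' over
    (time, src, 'open'|'close') events: only concurrent connections count."""
    open_conns, verdicts = defaultdict(int), []
    for _, src, action in sorted(events):  # 'close' sorts before 'open' at equal times
        if action == "close":
            open_conns[src] -= 1
        elif open_conns[src] + 1 > above:  # the new connection itself counts
            verdicts.append("REJECT")
        else:
            open_conns[src] += 1
            verdicts.append("ACCEPT")
    return verdicts

def page_load_demo():
    """Constructed traffic: client 10.0.0.5 (made-up) opens 21 short-lived connections
    one second apart (busy web page plus DNS), each closing 2 s later, then one more 100 s on."""
    src = "10.0.0.5"
    recent = recent_verdicts([(t, src) for t in range(21)] + [(121, src)])
    conn_events = [(t, src, "open") for t in range(21)]
    conn_events += [(t + 2, src, "close") for t in range(21)]
    conn_events.append((121, src, "open"))
    return recent, connlimit_verdicts(conn_events)
```

Running page_load_demo() shows the recent rule dropping the 20th and 21st connection of the page load while connlimit accepts all of them, and the connection 100 s later is accepted by both because the old stamps have aged out of the window.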
hattmardy
reply to shorthairedp
said by shorthairedp: "So, from another thread:
iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
Is there a term for all ports instead of TCP port 22 (or whatever the individual port is)?"
To do this in particular (this rule for everything not on dport 22), you can specify an inverse rule like this:
iptables -A INPUT -p tcp --dport ! 22 -i eth1 -m state --state NEW -m recent --set
Note the !. Basically this says: match where dport does not equal 22.