dulrich n00b
Joined: 23 Apr 2005 Posts: 46
Posted: Thu Jan 16, 2014 8:11 am Post subject: iptables burst rate limiting and packets content |
Hi,
Today I protect my DHCP and DNS services through iptables with xt_recent :
Code:
iptables -N DNS_BRUT
iptables -A DNS_BRUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m recent --set --name DNS4FM --rsource
iptables -A DNS_BRUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m recent --update --seconds 2 --hitcount 200 --name DNS4FM --rsource -j LOG_BRUT_DROP
iptables -A DNS_BRUT -j ACCEPT
DNS_BRUT is a chain where I redirect all my DNS queries (udp and tcp) from the authorized IPs.
Code:
iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --set --name DHCPFS --rsource
iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --update --seconds 1 --hitcount 50 --name DHCPFS --rsource -j LOG_BRUT_DROP
iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --set --name DHCPFM --rsource
iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --update --seconds 5 --hitcount 100 --name DHCPFM --rsource -j LOG_BRUT_DROP
About 100,000 hosts query these services, and these rules are quite limiting. Sometimes some servers or DHCP relays are legitimately entitled to do more than X queries per second, depending on what is happening on the network (power outage, mail bombing, …).
A better way to do it, instead of limiting by source IP only, would be to inspect the DHCP and DNS packets and limit the rate of queries per second by:
DNS: source_ip, query_type, query_name, so for example (123.45.67.89, A, www.google.ch)
DHCP: CHADDR (client hardware address), so for example (aa:bb:cc:dd:ee:ff), because the relay masks the real source
CHADDR, query_type and query_name are all application-layer data.
Is there a way to do it with iptables? If not, what kind of firewall can do it?
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Tue Jan 21, 2014 8:54 pm Post subject: Re: iptables burst rate limiting and packets content |
dulrich wrote:
    Sometimes, some servers or DHCP relay are legitimate to do more than X queries per second
Make a more *relaxed* iptables filter chain, especially for them.
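The keyed limiting dulrich asks for, together with the relaxed threshold for known relays that PaulBredbury suggests, as an added example (this is not code from either poster). iptables' recent match can only key its list on an address (--rsource or --rdest), so counting per (source_ip, query_type, query_name) or per CHADDR has to happen wherever the payload is parsed; the block below models "--set" followed by "--update --seconds S --hitcount H" as a sliding-window counter in userspace and parses the keys straight from DNS (RFC 1035) and DHCP (RFC 2131) wire bytes. The thresholds, the relay address 10.0.0.2, the host 123.45.67.89 and the packets themselves are assumptions constructed for the example.

```python
"""Rate limiting keyed on application-layer fields (added example).

Models iptables' "-m recent --seconds S --hitcount H" as a sliding window,
but keyed on (src_ip, qtype, qname) for DNS and on CHADDR for DHCP instead
of on the source IP alone, with a relaxed threshold for listed relays.
"""
import struct
from collections import defaultdict, deque

# Thresholds as (window_seconds, hitcount); values and the relay address
# are assumptions for this example, not taken from the original post.
DEFAULT_LIMIT = (2, 5)
RELAXED_LIMIT = (2, 50)
RELAXED_SOURCES = {"10.0.0.2"}   # assumed DHCP relay / DNS forwarder

QTYPES = {1: "A", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def dns_query_key(src_ip, payload):
    """Return (src_ip, qtype, qname) from a DNS query in RFC 1035 wire format."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        raise ValueError("not a DNS query with a question section")
    labels, pos = [], 12                       # question starts after the 12-byte header
    while True:
        if pos >= len(payload):
            raise ValueError("truncated qname")
        n = payload[pos]
        if n == 0:                             # root label ends the name
            pos += 1
            break
        if n & 0xC0:                           # no compression pointers in a query name
            raise ValueError("compression pointer in question")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    if pos + 2 > len(payload):
        raise ValueError("truncated qtype")
    qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    return (src_ip, QTYPES.get(qtype, str(qtype)), ".".join(labels))


def dhcp_chaddr_key(payload):
    """Return CHADDR (RFC 2131: offset 28, length hlen) as aa:bb:cc:dd:ee:ff."""
    if len(payload) < 44:
        raise ValueError("short DHCP message")
    hlen = payload[2]
    if not 1 <= hlen <= 16:
        raise ValueError("bad hlen")
    return ":".join("%02x" % b for b in payload[28:28 + hlen])


class RecentLimiter:
    """Sliding-window counter: a key seen `hitcount` or more times within
    `seconds` is dropped, like xt_recent's --set followed by --update."""

    def __init__(self):
        self.hits = defaultdict(deque)

    def check(self, key, now, src_ip=None):
        seconds, hitcount = RELAXED_LIMIT if src_ip in RELAXED_SOURCES else DEFAULT_LIMIT
        stamps = self.hits[key]
        while stamps and now - stamps[0] > seconds:   # expire stamps outside the window
            stamps.popleft()
        stamps.append(now)
        return "DROP" if len(stamps) >= hitcount else "ACCEPT"


def build_dns_query(qname, qtype, txid=0x1234):
    """Construct a minimal DNS query (sample input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def build_dhcp_discover(mac):
    """Construct a minimal BOOTP/DHCP message carrying `mac` in CHADDR (sample input)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0; xid..giaddr (24 bytes);
    # chaddr (16); sname+file (192); DHCP magic cookie
    return bytes([1, 1, 6, 0]) + b"\x00" * 24 + chaddr + b"\x00" * 192 + b"\x63\x82\x53\x63"


def run_demo():
    """Feed constructed bursts through one limiter; returns the verdicts by case."""
    lim = RecentLimiter()
    host, relay = "123.45.67.89", "10.0.0.2"
    a_query = build_dns_query("www.google.ch", 1)
    # 6 identical A queries from one host within 0.5 s: the 5th and 6th are dropped
    burst = [lim.check(dns_query_key(host, a_query), 0.1 * i, host) for i in range(6)]
    # a different (qtype, qname) from the same host is a separate key
    other = lim.check(dns_query_key(host, build_dns_query("mail.google.ch", 15)), 0.6, host)
    # the listed relay gets the relaxed threshold for the same burst
    relay_burst = [lim.check(dns_query_key(relay, a_query), 0.1 * i, relay) for i in range(6)]
    # once the window has passed, the host is accepted again
    later = lim.check(dns_query_key(host, a_query), 5.0, host)
    # DHCP is keyed on CHADDR, so the relay's own address does not matter
    disc = build_dhcp_discover("aa:bb:cc:dd:ee:ff")
    dhcp = [lim.check(dhcp_chaddr_key(disc), 0.2 * i) for i in range(6)]
    return {"burst": burst, "other": other, "relay": relay_burst, "later": later, "dhcp": dhcp}


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(case, verdict)
```

The per-source lookup in `check` is the userspace equivalent of sending known relays and servers through a separate, more relaxed chain: same window, higher hitcount, selected by source address before the keyed count is applied. Because the DHCP key is the CHADDR rather than the packet's source, a burst from one client behind a relay no longer counts against every other client the relay forwards.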