Gentoo Forums
iptables burst rate limiting and packets content
dulrich
n00b
Joined: 23 Apr 2005
Posts: 46

PostPosted: Thu Jan 16, 2014 8:11 am    Post subject: iptables burst rate limiting and packets content

Hi,

Today I protect my DHCP and DNS services through iptables with xt_recent:
Code:

iptables -N DNS_BRUT
iptables -A DNS_BRUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m recent --set --name DNS4FM --rsource
iptables -A DNS_BRUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m recent --update --seconds 2 --hitcount 200 --name DNS4FM --rsource -j LOG_BRUT_DROP
iptables -A DNS_BRUT -j ACCEPT

DNS_BRUT is a chain to which I redirect all my DNS queries (udp and tcp) from the authorized IPs.
Code:

iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --set --name DHCPFS --rsource
iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --update --seconds 1 --hitcount 50 --name DHCPFS --rsource -j LOG_BRUT_DROP
iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --set --name DHCPFM --rsource
iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --update --seconds 5 --hitcount 100 --name DHCPFM --rsource -j LOG_BRUT_DROP

About 100,000 hosts query these services, and these rules are quite limiting. Sometimes, some servers or DHCP relays are legitimate in doing more than X queries per second, depending on what happens on the network (electricity outage, mail bombing, …).

A better way to do it, instead of limiting by source_ip only, would be to inspect inside the DHCP and DNS packets and limit the rate per second of queries by:
DNS: source_ip, query_type, query_name, so for example (123.45.67.89, A, www.google.ch)
DHCP: CHADDR (client hardware address), so for example (aa:bb:cc:dd:ee:ff) -> because the relay masks the real source

CHADDR, query_type, query_name are all data in the application layer.

Is there a way to do it with iptables? If not, what kind of firewall can do it?
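As an added example (not from the post above and not part of iptables or Gentoo), here is how the per-(source_ip, query_type, query_name) and per-CHADDR counting the question asks for can be done in user space, where the application layer is visible: parse the keys out of the raw UDP payload and apply the same --seconds/--hitcount sliding window that xt_recent applies per source address. It assumes the raw payloads are handed over by some hook (for instance an NFQUEUE rule, not shown) and uses constructed sample packets.

```python
"""Sliding-window limiter keyed on application-layer fields (constructed example)."""
import struct
from collections import defaultdict, deque

QTYPE_NAMES = {1: "A", 28: "AAAA", 15: "MX"}   # enough for the demonstration


def dns_key(src_ip, payload):
    """Return (src_ip, query_type, query_name) from a raw DNS query payload.

    Walks the QNAME labels after the 12-byte header (RFC 1035). Queries carry
    uncompressed names, so no pointer handling is needed here.
    """
    pos, labels = 12, []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    (qtype,) = struct.unpack("!H", payload[pos:pos + 2])
    return (src_ip, QTYPE_NAMES.get(qtype, str(qtype)), ".".join(labels))


def dhcp_key(payload):
    """Return CHADDR as aa:bb:cc:dd:ee:ff from a raw BOOTP/DHCP payload."""
    hlen = payload[2]                   # hardware address length (6 for Ethernet)
    chaddr = payload[28:28 + hlen]      # CHADDR starts at offset 28 (RFC 2131)
    return ":".join(f"{b:02x}" for b in chaddr)


class RecentLimiter:
    """Mirror of `-m recent --update --seconds S --hitcount N`, for any key."""

    def __init__(self, seconds, hitcount):
        self.seconds, self.hitcount = seconds, hitcount
        self.hits = defaultdict(deque)   # key -> timestamps of recent hits

    def check(self, key, now):
        """Record one hit at time `now`; 'DROP' once N hits fall within S seconds."""
        stamps = self.hits[key]
        while stamps and now - stamps[0] > self.seconds:   # expire old hits
            stamps.popleft()
        stamps.append(now)
        return "DROP" if len(stamps) >= self.hitcount else "ACCEPT"
```

The same keys could equally be taken from the DNS or DHCP server's own query log instead of from packet payloads; the limiter does not care where they come from.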
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310

PostPosted: Tue Jan 21, 2014 8:54 pm    Post subject: Re: iptables burst rate limiting and packets content

dulrich wrote:
Sometimes, some servers or DHCP relays are legitimate in doing more than X queries per second

Make a more *relaxed* iptables filter chain, especially for them ;)