[SOLVED] I want to filter udp packets by amount and source
GhostTyper
Tux's lil' helper
Joined: 03 Apr 2004
Posts: 83
Location: Germany; BW

PostPosted: Thu Sep 27, 2018 3:34 am    Post subject: [SOLVED] I want to filter udp packets by amount and source

My firewall currently consists of a gentoo Linux box using iptables as a router in front of my servers. Those servers are connected with 1 GbE to the internet.

Some of the services I host are software like TeamSpeak or dns servers, which read udp packets. Currently, if one of those services is under a udp flood with small udp packets I will just ignore this, because those services can read most of those packets producing 100% cpu load on one core.

I will upgrade my internet connection to 10 GbE. This means, I can't allow udp floods on those services, because they just won't be able to eat all those packets and still respond in acceptable timeframes to valid packets.

I'm already limiting connections to tcp based services by source with -m connlimit and I would also have limited udp packets/sec or something like that if there were (at least I don't know of one) iptables modules which could do so.

I thought of programming software myself for this task. For instance, I could write software using libpcap and then count udp packets per source. However, I don't think this software could run fast enough to keep up with about 15 Mpps. I could try to use tricks (one process with strict filters for one service, etc.) but this feels quite dirty and unmanageable. Additionally, libpcap would still see packets if they are dropped by iptables. I also don't think I'm able to write a production-ready iptables module myself in time, though.

So, the question is: Is there some already existing module I'm just not aware of that does this task? Maybe nftables has a solution? Maybe a 3rd party module?

I would also consider paying for such a module, because if there is no such solution, I will need to buy some hardware firewall appliance, costing me at least 10k €/$ if it's laid out in a redundant way.


Last edited by GhostTyper on Sat Sep 29, 2018 3:36 am; edited 1 time in total
ct85711
Veteran
Joined: 27 Sep 2005
Posts: 1791

PostPosted: Thu Sep 27, 2018 3:55 am

Doing a quick search, you may want to look at the hashlimit module for iptables. It contains some options to specifically specify the amount of traffic/unit of time (either size or # of connections).

This site has some information on modules to control the amount of traffic.
https://www.mad-hacking.net/documentation/linux/security/iptables/rate-limiting.xml

Additional reading:
https://serverfault.com/questions/682045/source-ip-rate-limiting-in-iptables-hashlimit-vs-recent
http://tlfabian.blogspot.com/2014/06/how-does-iptables-hashlimit-module-work.html
http://poorlydocumented.com/2017/08/understanding-iptables-hashlimit-module/
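A rule set built around the hashlimit match the reply points to, as an added example that is not code from the thread; it assumes the box forwards traffic for the servers (FORWARD chain), DNS on udp/53 and TeamSpeak on udp/9987, and the rate and burst values are placeholders to be tuned against real traffic:

```shell
#!/bin/sh
# Per-source UDP rate limiting with the iptables hashlimit match, as an
# added example for this thread (not code from the original post).
# Assumptions not in the thread: the box forwards traffic (FORWARD chain),
# DNS on udp/53, TeamSpeak on udp/9987; rates/bursts are placeholders.
: "${IPT:=iptables}"   # set IPT=echo to print the rules instead of loading them

# udp_hashlimit_rules PORT NAME RATE BURST [CHAIN]
# Builds chain UDP_RATE_<NAME>: one token bucket per source address; a source
# sending faster than RATE (after its BURST allowance) gets its packets dropped.
udp_hashlimit_rules() {
    port=$1; name=$2; rate=$3; burst=$4; chain=${5:-FORWARD}
    sub="UDP_RATE_$name"
    "$IPT" -N "$sub"
    # --hashlimit-mode srcip keys the table on the source IP alone.
    # --hashlimit-above matches only once that source exceeds the rate.
    # --hashlimit-htable-max caps the table; when it is full, packets from
    # sources not yet tracked are dropped, so size it for the legitimate
    # client count. Idle entries expire after 10 s (htable-expire is in ms).
    "$IPT" -A "$sub" -m hashlimit \
        --hashlimit-name "$name" \
        --hashlimit-mode srcip \
        --hashlimit-above "$rate" \
        --hashlimit-burst "$burst" \
        --hashlimit-htable-max 65536 \
        --hashlimit-htable-expire 10000 \
        -j DROP
    "$IPT" -A "$sub" -j RETURN
    # Only UDP to the service port is sent through the limiter chain.
    "$IPT" -A "$chain" -p udp --dport "$port" -j "$sub"
}

# Check the limiter: per-rule packet/byte counters, plus the live per-source
# bucket table the kernel exposes under /proc/net/ipt_hashlimit/<name>.
udp_hashlimit_status() {
    "$IPT" -L "UDP_RATE_$1" -n -v -x
    if [ -r "/proc/net/ipt_hashlimit/$1" ]; then
        cat "/proc/net/ipt_hashlimit/$1"
    fi
}

# Load the rules only when invoked as "./udp_hashlimit.sh apply".
case "${1:-}" in
    apply)
        udp_hashlimit_rules 53   dns 200/sec 400
        udp_hashlimit_rules 9987 ts3 100/sec 200
        ;;
esac
```

Run with `IPT=echo ./udp_hashlimit.sh apply` first to review the generated rules, then watch `udp_hashlimit_status dns` under load to see which sources are over the rate before tightening the numbers.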
GhostTyper
Tux's lil' helper
Joined: 03 Apr 2004
Posts: 83
Location: Germany; BW

PostPosted: Thu Sep 27, 2018 4:31 am

Sometimes it's that easy. Thank you. My apologies.