Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

[solved] detect amount of new outgoing tcp conns per port
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg
PostPosted: Sat Jul 30, 2016 10:56 am    Post subject: [solved] detect amount of new outgoing tcp conns per port Reply with quote
I'd like to be informed (but not more often than once per second) if the amount of new outgoing connections to destination port $p per second is greater than 250. The following approaches don't work as expected:
Code:
$IPT -A OUTPUT -p tcp --destination-port $p --syn --match connlimit --connlimit-above 250 --connlimit-mask 32 --match limit --limit 1/second --limit-burst 1 -j LOG --log-prefix "PORTMAX $p "

$IPT -A OUTPUT -p tcp --destination-port $p --match conntrack --ctstate NEW --match connlimit --connlimit-above  250 --connlimit-mask 32 --match limit --limit 1/second --limit-burst 1 -j LOG --log-prefix "PORTMAX $p "

$IPT -A OUTPUT -p tcp --destination-port $p --syn --match state --state NEW --match limit --limit 250/second --match limit --limit  1/second -j LOG --log-prefix "PORTMAX $p "
Any hints ?

Last edited by toralf on Thu Aug 11, 2016 8:49 pm; edited 4 times in total
Back to top
View user's profile Send private message
Syl20
l33t
l33t


Joined: 04 Aug 2005
Posts: 619
Location: France
PostPosted: Mon Aug 01, 2016 12:47 pm    Post subject: Reply with quote
Did you try to split the connlimit filter and the limit one into two distinct rules ?

Code:
$IPT -A OUTPUT -p tcp --destination-port $p --match conntrack --ctstate NEW --match connlimit ! --connlimit-above 250 --connlimit-mask 32 -j ACCEPT # or -j WHATYOUWANT
$IPT -A OUTPUT -p tcp --destination-port $p --match limit --limit 1/second --limit-burst 1 -j LOG --log-prefix "PORTMAX $p "


Note that here, the supplemantary packets will just be logged. You may have to add another rule to accept or to drop them.
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg
PostPosted: Mon Aug 01, 2016 1:24 pm    Post subject: Reply with quote
Well, I finally got it with one rule :
Code:
$IPT -A OUTPUT -p tcp --destination-port $p --match conntrack --ctstate NEW --match limit --limit 1/second --limit-burst 1 --match connlimit --connlimit-above $max -j LOG --log-prefix "PORTMAX $p "
but is this the most simple solution ?
Update
Seems to be better:
Code:
$IPT -A OUTPUT -p tcp --destination-port $p --match conntrack --ctstate NEW --match connlimit --connlimit-above 250 --connlimit-mask  0 --connlimit-daddr --match limit --limit 1/second --limit-burst 1 -j LOG --log-prefix "PORTMAX $p m2 "
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy