


Re: Max number of iptable rules?

From buck <buck@private.mil>
Newsgroups comp.os.linux.networking, comp.os.linux.security, comp.infosystems.www.servers.unix
Subject Re: Max number of iptable rules?
Date 2013-05-25 17:06 +0000
Organization Say What?
Message-ID <knqr1t01nit@news4.newsguy.com> (permalink)
References <mr-E9D8F4.21453924052013@News.Individual.NET> <878v33qyr1.fsf@araminta.anjou.terraraq.org.uk> <mr-9F09EF.10100625052013@News.Individual.NET>

Cross-posted to 3 groups.



Sandman <mr@sandman.net> wrote in
news:mr-9F09EF.10100625052013@News.Individual.NET: 

> The man page doesn't seem to say. I saw something that suggested
> that it may have maxed out at about 5000 rules, could that be true?

Because I do not understand your DNS, this suggestion may be completely 
inappropriate, but have you considered a "recent" match for your iptables 
firewall?  Something like:

# This only limits the number of NEW connections, sending the remainder
# on to the rest of the rules in the chain from which it was called (INPUT).
# This limits each IP.

iptables -N DDoS

# Check /proc/net/ipt_recent to see the content of 'recent' lists.
# --name is the name of the table; use --name when more than one 'recent' match
#  is used so the table matches the intended use.
# --rcheck checks to see if IP is in list '--name NAME' without updating the
#  entry's timestamp (use --update for that).
# --rttl makes sure the ttl for this IP is the same as last time (helps prevent
#  IP spoofing).
# --update updates the timestamp in the list.  Cannot use --update and --rcheck
#  in the same rule.
# If IP is in list ddos then drop connections in excess of 17 per second.
# Tune it if it DROPs too much for your setup.

iptables -A DDoS -m recent --set --name ddos

# Allow if hitcount is less than 18.

iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
  --hitcount 18 -m limit --limit 12/h --limit-burst 1 -j LOG --log-prefix "DDoS "
iptables -A DDoS -m recent --name ddos --update --seconds 1 \
  --hitcount 18 -j DROP
iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
  --hitcount 1 -j RETURN
iptables -A DDoS -j RETURN
iptables -A DDoS -j RETURN

---
# Limit the number of NEW connections.
iptables -A INPUT -i $IFE -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
---

The syntax to change the DROP rule:
iptables -R DDoS 3 -m recent --name ddos --update --seconds # \
   --hitcount ## -j DROP

This way, you don't have 5K rules.
-- 
buck
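Added example (not part of buck's post): a small Python model of the xt_recent semantics the DDoS chain above relies on, so the verdicts can be traced on a constructed SYN trace without a live firewall. It assumes the kernel's default of 20 timestamps kept per address (ip_pkt_list_tot), counts a stamp as "within --seconds" when now <= stamp + seconds as the kernel does, and lets --update add a timestamp only when its hitcount test succeeds. The -m limit on the LOG rule and --rttl are not modelled; the trace, the addresses and the function names are all constructed for this example.

```python
"""Model of the 'recent'-match DDoS chain from the post (added example, not
buck's code).  It re-implements the --set/--rcheck/--update hitcount logic in
plain Python so you can see which NEW SYNs the chain would LOG, DROP or RETURN.
"""
from collections import defaultdict, deque

PKT_LIST_TOT = 20      # assumed kernel default ip_pkt_list_tot: stamps kept per address
SECONDS = 1.0          # --seconds 1
HITCOUNT = 18          # --hitcount 18


class RecentTable:
    """One '--name' table: per-source-IP ring of recent packet timestamps."""

    def __init__(self, size=PKT_LIST_TOT):
        self.stamps = defaultdict(lambda: deque(maxlen=size))

    def set(self, ip, now):
        """--set: add the address, or append a new timestamp to an existing entry."""
        self.stamps[ip].append(now)
        return True

    def _enough_hits(self, ip, now, seconds, hitcount):
        """True if at least 'hitcount' stamps fall within the last 'seconds'."""
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        return hits >= hitcount

    def rcheck(self, ip, now, seconds, hitcount):
        """--rcheck: test the entry without touching it."""
        return self._enough_hits(ip, now, seconds, hitcount)

    def update(self, ip, now, seconds, hitcount):
        """--update: like --rcheck, but a successful match also adds a stamp."""
        if self._enough_hits(ip, now, seconds, hitcount):
            self.stamps[ip].append(now)
            return True
        return False


def ddos_chain(table, ip, now, log):
    """Walk one NEW SYN through the five rules of the DDoS chain.
    Returns the verdict handed back to INPUT: 'DROP' or 'RETURN'."""
    table.set(ip, now)                                   # rule 1: --set --name ddos
    if table.rcheck(ip, now, SECONDS, HITCOUNT):         # rule 2: --rcheck ... -j LOG
        log.append((now, ip))                            # (-m limit not modelled)
    if table.update(ip, now, SECONDS, HITCOUNT):         # rule 3: --update ... -j DROP
        return "DROP"
    if table.rcheck(ip, now, SECONDS, 1):                # rule 4: --hitcount 1 -j RETURN
        return "RETURN"
    return "RETURN"                                      # rule 5: -j RETURN


def simulate(packets):
    """packets: iterable of (time_in_seconds, src_ip), in arrival order.
    Returns (verdicts in order, LOG entries generated)."""
    table = RecentTable()
    log = []
    verdicts = [ddos_chain(table, ip, t, log) for t, ip in packets]
    return verdicts, log


def burst_demo():
    """Constructed trace: 25 SYNs from one host 20 ms apart, one SYN from a
    bystander in the middle, then one more from the first host after 3 s."""
    trace = [(i * 0.02, "10.0.0.5") for i in range(25)]
    trace.insert(10, (0.19, "10.0.0.9"))
    trace.append((3.0, "10.0.0.5"))
    return simulate(trace)


if __name__ == "__main__":
    verdicts, log = burst_demo()
    for (t, ip), v in zip(burst_demo.__wrapped__ if False else [], []):
        pass
    print("verdicts:", verdicts)
    print("logged:", len(log), "entries, all from", {ip for _, ip in log})
```

Running it shows the behaviour the comments describe: the first 17 SYNs from 10.0.0.5 RETURN to INPUT, the 18th and later within the same second are logged and dropped, the bystander 10.0.0.9 is untouched, and once the attacker's stamps age past one second it is accepted again. On current kernels the table state the model keeps is what /proc/net/xt_recent/ddos shows (the /proc/net/ipt_recent path in the post is the older ipt_recent module).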



Thread

Max number of iptable rules? Sandman <mr@sandman.net> - 2013-05-24 21:45 +0200
  Re: Max number of iptable rules? Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:56 +0100
    Re: Max number of iptable rules? Sandman <mr@sandman.net> - 2013-05-25 10:10 +0200
      Re: Max number of iptable rules? buck <buck@private.mil> - 2013-05-25 17:06 +0000
