| Started by | Sandman <mr@sandman.net> |
|---|---|
| First post | 2013-05-24 21:45 +0200 |
| Last post | 2013-05-25 17:06 +0000 |
| Articles | 4 — 3 participants |
Max number of iptable rules? Sandman <mr@sandman.net> - 2013-05-24 21:45 +0200
Re: Max number of iptable rules? Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:56 +0100
Re: Max number of iptable rules? Sandman <mr@sandman.net> - 2013-05-25 10:10 +0200
Re: Max number of iptable rules? buck <buck@private.mil> - 2013-05-25 17:06 +0000
| From | Sandman <mr@sandman.net> |
|---|---|
| Date | 2013-05-24 21:45 +0200 |
| Subject | Max number of iptable rules? |
| Message-ID | <mr-E9D8F4.21453924052013@News.Individual.NET> |
The man page doesn't seem to say. I saw something that suggested that it may have maxed out at about 5000 rules, could that be true? I'm adding them as I find them in the log files, and there are thousands of hosts...

--
Sandman[.net]
| From | Richard Kettlewell <rjk@greenend.org.uk> |
|---|---|
| Date | 2013-05-25 08:56 +0100 |
| Message-ID | <878v33qyr1.fsf@araminta.anjou.terraraq.org.uk> |
| In reply to | #317 |
Sandman <mr@sandman.net> writes:

> The man page doesn't seem to say. I saw something that suggested that
> it may have maxed out at about 5000 rules, could that be true?

Don’t know, but a linear search for every packet isn’t going to be very efficient...

> I'm adding them as I find them in the log files, and there are
> thousands of hosts...

You could use an ipset containing all the problem addresses instead of a rule for each address. See ‘man ipset’ and look for ‘ipset’ in ‘man iptables’ for details. (I’ve not tried this myself..)

--
http://www.greenend.org.uk/rjk/
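The ipset approach suggested above, as an added example that is not part of the thread: a small POSIX sh script that harvests the offending source addresses from constructed sshd log lines and emits one ipset plus a single iptables rule that matches against it, instead of one DROP rule per host. It assumes the ipset 6 command syntax (`hash:ip`, `-exist`) and the `-m set --match-set` iptables match; it only prints the commands so they can be reviewed before being run as root.

```sh
#!/bin/sh
# Added example, not from the thread: replace thousands of per-host
# iptables rules with one ipset and one rule that references it.
# Nothing here executes iptables or ipset; the commands are printed.

# Constructed sample log lines standing in for the real log file.
SAMPLE_LOG='May 24 21:40:01 host sshd[1]: Failed password for root from 203.0.113.7 port 4000 ssh2
May 24 21:40:02 host sshd[1]: Failed password for root from 198.51.100.23 port 4001 ssh2
May 24 21:40:03 host sshd[1]: Failed password for root from 203.0.113.7 port 4002 ssh2
May 24 21:40:04 host sshd[1]: Accepted password for alice from 192.0.2.10 port 4003 ssh2'

# Extract the source address of every "Failed password ... from <ip>"
# line, deduplicated and sorted, one address per line.
offending_ips() {
    printf '%s\n' "$1" |
        sed -n 's/.*Failed password .* from \([0-9][0-9.]*\) port .*/\1/p' |
        sort -u
}

# Emit the commands for a set named $2 (default "blocklist").
# "-exist" makes creating the set or re-adding an address harmless
# when the script is run again against a newer log.
emit_blocklist() {
    set_name=${2:-blocklist}
    printf 'ipset create %s hash:ip -exist\n' "$set_name"
    offending_ips "$1" | while read -r ip; do
        printf 'ipset add %s %s -exist\n' "$set_name" "$ip"
    done
    # One rule replaces the per-host rules: match the packet's source
    # address against the set (a hash lookup, not a linear rule scan).
    printf 'iptables -A INPUT -m set --match-set %s src -j DROP\n' "$set_name"
}

emit_blocklist "$SAMPLE_LOG"
```

Pipe the output into `sh` once it looks right; for a persistent blocklist across reboots, `ipset save` and `ipset restore` (ipset 6) keep the set contents.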
| From | Sandman <mr@sandman.net> |
|---|---|
| Date | 2013-05-25 10:10 +0200 |
| Message-ID | <mr-9F09EF.10100625052013@News.Individual.NET> |
| In reply to | #322 |
In article <878v33qyr1.fsf@araminta.anjou.terraraq.org.uk>, Richard Kettlewell <rjk@greenend.org.uk> wrote:

> > The man page doesn't seem to say. I saw something that suggested that
> > it may have maxed out at about 5000 rules, could that be true?
>
> Don’t know, but a linear search for every packet isn’t going to be very
> efficient...

Of course not. It's idiotic. But currently, it's the only method I have found that is actually working. :)

> > I'm adding them as I find them in the log files, and there are
> > thousands of hosts...
>
> You could use an ipset containing all the problem addresses instead of a
> rule for each address. See ‘man ipset’ and look for ‘ipset’ in ‘man
> iptables’ for details. (I’ve not tried this myself..)

I don't have ipset installed, and it's a kernel module and this is a production server, so I won't be starting to compile kernels on it unless it was my only option. The server is running Linux Debian 6.0.7 with the 2.6.32-5-amd64 kernel. It's been a long time since I compiled a kernel, and apt-get has ipset and ipset-source, and I've never even compiled an apt-get source package (but I obviously have compiled millions of downloaded source packages).

ipset would be a solution for me, it seems, but as it seems, opennet.se may be the culprit here, and my first step (monday) should be to contact them and have them fix their DNS.

--
Sandman[.net]
| From | buck <buck@private.mil> |
|---|---|
| Date | 2013-05-25 17:06 +0000 |
| Message-ID | <knqr1t01nit@news4.newsguy.com> |
| In reply to | #324 |
Sandman <mr@sandman.net> wrote in news:mr-9F09EF.10100625052013@News.Individual.NET:

> The man page doesn't seem to say. I saw something that suggested
> that it may have maxed out at about 5000 rules, could that be true?

Because I do not understand your DNS, this suggestion may be completely inappropriate, but have you considered a "recent" match for your iptables firewall? Something like:

```sh
# This only limits the number of NEW connections, sending the remainder on
# to the rest of the rules in the chain from which it was called (INPUT).
# This limits each IP.
iptables -N DDoS

# Check /proc/net/ipt_recent to see the content of 'recent' lists.
# --name is the name of the table; use --name when more than one 'recent' match
#   is used so the table matches the intended use.
# --rcheck checks to see if IP is in list '--name NAME' without updating the
#   entry's timestamp (use --update for that).
# --rttl makes sure the ttl for this IP is the same as last time (helps prevent
#   IP spoofing).
# --update updates the timestamp in the list. Cannot use --update and --rcheck
#   in the same rule.
# If IP is in list ddos then drop connections in excess of 17 per second.
# Tune it if it DROPs too much for your setup.
iptables -A DDoS -m recent --set --name ddos

# Allow if hitcount is less than 18.
iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
    --hitcount 18 -m limit --limit 12/h --limit-burst 1 -j LOG --log-prefix "DDoS "
iptables -A DDoS -m recent --name ddos --update --seconds 1 \
    --hitcount 18 -j DROP
iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
    --hitcount 1 -j RETURN
iptables -A DDoS -j RETURN
```

---

```sh
# Limit the number of NEW connections.
iptables -A INPUT -i $IFE -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
```

---

The syntax to change the DROP rule:

```sh
iptables -R DDoS 3 -m recent --name ddos --update --seconds # \
    --hitcount ## -j DROP
```

This way, you don't have 5K rules.

--
buck