
Max number of iptable rules?

Started by: Sandman <mr@sandman.net>
First post: 2013-05-24 21:45 +0200
Last post: 2013-05-25 17:06 +0000
Articles 4 — 3 participants



Contents

  Max number of iptable rules? Sandman <mr@sandman.net> - 2013-05-24 21:45 +0200
    Re: Max number of iptable rules? Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:56 +0100
      Re: Max number of iptable rules? Sandman <mr@sandman.net> - 2013-05-25 10:10 +0200
        Re: Max number of iptable rules? buck <buck@private.mil> - 2013-05-25 17:06 +0000

#317 — Max number of iptable rules?

From: Sandman <mr@sandman.net>
Date: 2013-05-24 21:45 +0200
Subject: Max number of iptable rules?
Message-ID: <mr-E9D8F4.21453924052013@News.Individual.NET>
The man page doesn't seem to say. I saw something that suggested that 
it may have maxed out at about 5000 rules, could that be true?

I'm adding them as I find them in the log files, and there are 
thousands of hosts... 

-- 
Sandman[.net]



#322

From: Richard Kettlewell <rjk@greenend.org.uk>
Date: 2013-05-25 08:56 +0100
Message-ID: <878v33qyr1.fsf@araminta.anjou.terraraq.org.uk>
In reply to: #317
Sandman <mr@sandman.net> writes:
> The man page doesn't seem to say. I saw something that suggested that
> it may have maxed out at about 5000 rules, could that be true?

Don’t know, but a linear search for every packet isn’t going to be very
efficient...

> I'm adding them as I find them in the log files, and there are 
> thousands of hosts... 

You could use an ipset containing all the problem addresses instead of a
rule for each address.  See ‘man ipset’ and look for ‘ipset’ in ‘man
iptables’ for details.  (I’ve not tried this myself..)

-- 
http://www.greenend.org.uk/rjk/

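The ipset approach Richard suggests, as an added example that is not part of the thread: the script below turns addresses found in log lines into input for `ipset restore` and prints the one pair of iptables rules that consult the set, so a new host is one `ipset add` rather than one more rule in a linear chain. It assumes the ipset 6 / xt_set match syntax (`-m set --match-set NAME src`); the ipset 4 generation shipped with kernels of the 2.6.32 era used `-m set --set NAME src` instead. The set name `blocklist` and the sample sshd log lines are constructed for the example. Nothing here touches the kernel, so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the thread: feed log-derived addresses into one
# ipset and match the set from a single iptables rule, instead of one rule per
# host. Assumes the ipset 6 / xt_set syntax ("-m set --match-set"); ipset 4 on
# kernels of the 2.6.32 era used "-m set --set NAME src" instead. The functions
# only produce text for `ipset restore` and the iptables rules, so the script
# runs without root.

# Constructed sample log lines (sshd-style); a real run would read the log file.
SAMPLE_LOG='May 24 21:40:01 host sshd[1234]: Failed password for root from 198.51.100.7 port 4321 ssh2
May 24 21:40:02 host sshd[1235]: Failed password for invalid user admin from 203.0.113.9 port 4322 ssh2
May 24 21:40:03 host sshd[1236]: Failed password for root from 198.51.100.7 port 4323 ssh2
May 24 21:40:04 host sshd[1237]: Accepted publickey for alice from 192.0.2.10 port 4324 ssh2
May 24 21:40:05 host sshd[1238]: Failed password for root from 999.1.1.1 port 4325 ssh2'

# Print the distinct source address of every failed login, keeping only
# syntactically valid dotted-quad IPv4 addresses: the log is untrusted input,
# so nothing unchecked should ever reach an ipset or iptables command line.
failed_sources() {
    printf '%s\n' "$SAMPLE_LOG" \
    | sed -n 's/.*Failed password for .* from \([0-9.]*\) port .*/\1/p' \
    | awk -F. 'NF == 4 {
          ok = 1
          for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
          if (ok) print
      }' \
    | sort -u
}

# Emit input for `ipset restore`: create the set, then one add line per address.
# Adding a host later is a single `ipset add` call; the rules never change.
ipset_restore_input() {
    set_name=${1:-blocklist}   # set name is an assumption, not from the thread
    printf 'create %s hash:ip family inet\n' "$set_name"
    failed_sources | while read -r ip; do
        printf 'add %s %s\n' "$set_name" "$ip"
    done
}

# The rules that replace thousands of per-host rules: a rate-limited LOG for
# visibility, then one DROP that consults the set (a hash lookup, not a walk
# through the whole chain for every packet).
ipset_rules() {
    set_name=${1:-blocklist}
    printf 'iptables -A INPUT -m set --match-set %s src -m limit --limit 6/min -j LOG --log-prefix "blocklist "\n' "$set_name"
    printf 'iptables -A INPUT -m set --match-set %s src -j DROP\n' "$set_name"
}

main() {
    echo '# ipset restore input:'
    ipset_restore_input blocklist
    echo '# iptables rules:'
    ipset_rules blocklist
}

main "$@"
```

On the firewall host the generated text would be loaded with `ipset -exist restore < blocklist.ipset` (the `-exist` option keeps a re-run from failing on a set or entry that is already there), and the two printed rules are added once; the address `999.1.1.1` in the sample is rejected by the validation step and never reaches the set.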


#324

From: Sandman <mr@sandman.net>
Date: 2013-05-25 10:10 +0200
Message-ID: <mr-9F09EF.10100625052013@News.Individual.NET>
In reply to: #322
In article <878v33qyr1.fsf@araminta.anjou.terraraq.org.uk>,
 Richard Kettlewell <rjk@greenend.org.uk> wrote:

> > The man page doesn't seem to say. I saw something that suggested that
> > it may have maxed out at about 5000 rules, could that be true?
> 
> Don’t know, but a linear search for every packet isn’t going to be very
> efficient...

Of course not. It's idiotic. But currently, it's the only method I 
have found that is actually working. :)

> > I'm adding them as I find them in the log files, and there are 
> > thousands of hosts... 
> 
> You could use an ipset containing all the problem addresses instead of a
> rule for each address.  See ‘man ipset’ and look for ‘ipset’ in ‘man
> iptables’ for details.  (I’ve not tried this myself..)

I don't have ipset installed, and it's a kernel module and this is a 
production server, so I won't be starting to compile kernels on it 
unless it was my only option.

The server is running Linux Debian 6.0.7 with the 2.6.32-5-amd64 
kernel.

It's been a long time since I compiled a kernel, and apt-get has ipset 
and ipset-source, and I've never even compiled an apt-get source 
package (but I obviously have compiled millions of downloaded source 
packages).

ipset would be a solution for me, it seems, but as it seems, 
opennet.se may be the culprit here, and my first step (Monday) should 
be to contact them and have them fix their DNS. 



-- 
Sandman[.net]



#327

From: buck <buck@private.mil>
Date: 2013-05-25 17:06 +0000
Message-ID: <knqr1t01nit@news4.newsguy.com>
In reply to: #324
Sandman <mr@sandman.net> wrote in
news:mr-9F09EF.10100625052013@News.Individual.NET: 

> The man page doesn't seem to say. I saw something that suggested
> that it may have maxed out at about 5000 rules, could that be true?

Because I do not understand your DNS, this suggestion may be completely 
inappropriate, but have you considered a "recent" match for your iptables 
firewall?  Something like:

# This only limits the number of NEW connections, sending the remainder on
# to the rest of the rules in the chain from which it was called (INPUT).
# This limits each IP.

iptables -N DDoS

# Check /proc/net/ipt_recent to see the content of 'recent' lists.
# --name is the name of the table; use --name when more than one 'recent' match
#  is used so the table matches the intended use.
# --rcheck checks to see if IP is in list '--name NAME' without updating the
#  entry's timestamp (use --update for that).
# --rttl makes sure the ttl for this IP is the same as last time (helps prevent
#  IP spoofing).
# --update updates the timestamp in the list.  Cannot use --update and --rcheck
#  in the same rule.
# If IP is in list ddos then drop connections in excess of 17 per second.
# Tune it if it DROPs too much for your setup.

iptables -A DDoS -m recent --set --name ddos

# Allow if hitcount is less than 18.

iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
  --hitcount 18 -m limit --limit 12/h --limit-burst 1 -j LOG --log-prefix "DDoS "
iptables -A DDoS -m recent --name ddos --update --seconds 1 \
  --hitcount 18 -j DROP
iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
  --hitcount 1 -j RETURN
iptables -A DDoS -j RETURN

---
# Limit the number of NEW connections.
iptables -A INPUT -i $IFE -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
---

The syntax to change the DROP rule:
iptables -R DDoS 3 -m recent --name ddos --update --seconds # \
   --hitcount ## -j DROP

This way, you don't have 5K rules.
-- 
buck

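A way to tune the `--seconds` / `--hitcount` pair buck leaves as placeholders, as an added example that is not part of the thread: the script below reads a snapshot of a 'recent' list and reports which sources a candidate threshold would have dropped, then prints the `iptables -R DDoS 3` replacement for the chosen numbers. It assumes the list format written by newer kernels under `/proc/net/xt_recent/NAME` (one line per source, `src=A.B.C.D ttl: T last_seen: J oldest_pkt: I J1,J2,...`, timestamps in jiffies), a tick rate of HZ=250, and that measuring the window back from each entry's `last_seen` is a close enough stand-in for the kernel's "within the last N seconds of now"; the three snapshot lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: check a snapshot of a 'recent' list
# against a candidate --seconds/--hitcount pair before changing the DROP rule.
# Assumptions: the /proc/net/xt_recent/NAME line format
# "src=A.B.C.D ttl: T last_seen: J oldest_pkt: I J1,J2,..." (jiffies),
# a kernel tick rate of HZ=250, and that counting stamps back from each
# entry's last_seen approximates the kernel's "within the last N seconds".

# Constructed snapshot: one source bursting 20 SYNs inside a second, one quiet
# source, and one source sending 18 SYNs spread over roughly two seconds.
SAMPLE_RECENT='src=198.51.100.7 ttl: 57 last_seen: 4300200 oldest_pkt: 20 4300010,4300020,4300030,4300040,4300050,4300060,4300070,4300080,4300090,4300100,4300110,4300120,4300130,4300140,4300150,4300160,4300170,4300180,4300190,4300200
src=203.0.113.9 ttl: 64 last_seen: 4300150 oldest_pkt: 3 4299000,4300140,4300150
src=192.0.2.10 ttl: 52 last_seen: 4300510 oldest_pkt: 18 4300000,4300030,4300060,4300090,4300120,4300150,4300180,4300210,4300240,4300270,4300300,4300330,4300360,4300390,4300420,4300450,4300480,4300510'

# Print "SRC COUNT" for every source with at least HITS stamps in the last
# SECS seconds, the test the "--update --seconds N --hitcount M" rule applies.
over_threshold() {
    hits=$1; secs=$2; hz=${3:-250}
    window=$((secs * hz))          # seconds -> jiffies under the assumed HZ
    printf '%s\n' "$SAMPLE_RECENT" | awk -v hits="$hits" -v window="$window" '
    /^src=/ {
        split($1, kv, "="); src = kv[2]
        last = $5 + 0
        rest = ""
        for (i = 8; i <= NF; i++) rest = rest " " $i   # stamps, comma-joined
        n = split(rest, st, /[ ,]+/)
        recent = 0
        for (i = 1; i <= n; i++)
            if (st[i] != "" && last - st[i] < window) recent++
        if (recent >= hits) print src, recent
    }'
}

# The replacement for rule 3 of the DDoS chain (the DROP) once the numbers
# are chosen: HITS first, SECS second; printed, not executed.
drop_rule_replacement() {
    printf 'iptables -R DDoS 3 -m recent --name ddos --update --seconds %s --hitcount %s -j DROP\n' "$2" "$1"
}

main() {
    echo '# sources the current 18-per-second rule would drop:'
    over_threshold 18 1
    echo '# sources a stricter 5-per-second rule would also drop:'
    over_threshold 5 1
    echo '# rule to apply for 18 hits in 1 second:'
    drop_rule_replacement 18 1
}

main "$@"
```

With the sample data the 18-per-second setting catches only the bursting host, while lowering the threshold to 5 also drops the host that spread 18 SYNs over two seconds, which is the kind of check worth running against a real snapshot before tightening the rule on a production box. The kernel path in buck's comment (`/proc/net/ipt_recent`) is the older name; the function itself only cares about the line format.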

