syn flood protection - inside initiated attacks

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Perhaps someone will help me on this :-

I have read a lot of examples of syn flood protect on the INPUT chain.
That I have no question at all.

I wonder if it make sense to perform syn flood protection
at the FORWARD chain ? If packets are originated from a
LAN worm, and are not targetted at the firewall itself, but 
rather at hosts in the internet, will it cause problem with
the firewall itself, such as iptables connection table full etc ?

I tried to do it, to be specific, I tried this :-

         iptables -N lan-syn-flood
         iptables -A lan-syn-flood -m limit --limit 1/s --limit-burst 4  -j RETURN
         iptables -A lan-syn-flood -j DROP

Hook it to FORWARD chain, 

         iptables -I FORWARD -p tcp --syn -j lan-syn-flood

But this will result in denial of service of a lot of "legitimate" traffic.
I try to increate the limits to bigger values it still does not work,
primarily my firewall is also doubling as a router across subnet
and there are a lot of traffic.

Any advise or comments ?





_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux