Anyone know how to properly filter packet floods using iptables w/ nat?

From my point of view 2.4.x-ish connection tracking seems to be quite a bit more vulnerable to packet flooding than the 2.2.x-ish IP Masquerading used to be (when using the default configuration, that is).

First we try to make both input & output flood-filtered:

    iptables -t nat -N floodprot            # the user chain has to exist before it can be jumped to
    iptables -t nat -I PREROUTING -j floodprot
    iptables -t nat -I OUTPUT -j floodprot

For example, the following rule seems to match no packets:

    iptables -t nat -A floodprot -p tcp --tcp-flags ALL NONE -j DROP

(According to the documentation --tcp-flags ALL NONE should match the so-called "Null scan", aka nmap -sN.)

The following rules seem to rate-limit ping & traceroute properly:

    iptables -t nat -A floodprot -p icmp --icmp-type echo-request -m limit \
        --limit 4/s ! -f -j RETURN
    iptables -t nat -A floodprot -p icmp --icmp-type echo-request -j DROP
    iptables -t nat -A floodprot -p udp --dport 33400:33499 --sport \
        50000:65535 -m limit --limit 4/s ! -f -j RETURN
    iptables -t nat -A floodprot -p udp --dport 33400:33499 --sport \
        50000:65535 -j DROP

But is there a better (= simpler) way to do that?

Also, if I happen to have a bunch of interfaces that are not supposed to get any routing and/or nat from this box, tracking connections on them seems to be a waste of resources to me - there probably is no way to turn connection tracking off for some interface pairs?
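An added example (not from the original post) of the same flood-protection chain hooked into the filter table rather than nat: the nat table is only traversed by the first packet of a NEW connection, so stateless floods and packets conntrack classifies as INVALID (such as flag-less TCP) never reach a nat chain, while filter/INPUT and filter/FORWARD see every packet. It reuses the post's chain name and 4/s limits; the burst sizes, the SYN-rate rule and the IPT dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: flood protection in the filter table (INPUT/FORWARD), not nat.
# Set IPT=echo to print the rules instead of installing them (dry run).
IPT="${IPT:-iptables}"

floodprot_rules() {
    # Create the user chain, or flush it if it already exists
    $IPT -N floodprot 2>/dev/null || $IPT -F floodprot
    # Packets conntrack cannot classify (covers flag-less "null scan" TCP)
    $IPT -A floodprot -m state --state INVALID -j DROP
    # Flag-less TCP again, for the case where conntrack is not loaded
    $IPT -A floodprot -p tcp --tcp-flags ALL NONE -j DROP
    # Echo requests: 4/s with an assumed burst of 8, the rest dropped
    $IPT -A floodprot -p icmp --icmp-type echo-request \
        -m limit --limit 4/s --limit-burst 8 -j RETURN
    $IPT -A floodprot -p icmp --icmp-type echo-request -j DROP
    # UDP traceroute probes, same limit
    $IPT -A floodprot -p udp --dport 33400:33499 \
        -m limit --limit 4/s --limit-burst 8 -j RETURN
    $IPT -A floodprot -p udp --dport 33400:33499 -j DROP
    # New TCP connections (SYN floods); rates are assumed values
    $IPT -A floodprot -p tcp --syn -m limit --limit 20/s --limit-burst 40 -j RETURN
    $IPT -A floodprot -p tcp --syn -j DROP
}

install_floodprot() {
    floodprot_rules
    # Hook the chain into INPUT and FORWARD so every packet passes through it
    $IPT -I INPUT -j floodprot
    $IPT -I FORWARD -j floodprot
}

# Dry-run helper: number of rules the chain would be given
count_floodprot_rules() {
    ( IPT=echo; floodprot_rules ) | grep -c -- '-A floodprot'
}

# Usage: . ./floodprot.sh; IPT=echo install_floodprot   (preview)
#        . ./floodprot.sh; install_floodprot             (install, as root)
```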