The first time I used RETURN was today. -A syn-flood -m limit --limit 6/s --limit-burst 10 -j RETURN As I pasted in the message below, as it is useful in these situations in which you need to limit packets per second. -----Original Message----- From: Peter Marshall [mailto:peter.marshall@xxxxxxxxx] Sent: Friday, June 04, 2004 10:02 AM To: Piszcz, Justin Michael; netfilter Subject: Re: return I don't mean to sound rude .. but your response ( as far as I can tell .. and I apologize if I am missing something) has nothing to do with my question .. at all ... Peter ----- Original Message ----- From: "Piszcz, Justin Michael" <justin.piszcz@xxxxxxxxxxxx> To: "Peter Marshall" <peter.marshall@xxxxxxxxx>; "netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx> Sent: Friday, June 04, 2004 10:49 AM Subject: RE: return I do after reading this message: Now that I've got ipt_recent installed and running, I'd be grateful for comments or rule samples that could work best to ameliorate syn-floods. (The site I'm working on has been the target of moderate-to-large-sized syn-floods for a few months now, ongoing.) I've been using this approach: -N syn-flood -A syn-flood -m limit --limit 6/s --limit-burst 10 -j RETURN -A syn-flood -j LOG --log-prefix "SYN-FLOOD: " -A syn-flood -j DROP -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -i eth0 -p tcp --syn -j syn-flood ...and, on the high-traffic site involved, have had occasions when the machine became unreachable, the server load too high. Someone suggested ipt_recent could handle this matter more accurately. I found a rule on the web that someone was using, and tried that a few minutes ago, with this approach: -N syn-flood -A syn-flood -j LOG --log-prefix "SYN-FLOOD: " -A syn-flood -j DROP -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -i eth0 -p tcp --syn -m recent --hitcount 10 --update \ --seconds 60 -j syn-flood ...but very soon _no one_ could get a server connection, with that. My 'mental model' of how ipt_recent is working must not be correct -- at least, I don't understand why the '--limit' ruleset seems to allow normal traffic under most conditions but the '-m recent' rule kept normal users from getting in, just a few minutes ago. If anyone knows what I'm missing in my understanding of this, or has a ruleset that works well to ameliorate syn-flooding, please let me know. Thanks kindly, -- -- Jeff -- <http://www.wellnow.com> "There's nothing left in the world to prove. All that's worth doing is to love one another, using whatever means are available to serve." -----Original Message----- From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Peter Marshall Sent: Friday, June 04, 2004 9:39 AM To: netfilter Subject: return I was just wondering if anyone here uses "return" in their rules .. I understand what it is for .. just wondering if it is efficient to use. ex. -A Forward -s 192.168.200.5 -o eth1 -j subchain1 -A Forward -s 192.168.200.0/24 -o eth1 -j subchain2 -A subchain1 -d 200.200.200.200 --dport 1234 -j ACCEPT -A subchain1 -d 200.200.300.300 --dport 4321 -j ACCEPT -A subchain1 -j RETURN -A subchain2 .......... blah blah blah .... Or would you just write the rules different ? Also, I was wondering is there a way to specify multiple source ip address ? ex -s 192.168.200.5, 192.168.200.20 ..... Thank you, Peter. Peter Marshall, BCS Network Administrator, CARIS 115 Waggoners Lane, Fredericton NB, E3B 2L4 CANADA Phone: (506) 458-8533 (Reception)
