Limiting outbound connections and using the QUEUE target

I'm using a Linux host as a router to perform some security testing. The testing is typically towards TCP-based services. Currently the router is set up like this, with my test traffic coming into the box on eth0, exiting on eth1:

eth0 192.168.1.1/30
eth1 10.1.0.1/23

Due to policy from a networking group, I need to ensure that the number of established connections during my testing never exceeds 20 connections through other devices that I may traverse beyond my Linux router. I'm not as concerned with bandwidth as I am with state tables on downstream devices I have no control over. It seems to me that this could be accomplished if I can ensure that established connections from eth1 do not exceed 20 connections.

So, after a really quick peek at iptables(8) I came up with:

iptables -A OUTPUT -o eth1 -p tcp -m connlimit --connlimit-above 20 -j LOG --log-prefix "rl-queue: "
iptables -A OUTPUT -o eth1 -p tcp -m connlimit --connlimit-above 20 -j QUEUE

and maybe better using --syn:

iptables -A OUTPUT -o eth1 -p tcp --syn -m connlimit --connlimit-above 20 -j LOG --log-prefix "rl-queue: "
iptables -A OUTPUT -o eth1 -p tcp --syn -m connlimit --connlimit-above 20 -j QUEUE

This definitely seems to be limiting traffic, but I'm not really sure if it's what I'm after and if the QUEUE target is working like I think it is (probably not). I guess my questions are:

- does anyone have any suggestions on rules that will help me limit the number of connections outbound?

- can the QUEUE target act as a fifo queue, or is it entirely dependent on something in userspace to queue the packets up and send them back to iptables when the rate limiting numbers have dropped below the threshold?

I'm really concerned with the queuing aspect because I don't want potentially important packets from a portscan to get dropped on my side and an open port go undetected.


thanks for any suggestions!

-samson
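The connlimit match in the rules above counts tracked connections per source address (default --connlimit-mask 32), so it bounds connections per scanning host rather than the aggregate the downstream state tables see. The following is an added example, not code from the post, modelling that counting against a constructed conntrack table; the hosts 192.168.1.2 and 192.168.1.3 and the destinations in 10.1.1.0/24 are assumed sample values.

```python
import ipaddress

# Constructed stand-in for the kernel's conntrack table: one (src, dst, dport)
# tuple per tracked TCP connection leaving eth1.  Not data from the post.
CONNTRACK = [("192.168.1.2", f"10.1.1.{i}", 80) for i in range(1, 21)]    # host A: 20 conns
CONNTRACK += [("192.168.1.3", f"10.1.1.{i}", 443) for i in range(1, 6)]   # host B: 5 conns


def connlimit_above(conntrack, pkt, above, mask=32, saddr=True):
    """Model of `-m connlimit --connlimit-above ABOVE [--connlimit-mask MASK]`.

    pkt is the (src, dst, dport) tuple of the packet being evaluated.  As in
    the kernel match, the packet's own connection is counted even when it is
    the first SYN, and only connections whose source (or destination, with
    --connlimit-daddr) falls in the same /MASK block as the packet are counted.
    Returns True when the rule would fire (here: LOG, then QUEUE).
    """
    key = 0 if saddr else 1
    block = ipaddress.ip_network(f"{pkt[key]}/{mask}", strict=False)
    tracked = set(conntrack)
    tracked.add(pkt)  # a new connection is added to the list before comparing
    count = sum(1 for c in tracked if ipaddress.ip_address(c[key]) in block)
    return count > above


def aggregate_connections(conntrack):
    """Total tracked connections regardless of source: the number that
    downstream state tables actually hold."""
    return len(set(conntrack))


if __name__ == "__main__":
    # Host A's 21st connection fires; host B's 6th does not, yet the
    # downstream devices already hold 25 entries from this router.
    print(connlimit_above(CONNTRACK, ("192.168.1.2", "10.1.1.21", 80), 20))
    print(connlimit_above(CONNTRACK, ("192.168.1.3", "10.1.1.6", 443), 20))
    print(aggregate_connections(CONNTRACK))
```

Widening the mask (e.g. --connlimit-mask 24) makes both hosts share one count, which is closer to the aggregate limit the policy describes. Note also that OUTPUT only sees packets generated by the router itself; traffic forwarded from eth0 to eth1 is matched in the FORWARD chain.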



--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
