you can probably do what you want with u32 http://www.stearns.org/doc/iptables-u32.v0.1.7.html
But, I've never used it before, I only know it can do something like that.

On the other hand, why do you want to limit it? It may burn a few CPU cycles on your DNS server, but you can always rate limit at application level.

On Tue, Jan 29, 2013 at 2:10 AM, Tom <tom@xxxxxxxx> wrote:
> Greetings,
>
> I'm trying to match DNS ANY type queries and rate limit them with iptables.
> An imperfect way of doing this is in use at the moment:
>
> -A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|"
> --algo bm --from 50 --to 65535 -m recent --set --name dnsanyqueryudp
> --rsource
> -A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|"
> --algo bm --from 50 --to 65535 -m recent --rcheck --seconds 60 --hitcount
> 100 --name dnsanyqueryudp --rsource -j ANYRATELIMIT
>
> What I want is a way of checking the byte which is at a negative offset from
> the end of the payload, so I can match only the byte I need. Is there any
> mechanism at all by which I can do this?
>
> It's annoying that the query type always comes after the variable length
> query in DNS!
>
> Thanks for any help.
>
> Tom.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
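To show the variable-offset problem Tom describes, and what "rate limit at application level" can look like, here is an added Python example (not code from the thread): it walks the QNAME labels to find where QTYPE actually sits, matches ANY/IN on the parsed fields instead of a byte pattern, and emulates the quoted `-m recent --set` / `--rcheck --seconds --hitcount` pair per source. The function names, the 0x1234 transaction id and the sample queries are constructed here.

```python
import struct
from collections import defaultdict, deque

QTYPE_ANY, QCLASS_IN = 255, 1  # "|00 00ff 0001|" = QNAME end, QTYPE ANY, QCLASS IN

def qtype_offset(payload):
    """Walk the length-prefixed QNAME labels after the 12-byte header and return
    the offset of QTYPE; it is only known after the walk, which is the problem."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("truncated header or empty question section")
    off = 12
    while True:
        if off >= len(payload):
            raise ValueError("truncated QNAME")
        n = payload[off]
        if n == 0:
            return off + 1
        if n & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question name")
        off += 1 + n

def is_any_query(payload):
    """True only when the QTYPE/QCLASS pair at the computed offset is ANY/IN."""
    off = qtype_offset(payload)
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return qtype == QTYPE_ANY and qclass == QCLASS_IN

def build_query(name, qtype):
    """Constructed sample query: id 0x1234, RD set, one question, class IN."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)

class AnyRateLimiter:
    """Per-source sliding window like the quoted '--set' / '--rcheck --seconds --hitcount' pair."""
    def __init__(self, seconds=60, hitcount=100):
        self.seconds, self.hitcount, self.hits = seconds, hitcount, defaultdict(deque)

    def over_limit(self, src, payload, now):
        """True when this ANY query from src should go to ANYRATELIMIT."""
        if not is_any_query(payload):
            return False
        q = self.hits[src]
        q.append(now)
        while q and q[0] <= now - self.seconds:  # drop hits older than the window
            q.popleft()
        return len(q) >= self.hitcount
```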