Re: iptables ip tracking buffer size?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/03/17 18:20, Matthew Sims wrote:
Quick backstory. I recently took over an unused project from a co-worker
who left over a year ago. The idea was to block IPs that reached a certain
hit_count limit within a minute.

You don't need "a project" you just need the "recent" match and a branch chain.

Consider this set of rules for throttling SSH attempts to five per hour.


iptables --new-chain SSHTHROTTLE

iptables --append SSHTHROTTLE --match recent --name bad_actors --update --seconds 86400 --jump DROP

iptables --append SSHTHROTTLE --match hashlimit --hashlimit-name ssh_throttle --hashlimit-upto 5/hour --hashlimit-mode srcip --hashlimit-burst 2 --jump ACCEPT

iptables --append SSHTHROTTLE --match recent --name bad_actors --set --jump DROP

iptables --append INPUT --in-interface ext+ --proto tcp --match conntrack --ctstate NEW --dport 22 --syn --jump SSHTHROTTLE


So the core thing is the three rules in the SSHTHROTTLE chain. How does it do what you want?

In the _last_ rule of the chain, the source ip address is added to the "bad_actors" set and the packet is dropped.

In the first rule the "--match recent" with "--update" is only true if the packet's source ip address is already in the "bad_actors" set. So it only does the DROP if some previous pass through the chain got all the way to the end of the chain.

So the middle rule, the hashlimit rule will ACCEPT up to five attempts an hour. Since "ACCEPT" stops the chain evaluation the "hashlimit" allows up to five connections an hour. So as long as the client never does six or more an hour he's fine.

Now back to that first rule. The --seconds value (one day in this case) acts as a grace period. If the bad actor goes away for a day then the match will miss and they can proceed with a new connection. Since the recent match is less than the penalty time they are forgiven their past sins and they are back to five connections an hour.

NOTE: using "-j RETURN" instead of "-j ACCEPT" will make this logic work without actually accepting the packet, so you can have this kind of gate without the gate needing to be the point of authorization. By that I mean that the throttling doesn't have to be tied to the details of the rule.

So playing around with timing and other parameters, and using other conditions on the call rule can let one gate/throttle be part of many sequences without making things hard.

You need one chain per throttle group, but you can have lots of different throttles by using different names in the recent and [hash]limit stanzas.

Eventually you will hit limits if you've got thousands of entries in the limits and whatnot because memory is a finite resource.

But you don't need complex code or any kind of external program to pull off these throttles.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux