Re: IPtables rate limiting question

>*raw
>:PREROUTING ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>:limitban - [0:0]
>-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
>-A limitban -m set --match-set banned src -j DROP
>-A limitban -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip --hashlimit-name test10 -j SET --add-set banned src --timeout 900
>-A limitban -m hashlimit --hashlimit-above 80/min --hashlimit-mode srcip --hashlimit-name test80 -j SET --add-set banned src
>-A limitban -m set --match-set banned src -j DROP
>COMMIT

>For this ruleset to be loadable, you'll first need to create the ipset that it references.

># ipset create banned hash:ip timeout 1800

Regarding not mentioning the tables, I was using the *nat table for
PREROUTING and had previously tried to use the DROP rules on the *filter
table, which was not dropping the traffic.

Ok, so the ipset suggestion worked! The current setup that worked is
putting the DROP rules in the *raw table PREROUTING and the SET rules
in the *nat table PREROUTING. I also created one ipset for each use case.

Thank you very much for the help!
On Thu, Oct 31, 2024 at 11:54 AM Francisco Agostinho
<f.agostinho123@xxxxxxxxx> wrote:
>
> On Fri, Oct 25, 2024 at 7:14 PM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
> >
> > On Fri, 25 Oct 2024, at 4:19 PM, Francisco Agostinho wrote:
> > > Hello, I'm trying to implement rate limiting for my machine using
> > > iptables. The use case is to do 2 things:
> > >
> > > 1) block traffic from the same ip+port combination for 15 minutes if
> > > it gets more than 10 hits per minute.
> > >
> > > 2) block traffic from the same ip for 30 minutes if it gets more than
> > > 80 hits per minute.
> > >
> > > For this I'm currently using these rules:
> > >
> > > 1) -A PREROUTING -p tcp -m tcp -m state --state NEW -m hashlimit
> > > --hashlimit-above 10/minute --hashlimit-burst 10 --hashlimit-mode
> > > srcip,dstport --hashlimit-name test10 --hashlimit-htable-expire 900000
> > > -j ACCEPT
> > >
> > > 2) -A PREROUTING -p tcp -m tcp -m state --state NEW -m hashlimit
> > > --hashlimit-above 80/minute --hashlimit-burst 80 --hashlimit-mode
> > > srcip --hashlimit-name test80 --hashlimit-htable-expire 1800000 -j
> > > ACCEPT
> >
> > Why is --hashlimit-above being combined with a verdict of ACCEPT?
> >
> > >
> > > But it's not quite working: as soon as it gets on the list, if you get
> > > another hit the timer gets reset to the default expire time, and it
> > > gets blocked on the first try even after the expiry. So are there
> > > any suggestions on how to achieve the use case or what I'm doing
> > > wrong?
> >
> > I would suggest disentangling all three of the following concerns:
> >
> > - determining whether a rate limit has been exceeded
> > - adding to a set of banned addresses (with attached timeout values)
> > - consulting the set to determine whether a given address has been banned
> >
> > To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.
> >
> > *raw
> > :PREROUTING ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :limitban - [0:0]
> > -A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
> > -A limitban -m set --match-set banned src -j DROP
> > -A limitban -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip --hashlimit-name test10 -j SET --add-set banned src --timeout 900
> > -A limitban -m hashlimit --hashlimit-above 80/min --hashlimit-mode srcip --hashlimit-name test80 -j SET --add-set banned src
> > -A limitban -m set --match-set banned src -j DROP
> > COMMIT
> >
> > For this ruleset to be loadable, you'll first need to create the ipset that it references.
> >
> > # ipset create banned hash:ip timeout 1800
> >
> > --
> > Kerin Millar
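The script below is an added example and not code from either of the thread's participants. It takes the three-way split suggested above (detect the rate, record the ban in an ipset, consult the ipset) and generalises it from the ip-only sample ruleset to the two use cases in the original question: a hash:ip,port set for the 10-hits-per-minute ban keyed on source ip plus destination port, and a hash:ip set for the 80-hits-per-minute ban keyed on source ip only. The set names banned_ipport and banned_ip, the hashlimit names lim10 and lim80, and the placement of the DROP rules in raw PREROUTING with the hashlimit/SET rules in nat PREROUTING (the arrangement the poster reports as working; the raw table runs before connection tracking, so --ctstate NEW is only meaningful in a later table) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: an ipset-backed rate-limit ban
# generalised to the original two use cases (10 hits/min per src ip + dst
# port -> 15-minute ban; 80 hits/min per src ip -> 30-minute ban).
# Set names, the lim10/lim80 hashlimit names and the table split are this
# example's assumptions; the chain name limitban follows the thread.
set -eu

SET_IPPORT=banned_ipport   # hash:ip,port, keyed on source ip + destination port
SET_IP=banned_ip           # hash:ip, keyed on source ip only
CHAIN=limitban

# Sets must exist before the ruleset loads. The set-level timeout is the
# default for entries; the SET target below passes --timeout explicitly.
ipset_commands() {
    cat <<EOF
ipset create $SET_IPPORT hash:ip,port timeout 900 -exist
ipset create $SET_IP hash:ip timeout 1800 -exist
EOF
}

# iptables-save format. Banned peers are dropped in raw PREROUTING, which
# runs before connection tracking, so a banned source costs one set lookup.
# The detection rules sit in nat PREROUTING, which runs after conntrack, so
# --ctstate NEW fires once per connection (the split the poster reports
# working). Three concerns, three places: consult, detect, record.
gen_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -i lo -p tcp -m set --match-set $SET_IPPORT src,dst -j DROP
-A PREROUTING ! -i lo -p tcp -m set --match-set $SET_IP src -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:$CHAIN - [0:0]
-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j $CHAIN
-A $CHAIN -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip,dstport --hashlimit-name lim10 -j SET --add-set $SET_IPPORT src,dst --timeout 900
-A $CHAIN -m hashlimit --hashlimit-above 80/min --hashlimit-mode srcip --hashlimit-name lim80 -j SET --add-set $SET_IP src --timeout 1800
COMMIT
EOF
}

# Load sets and rules. Plain iptables-restore replaces the raw and nat tables
# wholesale; pass --noflush to merge into existing rules instead.
apply_rules() {
    ipset_commands | sh
    gen_ruleset | iptables-restore "$@"
}

# Current bans with their remaining lifetimes, plus the hashlimit buckets.
show_bans() {
    ipset list "$SET_IPPORT"
    ipset list "$SET_IP"
    cat /proc/net/ipt_hashlimit/lim10 /proc/net/ipt_hashlimit/lim80 2>/dev/null || true
}

case "${1:-}" in
    --apply) shift; apply_rules "$@" ;;
    --show)  show_bans ;;
    *)       ipset_commands; echo; gen_ruleset ;;   # dry run: print what would be loaded
esac
```

Run it with no arguments to see exactly what would be loaded, `--apply` (as root) to load it, and `--show` to list the banned entries together with their remaining timeouts; an entry that reappears in `ipset list` with a fresh timeout after a new hit is the ban being renewed, which is the behaviour to watch for when tuning the thresholds. Note that the nat table is flushed by a plain `iptables-restore`, so on a host with existing NAT rules either pass `--noflush` through `--apply` or merge these rules into the host's own ruleset file.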