Weblog entry #2 for nasser
limit feature in iptables
Posted by nasser on Thu 28 Jun 2007 at 18:25
The limit feature in iptables specifies the maximum average rate of matches to allow. You can specify the time interval as /second, /minute, /hour, or /day, or use the abbreviations, so that 3/second is the same as 3/s. In this example, ICMP echo requests are restricted to no more than one per second on average. When tuned correctly, this feature allows you to filter the unusually high volumes of traffic that characterize denial of service (DoS) attacks and Internet worms.
# Echo requests: an average of 1/s (with a burst of 5, the --limit-burst default); the DROP
# rule after it catches the excess, which a default ACCEPT policy would otherwise let through.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --syn -i eth0 -j DROP
Comments on this Entry
To expand upon this example a little, I like rules similar to these:
-A RESERVED_NET_CHK -s 10.0.0.0/255.0.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class A address: " --log-level 6
-A RESERVED_NET_CHK -s 172.16.0.0/255.240.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class B address: " --log-level 6
-A RESERVED_NET_CHK -s 192.168.0.0/255.255.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class C address: " --log-level 6
-A RESERVED_NET_CHK -s 169.254.0.0/255.255.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class M$ address: " --log-level 6
-A RESERVED_NET_CHK -s 10.0.0.0/255.0.0.0 -j DROP
-A RESERVED_NET_CHK -s 172.16.0.0/255.240.0.0 -j DROP
-A RESERVED_NET_CHK -s 192.168.0.0/255.255.0.0 -j DROP
-A RESERVED_NET_CHK -s 169.254.0.0/255.255.0.0 -j DROP
-A SPOOF_CHK -s 192.168.1.0/255.255.255.248 -i eth1 -j RETURN
-A SPOOF_CHK -s 192.168.1.0/255.255.255.248 -i eth2 -j RETURN
-A SPOOF_CHK -s 192.168.1.0/255.255.255.248 -m limit --limit 3/min -j LOG --log-prefix "Spoofed packet: " --log-level 6
-A SPOOF_CHK -s 192.168.1.0/255.255.255.248 -j DROP
-A SPOOF_CHK -s 10.0.0.0/255.255.255.248 -i eth1 -j RETURN
-A SPOOF_CHK -s 10.0.0.0/255.255.255.248 -i eth2 -j RETURN
-A SPOOF_CHK -s 10.0.0.0/255.255.255.248 -m limit --limit 3/min -j LOG --log-prefix "Spoofed packet: " --log-level 6
-A SPOOF_CHK -s 10.0.0.0/255.255.255.248 -j DROP
-A SPOOF_CHK -j RETURN
-A SSH -m recent --set --name sshchk --rsource
-A SSH -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "SSH Brute force attack: " --log-level 6
-A SSH -j DROP
( See apt-cache policy arno-iptables-firewall )
-Sx-
http://youve-reached-the.endoftheinternet.org/
Posted by Anonymous (87.177.xx.xx) on Tue 6 May 2008 at 20:59
> "When tuned correctly, this feature allows you to filter unusually high volumes of traffic that characterize denial of service (DOS) attacks and Internet worms."
But take care: When tuned incorrectly, this feature does the opposite: Helping any attacker in denial of service attacks. Instead of having to initiate enough connections to bring the whole server down, it then may be sufficient to just start enough connections to activate the firewall rules.
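The two points made above, that `-m limit` only caps an average and that a misconfigured limit starves legitimate traffic, are easiest to see by replaying packets through a model of the match. The following is an added example written for this page, not code from the post or from the iptables project: it implements the token-bucket semantics of the limit match (bucket starts full at `--limit-burst`, default 5, refills at `--limit`, one token per matched packet, refill applied on every evaluation) and feeds it constructed packet timelines. The `Packet`, `Rule`, `Limit` and `run_chain` names are this example's own; the ICMP and SYN rule sets mirror the ones in the post, with the DROP rule that the post's version relies on the chain policy for.

```python
"""Token-bucket model of the iptables `-m limit` match (added example, not part of the post)."""
from fractions import Fraction
from typing import Callable, List, NamedTuple, Optional

# Units accepted by --limit: /second /minute /hour /day and their abbreviations.
_UNIT_SECONDS = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
                 "h": 3600, "hour": 3600, "d": 86400, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """Turn a --limit argument such as '1/s' or '3/min' into packets per second."""
    count, unit = spec.split("/")
    return Fraction(int(count), _UNIT_SECONDS[unit])


class Limit:
    """One --limit/--limit-burst bucket: starts full, refills at `rate`, each match costs a token."""

    def __init__(self, spec: str, burst: int = 5):
        self.rate = parse_rate(spec)
        self.burst = burst
        self.tokens = Fraction(burst)
        self.last = Fraction(0)

    def match(self, now: Fraction) -> bool:
        # Refill is applied on every evaluation, whether or not this packet ends up matching.
        self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Packet(NamedTuple):
    t: Fraction      # arrival time in seconds (exact, to keep the arithmetic deterministic)
    proto: str       # "icmp" or "syn" in these constructed scenarios
    src: str         # label of the sender, used only for counting


class Rule(NamedTuple):
    matches: Callable[[Packet], bool]
    limit: Optional[Limit]
    target: str


def run_chain(rules: List[Rule], policy: str, packets):
    """Evaluate packets in arrival order; the first matching rule decides, else the chain policy."""
    verdicts = []
    for pkt in sorted(packets, key=lambda p: p.t):
        verdict = policy
        for rule in rules:
            if rule.matches(pkt) and (rule.limit is None or rule.limit.match(pkt.t)):
                verdict = rule.target
                break
        verdicts.append((pkt, verdict))
    return verdicts


def count_accepted(verdicts, src=None):
    return sum(1 for pkt, v in verdicts if v == "ACCEPT" and (src is None or pkt.src == src))


def icmp_flood(limit_accept_only: bool):
    """Constructed flood: 10 echo requests/s for 3 s against `-m limit --limit 1/s -j ACCEPT`.
    With nothing after that rule and a default ACCEPT policy, the excess is still accepted."""
    pkts = [Packet(Fraction(i, 10), "icmp", "pinger") for i in range(30)]
    rules = [Rule(lambda p: p.proto == "icmp", Limit("1/s"), "ACCEPT")]
    if not limit_accept_only:
        rules.append(Rule(lambda p: p.proto == "icmp", None, "DROP"))
    return count_accepted(run_chain(rules, "ACCEPT", pkts))


def syn_limit_under_flood():
    """Constructed scenario: the bucket is shared by all sources, so a 10 SYN/s flood plus one
    legitimate SYN/s against `--limit 5/s` then DROP starves the legitimate client."""
    flood = [Packet(Fraction(k, 10), "syn", "attacker") for k in range(100)]
    legit = [Packet(Fraction(j) + Fraction(1, 20), "syn", "client") for j in range(10)]
    rules = [Rule(lambda p: p.proto == "syn", Limit("5/s"), "ACCEPT"),
             Rule(lambda p: p.proto == "syn", None, "DROP")]
    verdicts = run_chain(rules, "ACCEPT", flood + legit)
    return count_accepted(verdicts, "client"), count_accepted(verdicts, "attacker")


if __name__ == "__main__":
    print("ICMP, limit ACCEPT only:", icmp_flood(True), "of 30 accepted")
    print("ICMP, limit ACCEPT then DROP:", icmp_flood(False), "of 30 accepted")
    client, attacker = syn_limit_under_flood()
    print(f"SYN flood: client {client}/10 accepted, attacker {attacker}/100 accepted")
```

The ICMP run shows the burst: the first five requests pass immediately, then roughly one per second, but only once a DROP rule (or a DROP policy) sits behind the limited ACCEPT. The SYN run shows the second comment's point: because `-m limit` keeps a single bucket for the whole rule, whoever sends most wins the tokens, and the legitimate client gets one connection in ten seconds. Per-source limiting, which keeps one bucket per address, is what `-m hashlimit` provides and is the usual answer when the goal is to shield legitimate users rather than to cap a total rate.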