Hello, Guillaume Tamboise wrote:
I used to rate limit the number of incoming HTTP connections in Etch, using these iptables statements:

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --set --name HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 --name HTTP -j LOG --log-prefix "HTTP_DoS "
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 --name HTTP -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

The second statement gives this in Lenny:

iptables: Invalid argument

The only way to get iptables to accept this statement is to remove the hitcount.
From ChangeLog-2.6.25:

[NETFILTER]: ipt_recent: sanity check hit count

If a rule using ipt_recent is created with a hit count greater than ip_pkt_list_tot, the rule will never match as it cannot keep track of enough timestamps. This patch makes ipt_recent refuse to create such rules.

With ip_pkt_list_tot's default value of 20, the following can be used to reproduce the problem.

nc -u -l 0.0.0.0 1234 &
for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done

This limits it to 20 packets:

iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
    --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
    60 --hitcount 20 --name test --rsource -j DROP

While this is unlimited:

iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
    --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
    60 --hitcount 21 --name test --rsource -j DROP

With the patch the second rule-set will throw an EINVAL.
Maybe this is the explanation if you use a kernel version 2.6.25 or above, such as the 2.6.26 kernel from lenny. You may try to increase the packet list length to at least 50 using the parameter "ip_pkt_list_tot" of the module ipt_recent (note that this module is renamed xt_recent in kernel version 2.6.28 and above, but the "ipt_recent" alias should be kept). IIRC this can be done by adding an "options" statement in /etc/modprobe.conf or /etc/modprobe.d/ (I haven't done that in a long time):
options ipt_recent ip_pkt_list_tot=50
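The check the thread is describing, as an added example that is not code posted by either participant: a POSIX shell helper that compares the wanted --hitcount with the kernel's ip_pkt_list_tot, prints the four HTTP rules from the thread when the value fits, and otherwise prints the modprobe.d "options" line that has to go in first. It only prints rules, so it runs without root and the output can be reviewed before being piped into sh. Assumptions of mine: the default list length of 20 (the value quoted in the 2.6.25 ChangeLog), the sysfs path /sys/module/<module>/parameters/ip_pkt_list_tot for reading the live value, the file name /etc/modprobe.d/xt_recent.conf, and all function names.

```shell
#!/bin/sh
# Added example for this thread (not code posted by either participant).
# Checks the --hitcount you want against the kernel's ip_pkt_list_tot, prints
# the four HTTP rate-limit rules from the thread when it fits, and otherwise
# prints the modprobe.d "options" line needed first.  Nothing here needs root;
# rules are only printed so they can be reviewed before being piped into sh.
# Assumptions: default list length 20 (from the 2.6.25 ChangeLog), the sysfs
# path /sys/module/<module>/parameters/ip_pkt_list_tot, and the file name
# /etc/modprobe.d/xt_recent.conf, which is my choice.

RECENT_DEFAULT_LIST_TOT=20

# Name of the loaded module: xt_recent on 2.6.28+, ipt_recent before that.
# Falls back to xt_recent when neither is loaded.
recent_module_name() {
    for m in xt_recent ipt_recent; do
        if [ -d "/sys/module/$m" ]; then
            echo "$m"
            return 0
        fi
    done
    echo xt_recent
}

# ip_pkt_list_tot as the running kernel sees it, or the default when the
# module is not loaded (the parameter is only visible once it is).
recent_list_tot() {
    f="/sys/module/$(recent_module_name)/parameters/ip_pkt_list_tot"
    if [ -r "$f" ]; then cat "$f"; else echo "$RECENT_DEFAULT_LIST_TOT"; fi
}

# Exit 0 when a --hitcount of $1 fits in a timestamp list of length $2.
# hitcount > ip_pkt_list_tot is what 2.6.25+ rejects with EINVAL, which
# iptables reports as "iptables: Invalid argument".
hitcount_fits() {
    [ "$1" -le "$2" ]
}

# /etc/modprobe.d line raising ip_pkt_list_tot to $1 for module $2.  It takes
# effect the next time the module is loaded (rmmod + modprobe, or a reboot),
# not for the instance already in the kernel.
modprobe_options_line() {
    echo "options $2 ip_pkt_list_tot=$1"
}

# The thread's four rules, parameterised: $1 hitcount, $2 seconds, $3 interface.
http_ratelimit_rules() {
    cat <<EOF
iptables -A INPUT -i $3 -p tcp --dport 80 -m state --state NEW -m recent --set --name HTTP
iptables -A INPUT -i $3 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds $2 --hitcount $1 --name HTTP -j LOG --log-prefix "HTTP_DoS "
iptables -A INPUT -i $3 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds $2 --hitcount $1 --name HTTP -j DROP
iptables -A INPUT -i $3 -p tcp --dport 80 -j ACCEPT
EOF
}

# Decide what to print: $1 hitcount, $2 seconds, $3 interface, $4 list length
# ($4 defaults to the kernel's value).  Returns 1 when the rules would be
# rejected, so a caller using "set -e" stops before loading a broken ruleset.
plan_http_ratelimit() {
    have=${4:-$(recent_list_tot)}
    if hitcount_fits "$1" "$have"; then
        http_ratelimit_rules "$1" "$2" "$3"
        return 0
    fi
    mod=$(recent_module_name)
    echo "# --hitcount $1 exceeds ip_pkt_list_tot=$have; the kernel would return EINVAL." >&2
    echo "# Add this to /etc/modprobe.d/xt_recent.conf, reload $mod, then rerun:" >&2
    modprobe_options_line "$1" "$mod" >&2
    return 1
}

# Usage: sh recent-hitcount.sh 50 2 eth0 | sh        (review the output first)
if [ -n "${1:-}" ]; then
    plan_http_ratelimit "$1" "${2:-2}" "${3:-eth0}"
fi
```

The list length is read from sysfs rather than hard-coded because the "options" line only changes what the module gets at its next load; checking the live value is what tells you whether the rmmod/modprobe (or reboot) has actually happened before the 50-hit rules are loaded.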