[CentOS] iptables: hitcount
Hello,

up to CentOS 5.3 it was possible to control new IP connections by recent, seconds and hitcount:

    -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
    -A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 80 -j LOG --log-prefix FW DROP IP Flood:
    -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -j DROP
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

so that a short-time high rate of new connections for the web server was accepted, but not over a longer time.

E.g. CentOS 5.8 or CentOS 6.2 accept only:

    -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
    -A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 15 -p tcp --dport 80 -j LOG --log-prefix FW DROP IP Flood:
    -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 -j DROP
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

So a complex web page with many small icons, e.g. webmail pages, initiates the log in line 2 and the drop in line 3. hitcount does not accept values of 25 or above:

    [root@server ~]# iptables -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
    [root@server ~]# iptables -A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 25 -p tcp --dport 80 -j LOG --log-prefix FW DROP IP Flood:
    iptables: Unknown error 4294967295

What can I do to protect the web server? Is there any configuration parameter to increase the values for hitcount?

Best regards
Helmut Drodofsky

--
Kind regards
Helmut Drodofsky

Internet XS Service GmbH
Heßbrühlstraße 15
70565 Stuttgart
Management: Dr.-Ing. Roswitha Hahn-Drodofsky
HRB 21091 Stuttgart
USt.ID: DE190582774
Tel. 0711 781941 0
Fax: 0711 781941 79
Mail: i...@internet-xs.de
www.internet-xs.de

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] iptables: hitcount
Hello Helmut,

On Mon, 2012-06-11 at 11:54 +0200, Helmut Drodofsky wrote:
> up to CentOS 5.3 it was possible to control new IP connections by recent, seconds and hitcount:
>
> -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
> -A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 80 -j LOG --log-prefix FW DROP IP Flood:
> -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>
> hitcount does not accept values of 25 or above:

20* on CentOS-5 afaict.

> [root@server ~]# iptables -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
> [root@server ~]# iptables -A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 25 -p tcp --dport 80 -j LOG --log-prefix FW DROP IP Flood:
> iptables: Unknown error 4294967295

I suggest you take this upstream. Apparently there are quite a few issues between the various kernel and iptables versions and also the different architectures.

https://bugzilla.redhat.com/show_bug.cgi?id=639026 seems to be the issue you are experiencing.

(Note that 4294967295 = 2^32-1 and 18446744073709551615 = 2^64-1, which makes me believe the reporter of the above bug runs on x86_64 and you're probably running a 32 bit system. These things should be mentioned when you report bugs, as well as the CentOS and package versions you are conducting your tests on/with.)

Try to google for

    site:bugzilla.redhat.com iptables: Unknown error 4294967295

and

    site:bugzilla.redhat.com iptables: Unknown error 18446744073709551615

for more related bugzilla entries.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
[CentOS] IPTABLES --hitcount maximum value
Is the maximum permitted value for --hitcount documented anywhere? I reliably get an iptables-restore error when I specify a hitcount value greater than 20, but I cannot find any mention of there being a maximum value.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte Lyne Limited            http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada L8E 3C3
[CentOS] IPTABLES --hitcount maximum value
In-Reply-To: 4b30f618.6060...@kinzesberg.de

On Tue, 22 Dec 2009 17:38:48 +0100, Dirk H. Schulz dirk.sch...@kinzesberg.de wrote:
> That is a new phenomenon I also ran into. You now have to adjust memory values. I have added to my /etc/modprobe.conf
>
>     options ipt_recent ipt_pkt_list_tot=75
>
> Now I can use hitcount values of 50 (did not test if the above is sufficient for higher values). I found this on the net, so I deduce that you would be safe up to a hitcount value of 75.
>
>     [PATCH] netfilter: ipt_recent: sanity check hit count
>     From: Daniel Hokka Zakrisson
>     Date: Sat Mar 15 2008 - 10:11:05 EST
>
>     If a rule using ipt_recent is created with a hit count greater than ip_pkt_list_tot, the rule will never match as it cannot keep track of enough timestamps. This patch makes ipt_recent refuse to create such rules.
>
>     With ip_pkt_list_tot's default value of 20, . . .

Thanks for the lead.

Regards,

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte Lyne Limited            http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada L8E 3C3
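Added illustration, not part of either thread above and not code from any of the posters: a small POSIX shell helper that reads the recent module's ip_pkt_list_tot (the parameter named in the kernel patch Dirk quotes) from sysfs, rejects a --hitcount above that limit before iptables or iptables-restore is ever invoked, and otherwise prints the four-rule set from Helmut's first message for a given window and threshold. The sysfs path /sys/module/<module>/parameters/ip_pkt_list_tot, the module names xt_recent and ipt_recent, the fallback default of 20 and all function names are assumptions made for this example; the suggestion to raise the limit through a modprobe options line follows Dirk's message.

```shell
#!/bin/sh
# Added example: guard a "recent"-based rate limit against the kernel's
# ip_pkt_list_tot ceiling, which is what makes --hitcount values above the
# default of 20 fail at rule-load time on the CentOS releases in the thread.
#
# Assumptions (not taken from the mailing-list posts): the module exposes its
# parameters under /sys/module/xt_recent (CentOS 6) or /sys/module/ipt_recent
# (CentOS 5); when neither is readable we fall back to the upstream default 20.

# Effective ip_pkt_list_tot. An optional first argument overrides the sysfs
# lookup so the logic can be exercised on a machine without netfilter.
pkt_list_tot() {
    if [ -n "$1" ]; then
        echo "$1"
        return 0
    fi
    for mod in xt_recent ipt_recent; do
        f="/sys/module/$mod/parameters/ip_pkt_list_tot"
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo 20   # kernel default when the module was loaded without options
}

# hitcount must be a positive integer no larger than ip_pkt_list_tot;
# a rule with a larger value can never match (see the quoted patch).
# Returns 0 when acceptable, 1 otherwise.
check_hitcount() {
    hits="$1"; limit="$2"
    case "$hits" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$hits" -ge 1 ] && [ "$hits" -le "$limit" ]
}

# Print the rule set from the thread for the given window and threshold.
# Usage: recent_rules SECONDS HITCOUNT [PKT_LIST_TOT]
recent_rules() {
    secs="$1"; hits="$2"; limit=$(pkt_list_tot "$3")
    if ! check_hitcount "$hits" "$limit"; then
        echo "hitcount $hits exceeds ip_pkt_list_tot=$limit; raise it with" >&2
        echo "  options xt_recent ip_pkt_list_tot=$hits  (modprobe options, then reload the module)" >&2
        return 1
    fi
    cat <<EOF
-A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
-A INPUT -m state --state NEW -m recent --update --seconds $secs --hitcount $hits -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds $secs --hitcount $hits -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
EOF
}

# Demo: the CentOS 5.3-era values (60 s / 1000 hits) are refused under the
# default limit and accepted once the module allows 1000 timestamps per entry.
recent_rules 60 1000 20 || echo "rejected as expected with the default limit"
recent_rules 60 1000 1000
```

The check reproduces the kernel's own sanity rule in userspace, so a configuration management run fails with a readable message instead of the "Unknown error 4294967295" seen in the thread; the module parameter must still be set before the module is loaded (or after an unload/reload), since ip_pkt_list_tot sizes the per-address timestamp table at load time.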