On 03/10/2018 10:16 PM, Florian Westphal wrote:
> Toralf Förster <toralf.foers...@gmx.de> wrote:
>> At my server (stable hardened Gentoo with vanilla 4.15.7) I do have this 
>> rule:
>>
>> /sbin/iptables -A OUTPUT -p tcp --destination-port 443 --syn --match 
>> connlimit --connlimit-above 3000 --connlimit-mask 0 --connlimit-daddr 
>> --match limit --limit 1/second --limit-burst 1 -j LOG --log-prefix "443 
>> hammered "
>>
>> Sometimes (usually after 2-4 days uptime) however this rule fires too often 
>> - even over hours.
>>
>> When I restart the iptable script then the rule stopps to fire. This 
>> happened few times in a row over the last weeks. So I'm convinced that there 
>> wasn't an external event related to this behaviour.
> 
> You could check via conntrack -L.

HHm, the output of "conntrack -L" let me wonder if the rule gave the output I 
wanted to achieve.
I'd like to get a log entry, if there are more than 3,000 new SYN connections 
within the last second, not, if there are 3,000 SYN at all.
So I'm pretty unsure, if the iptables rule is the right one?

-- 
Toralf
PGP C4EACDDE 0076E94E
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to