On 11/24/2015 04:23 PM, Kiss Gábor wrote:
> This morning I checked some of pool servers and I found that a few clients
> send enormous amount of NTP requests.
> I decided to limit the rate of this traffic by iptables.
> I applied these rules:
> -A INPUT --protocol udp --dport ntp --match hashlimit --hashlimit 100/hour 
> --hashlimit-mode srcip --hashlimit-name ntp_ratelimit --jump ACCEPT

This will most likely not do what you want, as you're not setting
--hashlimit-htable-expire, and IIRC it defaults to 10 seconds or
something equally ridiculous. That means IPs that do not send any
packets to you for (10 seconds + garbage collection interval) will drop
out of the table and start fresh.
If that is a rule that gets used a lot, you will also want to increase
--hashlimit-htable-size.
I do not see a --hashlimit-srcmask either, but that would probably make
sense.

Last but not least I think a limit of 100/hour does not make much sense.

> How much kernel memory will that use on a busy server?

We use something like this on a very busy server, as in about 2000
packets/second busy, and although I cannot give you numbers about how
much of that is kernel memory from the hashlimit tables, that machine
peaks at 750 MB of RAM usage for the whole system. Unless you're on
something very small embedded, that really isn't going to be a problem
on any current machine.

BTW: It might be a good idea to add something like
> iptables -t raw -A PREROUTING -p udp --dport 123 -j NOTRACK
> iptables -t raw -A OUTPUT -p udp --sport 123 -j NOTRACK
if you're not matching on any connection state in your firewall, to make
sure you're not wasting CPU cycles and memory on tracking connections
that make no sense to be tracked. (Note: notrack uses a different syntax
in newer kernels)

Regards,
-- 
Michael Meier, Zentrale Systeme
Friedrich-Alexander-Universitaet Erlangen-Nuernberg
Regionales Rechenzentrum Erlangen
Martensstrasse 1, 91058 Erlangen, Germany
Tel.: +49 9131 85-28973, Fax: +49 9131 302941
[email protected]
www.rrze.fau.de
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
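As an added example, not code from Michael Meier's mail or from the pool project: the rule as posted next to a version that carries the options the reply names (htable expire, htable size, srcmask, and NOTRACK in the raw table). The rate, burst, prefix length, table size and expiry values are assumptions to be tuned per server, not recommendations from the mail; the script prints the commands unless invoked with `apply`.

```shell
#!/bin/sh
# Assumed parameters (override via environment); the mail gives none of these.
NTP_RATE="${NTP_RATE:-10/minute}"            # token refill rate (mail only says 100/hour is too low)
NTP_BURST="${NTP_BURST:-20}"                 # bucket size; iptables default is 5
NTP_SRCMASK="${NTP_SRCMASK:-24}"             # count per IPv4 /24 (--hashlimit-srcmask)
NTP_HTABLE_SIZE="${NTP_HTABLE_SIZE:-65536}"  # hash buckets for a busy server
NTP_EXPIRE_MS="${NTP_EXPIRE_MS:-600000}"     # 10 min in ms; must exceed burst*interval,
                                             # else a client that pauses gets a fresh bucket

# The rule as posted: no expire/size/srcmask, and ACCEPT only, so packets over
# the limit simply fall through to whatever rule comes next.
weak_rules() {
    echo "iptables -A INPUT -p udp --dport 123 -m hashlimit --hashlimit 100/hour \\"
    echo "  --hashlimit-mode srcip --hashlimit-name ntp_ratelimit -j ACCEPT"
}

# Hardened variant. NOTRACK is the syntax the mail uses on older kernels; the
# newer form (xt_CT) is '-j CT --notrack', which is what is emitted here.
hardened_rules() {
    cat <<EOF
# raw table: skip connection tracking for NTP in both directions
iptables -t raw -A PREROUTING -p udp --dport 123 -j CT --notrack
iptables -t raw -A OUTPUT     -p udp --sport 123 -j CT --notrack
# filter table: per-source-prefix token bucket, then drop what exceeds it
iptables -A INPUT -p udp --dport 123 -m hashlimit \\
  --hashlimit-upto $NTP_RATE --hashlimit-burst $NTP_BURST \\
  --hashlimit-mode srcip --hashlimit-srcmask $NTP_SRCMASK \\
  --hashlimit-name ntp_ratelimit \\
  --hashlimit-htable-size $NTP_HTABLE_SIZE \\
  --hashlimit-htable-expire $NTP_EXPIRE_MS -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j DROP
EOF
}

# Check: the live table (one line per tracked source) is exported by the kernel
# under /proc/net/ipt_hashlimit/<name>; its length shows how many entries you pay for.
show_table() {
    cat "/proc/net/ipt_hashlimit/${1:-ntp_ratelimit}" 2>/dev/null || echo "table not loaded"
}

case "${1:-print}" in
    apply) hardened_rules | sh -e ;;   # run as root on the NTP server
    *)     hardened_rules ;;
esac
```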
