* iptables ip tracking buffer size?
@ 2017-03-03 18:20 Matthew Sims
2017-03-03 19:09 ` Pascal Hambourg
2017-03-06 20:30 ` Robert White
0 siblings, 2 replies; 3+ messages in thread
From: Matthew Sims @ 2017-03-03 18:20 UTC (permalink / raw)
To: netfilter
Quick backstory. I recently took over an unused project from a co-worker
who left over a year ago. The idea was to block IPs that reached a certain
hit_count limit within a minute.
When this was enabled, it worked...sort of. While iptables was keeping
track of IPs, we weren't able to block when tests were performed.
The reason had something to do with IPs in a "buffer pool" (??) were being
knocked out when new IPs were tracked? I don't have the actual issue as he
never documented it. I'm guessing that while iptables was keeping track of
hit_counts, the list grew so big that it had to bump out IPs at the end of
the list to track new ones.
This is the best I can do to describe this and wondered if anyone knows
about this. I don't have a name that allows me to research this so its been
difficult to find a solution.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: iptables ip tracking buffer size?
2017-03-03 18:20 iptables ip tracking buffer size? Matthew Sims
@ 2017-03-03 19:09 ` Pascal Hambourg
2017-03-06 20:30 ` Robert White
1 sibling, 0 replies; 3+ messages in thread
From: Pascal Hambourg @ 2017-03-03 19:09 UTC (permalink / raw)
To: Matthew Sims; +Cc: netfilter
Le 03/03/2017 à 19:20, Matthew Sims a écrit :
> Quick backstory. I recently took over an unused project from a co-worker
> who left over a year ago. The idea was to block IPs that reached a certain
> hit_count limit within a minute.
>
> When this was enabled, it worked...sort of. While iptables was keeping
> track of IPs, we weren't able to block when tests were performed.
>
> The reason had something to do with IPs in a "buffer pool" (??) were being
> knocked out when new IPs were tracked? I don't have the actual issue as he
> never documented it. I'm guessing that while iptables was keeping track of
> hit_counts, the list grew so big that it had to bump out IPs at the end of
> the list to track new ones.
You may be talking about the "recent" match.
The iptables or iptables-extensions manpage describes how to tune its
table sizes.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: iptables ip tracking buffer size?
2017-03-03 18:20 iptables ip tracking buffer size? Matthew Sims
2017-03-03 19:09 ` Pascal Hambourg
@ 2017-03-06 20:30 ` Robert White
1 sibling, 0 replies; 3+ messages in thread
From: Robert White @ 2017-03-06 20:30 UTC (permalink / raw)
To: Matthew Sims, netfilter
On 03/03/17 18:20, Matthew Sims wrote:
> Quick backstory. I recently took over an unused project from a co-worker
> who left over a year ago. The idea was to block IPs that reached a certain
> hit_count limit within a minute.
You don't need "a project" you just need the "recent" match and a branch
chain.
Consider this set of rules for throttling SSH attempts to five per hour.
iptables --new-chain SSHTHROTTLE
iptables --append SSHTHROTTLE --match recent --name bad_actors --update
--seconds 86400 --jump DROP
iptables --append SSHTHROTTLE --match hashlimit --hashlimit-name
ssh_throttle --hashlimit-upto 5/hour --hashlimit-mode srcip
--hashlimit-burst 2 --jump ACCEPT
iptables --append SSHTHROTTLE --match recent --name bad_actors --set
--jump DROP
iptables --append INPUT --in-interface ext+ --proto tcp --match
conntrack --ctstate NEW --dport 22 --syn --jump SSHTHROTTLE
So the core thing is the three rules in the SSHTHROTTLE chain. How does
it do what you want?
In the _last_ rule of the chain, the source ip address is added to the
"bad_actors" set and the packet is dropped.
In the first rule the "--match recent" with "--update" is only true if
the packet's source ip address is already in the "bad_actors" set. So it
only does the DROP if some previous pass through the chain got all the
way to the end of the chain.
So the middle rule, the hashlimit rule will ACCEPT up to five attempts
an hour. Since "ACCEPT" stops the chain evaluation the "hashlimit"
allows up to five connections an hour. So as long as the client never
does six or more an hour he's fine.
Now back to that first rule. The --seconds value (one day in this case)
acts as a grace period. If the bad actor goes away for a day then the
match will miss and they can proceed with a new connection. Since the
recent match is less than the penalty time they are forgiven their past
sins and they are back to five connections an hour.
NOTE: using "-j RETURN" instead of "-j ACCEPT" will make this logic work
without actually accepting the packet, so you can have this kind of gate
without the gate needing to be the point of authorization. By that I
mean that the throttling doesn't have to be tied to the details of the rule.
So playing around with timing and other parameters, and using other
conditions on the call rule can let one gate/throttle be part of many
sequences without making things hard.
You need one chain per throttle group, but you can have lots of
different throttles by using different names in the recent and
[hash]limit stanzas.
Eventually you will hit limits if you've got thousands of entries in the
limits and whatnot because memory is a finite resource.
But you don't need complex code or any kind of external program to pull
off these throttles.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-03-06 20:30 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-03 18:20 iptables ip tracking buffer size? Matthew Sims
2017-03-03 19:09 ` Pascal Hambourg
2017-03-06 20:30 ` Robert White
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.