View Single Post
  #1   (View Single Post)  
Old 13th May 2011
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Tcpdump Spy
 
Join Date: Apr 2008
Location: New Zealand
Posts: 2,201
Default iptables: overload on max-src-conn-rate?

So this is what I use in pf:

Code:
table <oloadtbl> persist

pass in log on $if proto tcp from any to $ip1 port ssh keep state \
  (max 30 max-src-conn 29 max-src-conn-rate 30/60 source-track overload <oload> flush global)
And cron does:
Code:
       *       *       *       *       root /sbin/pfctl -t oloadtbl -T expire 600 > /dev/null 2>&1
so the question is how do I accomplish the same with iptables? I can't seem to figure that out.

I found some solution in teh interwebz, but to be honest, I don't quite understand them and I'm not going to copy/paste stuff I don't understand from sites I've never heard of.

For example from http://www.cyberciti.biz/tips/howto-...n-attacks.html

Code:
iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state
What does -s 0/0 do? Does this match any address? No address at all?

Why is the source port defined? Is that necessary?

Why do explicitly give the states? and why NEW and ESTABLISHED and not just one?

Is this *really* the easiest and most straightforward way to accomplish this?

... Maybe someone with more experience can explain this to me ...
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

Last edited by Carpetsmoker; 13th May 2011 at 09:35 PM.
Reply With Quote