DaemonForums  

#1, 13th May 2011
Carpetsmoker (Real Name: Martin)

iptables: overload on max-src-conn-rate?

So this is what I use in pf:

Code:
table <oloadtbl> persist

# "overload" has to name the table declared above (the same one cron expires);
# the line as originally posted said <oload>, which is a different, undeclared table.
pass in log on $if proto tcp from any to $ip1 port ssh keep state \
  (max 30 max-src-conn 29 max-src-conn-rate 30/60 source-track overload <oloadtbl> flush global)
And cron does:
Code:
# /etc/crontab format: five time fields (minute hour day month weekday), user, command.
# Every minute, drop table entries that were added more than 600 seconds ago.
*       *       *       *       *       root /sbin/pfctl -t oloadtbl -T expire 600 > /dev/null 2>&1
so the question is how do I accomplish the same with iptables? I can't seem to figure that out.

I found some solutions on teh interwebz, but to be honest, I don't quite understand them, and I'm not going to copy/paste stuff I don't understand from sites I've never heard of.

For example from http://www.cyberciti.biz/tips/howto-...n-attacks.html

Code:
iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state
What does -s 0/0 do? Does this match any address? No address at all?

Why is the source port defined? Is that necessary?

Why do you explicitly give the states? And why NEW and ESTABLISHED and not just one?

Is this *really* the easiest and most straightforward way to accomplish this?

... Maybe someone with more experience can explain this to me ...
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

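An iptables equivalent of the pf rule in the post above, as an added example that is not part of the original post and is not the cyberciti snippet either. It uses the `recent` match to count new SSH connections per source address; a source that makes more than 30 new connections in 60 seconds is put into a second `recent` list that plays the role of the pf overload table. That list is checked with `--rcheck --seconds 600`, so an entry stops matching 600 seconds after it was added, which is what the cron `expire 600` does for the pf table. `max-src-conn 29` maps to the `connlimit` match. The chain name `SSH_RATE`, the list names `sshrate` and `sshban`, the `$IPT` variable and the apply/preview convention are this example's own choices. On the questions in the post: `-s 0/0` is "any source address"; the `--sport 513:65535` restriction does nothing useful and is left out; and because the quoted snippet's `--set` rule matches `NEW,ESTABLISHED`, every packet of every SSH session counts as a hit there, so it limits packets rather than connection attempts, which is why the rules below feed only the SYN packet of a NEW connection into the counter (the quoted snippet also uses `-I`, so its second command ends up above the first). Two things pf does that these rules do not: pf only blocks listed addresses through a separate rule that references the table, and `flush global` kills the offender's existing connections, for which iptables has no rule-level equivalent (`conntrack -D -s <addr>` from conntrack-tools does that by hand).

```shell
#!/bin/sh
# Added example (not from the original post): pf "max-src-conn-rate 30/60
# ... overload <table>" with a 600 s expiry, written with the iptables
# "recent" and "connlimit" matches. Chain name, list names and $IPT are
# this example's own conventions.
set -eu

IPT=${IPT:-iptables}      # set IPT="echo iptables" to print rules instead of applying them
SSH_PORT=22
RATE=30                   # max-src-conn-rate 30/60: more than 30 new connections
WINDOW=60                 #   in 60 s from one source -> ban the source
EXPIRE=600                # like "pfctl -T expire 600": ban lasts 600 s after it was imposed
MAXCONN=29                # max-src-conn 29: concurrent connections per source
RATE_LIST=sshrate         # recent list counting connection attempts
BAN_LIST=sshban           # recent list acting as the overload table

ssh_rate_limit_rules() {
    # Packets of already-accepted connections are accepted here and never
    # reach the counter (this is the ESTABLISHED handling that has to live
    # somewhere; putting it on the counting rule is what breaks the quoted snippet).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the first SYN of a new connection enters the chain, so one hit == one
    # connection attempt, matching pf's per-connection semantics.
    $IPT -N SSH_RATE
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" --syn -m state --state NEW -j SSH_RATE

    # 1. Source added to the ban list less than $EXPIRE s ago: drop. --rcheck
    #    does not refresh the entry's timestamp, so the ban ends $EXPIRE s after
    #    it was imposed (like the cron expire); use --update instead to keep a
    #    host banned for as long as it keeps retrying.
    $IPT -A SSH_RATE -m recent --name "$BAN_LIST" --rcheck --seconds "$EXPIRE" -j DROP

    # 2. Record this attempt. No target: the rule always matches and falls through.
    $IPT -A SSH_RATE -m recent --name "$RATE_LIST" --set

    # 3. This attempt is the (RATE+1)th within $WINDOW s: log (rate-limited),
    #    then add the source to the ban list (a --set match always succeeds,
    #    and matches are evaluated left to right) and drop.
    #    If iptables rejects --hitcount 31, the kernel caps it at the xt_recent
    #    module parameter ip_pkt_list_tot (default 20); raise it with
    #    "modprobe xt_recent ip_pkt_list_tot=64" (ipt_recent on older kernels).
    $IPT -A SSH_RATE -m recent --name "$RATE_LIST" --rcheck --seconds "$WINDOW" \
         --hitcount "$((RATE + 1))" -m limit --limit 3/min \
         -j LOG --log-prefix "ssh-overload: "
    $IPT -A SSH_RATE -m recent --name "$RATE_LIST" --rcheck --seconds "$WINDOW" \
         --hitcount "$((RATE + 1))" -m recent --name "$BAN_LIST" --set -j DROP

    # 4. max-src-conn: refuse a new connection while $MAXCONN from this source exist.
    $IPT -A SSH_RATE -m connlimit --connlimit-above "$MAXCONN" -j DROP

    $IPT -A SSH_RATE -j ACCEPT
}

case "${1:-preview}" in
    apply)   ssh_rate_limit_rules ;;
    preview) IPT="echo iptables"; ssh_rate_limit_rules ;;
    *)       echo "usage: $0 [apply|preview]" >&2; exit 2 ;;
esac
```

Run it without arguments to print the rules, with `apply` as root to load them. The lists can be inspected and edited much like a pf table: `cat /proc/net/xt_recent/sshban` shows the entries (`/proc/net/ipt_recent/` on older kernels), `echo -192.0.2.1 > /proc/net/xt_recent/sshban` removes one address and `echo / > /proc/net/xt_recent/sshban` flushes the list. Each list holds at most `ip_list_tot` addresses (default 100, another xt_recent module parameter) and evicts the oldest beyond that. The `connlimit` match is in mainline kernels since 2.6.23; on a kernel without it, leave rule 4 out. `hashlimit` (`--hashlimit-mode srcip`) is the other common way to rate-limit per source, but it only throttles and keeps no ban list, so it does not give the overload-table behaviour the pf rule has.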
#2, 13th May 2011
phoenix

-s 0/0 matches any source address. It's long-hand for "any", or shorthand for "0.0.0.0/0". It's annoying that iptables doesn't understand the words "any" or "all" for addresses.

That's about the extent of my iptables knowledge in relation to this post.
__________________
Freddie
#3, 13th May 2011
Carpetsmoker

Right, thanks ... --protocol does support "all" by the way ... 0/0 wasn't mentioned in the manpage anywhere though :-/

I spent pretty much all day configuring our new CentOS VPS at work ... We needed to get that up and running today and the only guy who knows CentOS/Linux had a day off today :-/

There were quite a few surprises along the way, and my head is itchy from being scratched so much ...