iptables and limit module - Security



Thread: iptables and limit module

  1. iptables and limit module

    Hi!

    I think I may be misunderstanding rule precedence... I'm trying to
    limit SYN packets, "new" UDP flows, and ICMP traffic. First, here's
    what I tried for ICMP (IPT=/sbin/iptables):

    $IPT -A inbound -p icmp -m limit --limit 1/s --limit-burst 5 -j ACCEPT
    $IPT -A inbound -p icmp -s 0/0 -j ACCEPT

    $IPT -A INPUT -p icmp -j inbound

    This did not have the desired effect. When I replaced the first two
    lines above with:

    $IPT -A inbound -p icmp -s $any --icmp-type 8 \
    -m limit --limit 1/s --limit-burst 5 -j ACCEPT

    ....everything worked. But why? I had hoped to limit SYN packets
    with:

    $IPT -A inbound -p tcp --syn -m limit --limit 4/s --limit-burst 10 -j ACCEPT

    ....followed by rules for specific protocols and a follow-on rule to
    push TCP traffic from INPUT to inbound, but a quick test with hping
    proves that this is not the case. Are rules processed in order, or
    according to a best match scheme? Or am I missing something else?
    Any clues appreciated!!!

    -r


  2. Re: iptables and limit module

    Bug wrote:

    > Hi!
    >
    > I think I may be misunderstanding rule precedence... I'm trying to
    > limit SYN packets, "new" UDP flows, and ICMP traffic. First, here's
    > what I tried for ICMP (IPT=/sbin/iptables):
    >
    > $IPT -A inbound -p icmp -m limit --limit 1/s --limit-burst 5 -j ACCEPT
    > $IPT -A inbound -p icmp -s 0/0 -j ACCEPT
    >
    > $IPT -A INPUT -p icmp -j inbound


    This means:
    If icmp packets are blocked due to exceeding your limitations they will be
    processed by the following rule which accepts all icmp packets. That's why
    it does not work. Leave out the second rule and it'll work as expected.

    >
    > This did not have the desired effect. When I replaced the first two
    > lines above with:
    >
    > $IPT -A inbound -p icmp -s $any --icmp-type 8 \
    > -m limit --limit 1/s --limit-burst 5 -j ACCEPT


    This time there's no rule accepting packets exceeding limitations. You don't
    need to specify the source here; if you don't, the source is set to 0/0 by default.

    >
    > ...everything worked. But why? I had hoped to limit SYN packets
    > with:
    >
    > $IPT -A inbound -p tcp --syn -m limit --limit 4/s --limit-burst 10 -j ACCEPT
    >
    > ...followed by rules for specific protocols and a follow-on rule to
    > push TCP traffic from INPUT to inbound, but a quick test with hping
    > proves that this is not the case. Are rules processed in order, or
    > according to a best match scheme? Or am I missing something else?


    Rules are processed in order and first matching rule wins.
    But: If a rule does not match (and exceeding limitations is like "not
    match") packets are not dropped, they are not processed by that rule at
    all. Instead the next rule is tried. And that rule may very well still
    accept packets.

    For what you plan on TCP SYN packets, do it like this:

    $IPT -A inbound -p tcp --syn -m limit --limit 4/s --limit-burst 10 -j tcp-filter
    $IPT -A inbound -p tcp --syn -j DROP

    then set up all protocol-specific rules in tcp-filter chain. This will
    forward all traffic within limitations to their protocol specific rules and
    drop all traffic exceeding limitations.

    Hope that helps,
    Felix
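    The behaviour Felix describes (the limit match is a match, not a target: once its
    bucket is empty the rule simply does not match and the packet falls through to the
    next rule or the chain policy) can be checked offline with the following simulation.
    This is an added example, not code from the thread; the token bucket is an
    approximation of the limit module, the packet classes "icmp"/"tcp-syn", the 100
    packets/s flood and the DROP chain policy are constructed, and the three rule sets
    are modelled on the ones posted above.

    ```python
    from collections import Counter
    from dataclasses import dataclass
    from fractions import Fraction
    from typing import Optional


    class Limit:
        """Token bucket standing in for '-m limit --limit RATE/s --limit-burst BURST'."""
        def __init__(self, rate, burst):
            self.rate, self.burst = rate, burst                 # refill per second, bucket size
            self.tokens, self.last = Fraction(burst), Fraction(0)  # exact arithmetic, no float drift

        def matches(self, now):
            self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens >= 1:
                self.tokens -= 1
                return True
            return False   # bucket empty: the rule does NOT match; nothing is dropped here


    @dataclass
    class Rule:
        match: str                      # constructed packet class: "icmp" or "tcp-syn"
        target: str                     # ACCEPT, DROP or a user chain name
        limit: Optional[Limit] = None


    def traverse(rules, pkt, now, policy="DROP"):
        """First matching rule wins; a rule that does not match (limit exhausted
        included) is skipped and the next one is tried, as in a netfilter chain."""
        for rule in rules:
            if rule.match != pkt:
                continue
            if rule.limit is not None and not rule.limit.matches(now):
                continue
            return rule.target
        return policy


    def flood(rules, pkt, count=100, pps=100, policy="DROP"):
        """Send `count` packets evenly spaced at `pps`/s and tally the verdicts."""
        return dict(Counter(traverse(rules, pkt, Fraction(i, pps), policy) for i in range(count)))


    def broken_icmp():   # the original post: limit ACCEPT followed by an accept-all
        return [Rule("icmp", "ACCEPT", Limit(1, 5)), Rule("icmp", "ACCEPT")]

    def fixed_icmp():    # accept-all removed; excess falls through to the chain policy
        return [Rule("icmp", "ACCEPT", Limit(1, 5))]

    def fixed_syn():     # Felix's pattern: within limit -> tcp-filter, excess -> DROP
        return [Rule("tcp-syn", "tcp-filter", Limit(4, 10)), Rule("tcp-syn", "DROP")]
    ```

    With a one-second burst of 100 packets the broken chain accepts all 100, the fixed
    ICMP chain accepts only the 5-packet burst, and the SYN chain passes the 10-packet
    burst plus roughly 4/s afterwards to tcp-filter and drops the rest.
    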

  3. Re: iptables and limit module


    > Rules are processed in order and first matching rule wins.
    > But: If a rule does not match (and exceeding limitations is like "not
    > match") packets are not dropped, they are not processed by that rule at
    > all. Instead the next rule is tried. And that rule may very well still
    > accept packets.


    Ah ("sound" of light bulb turning on)...

    > For what you plan on TCP SYN packets, do it like this:
    >
    > $IPT -A inbound -p tcp --syn -m limit --limit 4/s --limit-burst 10 -j tcp-filter
    > $IPT -A inbound -p tcp --syn -j DROP
    >
    > then set up all protocol-specific rules in tcp-filter chain. This will
    > forward all traffic within limitations to their protocol specific rules and
    > drop all traffic exceeding limitations.


    Beautiful explanation! It is now perfectly clear. Thank you!!!

    -r
