From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@lists.netfilter.org
Subject: Re: Aren't these connections ESTABILISHED? (2nd take)
Date: Sat, 1 Oct 2005 19:07:26 -0500 [thread overview]
Message-ID: <200510011907.27026.rob0@gmx.co.uk> (raw)
In-Reply-To: <dhmn38$hsk$1@sea.gmane.org>
On Saturday 2005-October-01 14:12, Gioele Barabucci wrote:
> I spend the last weeks doing experiments with iptables but still I
> have problems with connections that should be ESTABILISHED but are
You have it spelled correctly in the script, but perhaps you should
check again. ESTABLISHED != ESTABILISHED. I am not sure if iptables
would complain about that or not, but it's always safest to spell
things correctly. :)
> not.
>
> Postfix does some DNS lookups on the DNS server (69.93.28.254). After
FWIW: my Postfices do tons of DNS lookups, so much so, that I would
never run without a caching nameserver on the same machine.
> a bit, iptables forget that the connection is ESTABILISHED and DROPs
> the reply.
When that happens you might want to check the conntrack table. Perhaps
even script something to run from -j ULOG when a packet is dropped.
Is anything not working? I have a feeling these are just occasional
strays that ip_conntrack isn't catching for some reason.
> My logs are full of dropped packets like these
> 05:32:33 69.93.28.254 53 myIP 2755 UDP
You *are* getting these from netfilter logs, correct? You have just
removed all the superfluous information for readability?
> Here is my ruleset (BTW, I did not test much the "limit SMTP trafic",
> do you think that it is correct?)
snip
> echo "Limit smtp traffic"
> iptables -I INPUT -p tcp --dport smtp -i eth0 -m state --state NEW -m
> recent --set
> iptables -I INPUT -p tcp --dport smtp -i eth0 -m state --state NEW -m
> recent --update --seconds 30 --hitcount 4 -j DROP
I have not yet used -m recent. Without RTFM it looks like you are
wanting to limit to limit any IP to 4 new connections per 30 second
period. If the problem is dictionary attacks be advised that this might
not help at all. The attacker could be attempting as many as
smtpd_recipient_limit (default 1000) usernames in a single session.
Also, I'm not sure it would do anything at all, because there cannot be
that many --state NEW connections in such a short time. Conntrack would
call those "RELATED". I think you should try --syn, not --state NEW.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
next prev parent reply other threads:[~2005-10-02 0:07 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-01 19:12 Aren't these connections ESTABILISHED? (2nd take) Gioele Barabucci
2005-10-02 0:07 ` /dev/rob0 [this message]
2005-10-02 2:16 ` Henrik Nordstrom
2005-10-02 4:48 ` Robert Nichols
2005-10-02 10:18 ` Henrik Nordstrom
2005-10-02 13:38 ` Jozsef Kadlecsik
2005-10-02 14:44 ` Henrik Nordstrom
2005-10-02 20:23 ` Jozsef Kadlecsik
2005-10-02 21:08 ` Jozsef Kadlecsik
2005-10-03 8:30 ` Henrik Nordstrom
2005-10-03 8:24 ` Henrik Nordstrom
2005-10-02 19:16 ` /dev/rob0
2005-10-02 20:38 ` Jozsef Kadlecsik
2005-10-02 21:13 ` /dev/rob0
2005-10-03 11:48 ` Henrik Nordstrom
2005-10-03 11:44 ` Henrik Nordstrom
2005-10-04 13:19 ` Jozsef Kadlecsik
2005-10-02 18:11 ` Gioele Barabucci
2005-10-02 2:02 ` Henrik Nordstrom
2005-10-02 17:45 ` Gioele Barabucci
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200510011907.27026.rob0@gmx.co.uk \
--to=rob0@gmx.co.uk \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.