* Re: match limit with inverse [!]
2002-11-23 18:24 ` match limit with inverse [!] Jerome de Vivie
@ 2002-11-23 17:53 ` Cedric Blancher
2002-11-29 10:11 ` Graham - Reg.CA
0 siblings, 1 reply; 3+ messages in thread
From: Cedric Blancher @ 2002-11-23 17:53 UTC (permalink / raw)
To: Jerome de Vivie; +Cc: Graham- Reg.CA, netfilter-devel
On Sat 23/11/2002 at 19:24, Jerome de Vivie wrote:
> You're out of luck. The patch hasn't been applied because it is a kernel
> header and could disturb older versions of netfilter. The patch is under
> http://perso.wanadoo.fr/jerome.de-vivie/ipt/
However, we can emulate limit inverse with a user chain. Suppose you
want to log and drop ICMPs that are over the 1/s limit:
iptables -N inv_limit
iptables -A FORWARD -p icmp -j inv_limit
# packets within the limit leave the chain untouched
iptables -A inv_limit -m limit --limit 1/s -j RETURN
# everything above the limit is logged (--log-prefix belongs to LOG, not RETURN), then dropped
iptables -A inv_limit -j LOG --log-prefix "Over limit ICMP "
iptables -A inv_limit -j DROP
[...]
That's only a workaround...
--
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security expert - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
^ permalink raw reply [flat|nested] 3+ messages in thread
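As an added example (not Cédric's code or anything else from the thread), a reusable shell form of the same user-chain workaround; the helper names, the IPT variable and the log rate are my own choices. It also rate-limits the LOG rule, so a flood above the limit does not flood the log as well; with IPT left at its default of echo it only prints the rules.

```sh
#!/bin/sh
# Added example, not from the thread. IPT defaults to echo so the rules are
# previewed; run with IPT=iptables as root to actually apply them.
IPT="${IPT:-echo}"

# inv_limit_add CHAIN PARENT "MATCH" RATE BURST PREFIX
# Creates CHAIN and hooks it into PARENT for packets matching MATCH.
# Inside CHAIN the limit is inverted by rule order: packets within RATE
# (bucket of BURST) RETURN untouched; the excess is logged and dropped.
inv_limit_add() {
    chain=$1; parent=$2; match=$3; rate=$4; burst=$5; prefix=$6
    $IPT -N "$chain"
    # $match is deliberately unquoted so "-p icmp" splits into two arguments
    $IPT -A "$parent" $match -j "$chain"
    $IPT -A "$chain" -m limit --limit "$rate" --limit-burst "$burst" -j RETURN
    # The LOG rule is itself rate-limited: otherwise every over-limit packet
    # of a flood would also produce a log line.
    $IPT -A "$chain" -m limit --limit 3/min -j LOG --log-prefix "$prefix"
    $IPT -A "$chain" -j DROP
}

# inv_limit_del CHAIN PARENT "MATCH": unhook, flush and delete the chain.
inv_limit_del() {
    chain=$1; parent=$2; match=$3
    $IPT -D "$parent" $match -j "$chain"
    $IPT -F "$chain"
    $IPT -X "$chain"
}

# The ICMP case from the thread: 1/s with the limit match's default burst of 5.
inv_limit_add inv_limit FORWARD "-p icmp" 1/s 5 "Over limit ICMP "
```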
* Re: match limit with inverse [!]
From: Jerome de Vivie @ 2002-11-23 18:24 UTC (permalink / raw)
To: Graham- Reg.CA, netfilter-devel
You're out of luck. The patch hasn't been applied because it is a kernel
header and could disturb older versions of netfilter. The patch is under
http://perso.wanadoo.fr/jerome.de-vivie/ipt/
I hope that the core maintainers could apply it now.
Regards,
j.
"Graham- Reg.CA" wrote:
>
> Hello,
>
> Has the match limit with inverse [!] patch ever been applied to any of the
> newer versions of iptables/netfilter?
>
> I have a number of DoS attack-type situations and a few special situations
> (such as limiting outgoing user traffic) that would really benefit from
> this.
>
> Putting the exclamation mark in on the command line (as the man pages
> suggest) just seems to be ignored - so we end up dropping all packets below
> that threshold, not above it.
>
> Just wondering if limit ever had the inverse patch (or similar) added to it,
> or if I'm out of luck :(
>
> Running Kernel 2.4.18 and a pretty recent version of iptables.
>
> Thanks!
> - Graham.
--
Jérôme de Vivie
* Re: match limit with inverse [!]
From: Graham - Reg.CA @ 2002-11-29 10:11 UTC (permalink / raw)
To: Cedric Blancher, Jerome de Vivie; +Cc: netfilter-devel
Thanks! The new workaround is hardly as convenient, but we managed to work
out a workable set of rules in the end. It would have saved us a lot of
confusion if the documentation (man iptables) didn't imply that the "!"
rule worked.
Still, it would be nice to see the proper inverse work for a later release -
the "inverse" rule is hardly intuitive.
----- Original Message -----
From: "Cedric Blancher" <blancher@cartel-securite.fr>
To: "Jerome de Vivie" <jerome.de-vivie@wanadoo.fr>
Cc: "Graham- Reg.CA" <graham@reg.ca>; <netfilter-devel@lists.netfilter.org>
Sent: Saturday, November 23, 2002 9:53 AM
Subject: Re: match limit with inverse [!]
> On Sat 23/11/2002 at 19:24, Jerome de Vivie wrote:
> > You're out of luck. The patch hasn't been applied because it is a kernel
> > header and could disturb older versions of netfilter. The patch is under
> > http://perso.wanadoo.fr/jerome.de-vivie/ipt/
>
> However, we can emulate limit inverse with a user chain. Suppose you
> want to log and drop ICMPs that are over the 1/s limit:
>
> iptables -N inv_limit
> iptables -A FORWARD -p icmp -j inv_limit
> iptables -A inv_limit -m limit --limit 1/s -j RETURN
> iptables -A inv_limit -j LOG --log-prefix "Over limit ICMP "
> iptables -A inv_limit -j DROP
> [...]
>
> That's only a workaround...
>
> --
> Cédric Blancher <blancher@cartel-securite.fr>
> IT systems and networks security expert - Cartel Sécurité
> Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
> PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE