From: Federico Petronio <petronio@agro.uba.ar>
To: netfilter@lists.netfilter.org
Subject: -m limit strange behavior
Date: Thu, 28 Nov 2002 15:34:56 -0300
Message-ID: <3DE661D0.50208@agro.uba.ar>
I just wrote some rules for iptables but I found that they don't work as
I expected.
The strange behavior is that, if I use this config:
# Generated by iptables-save v1.2.5 on Fri Nov 22 15:40:19 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
#)fp SMTP: accept connections from all IPs
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j LOG
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j ACCEPT
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j LOG
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#)fp Requests to remote DNS servers must get through
-A INPUT -s 0/0 -m tcp -p tcp --sport 53 -d 0/0 -j ACCEPT
-A INPUT -s 0/0 -m udp -p udp --sport 53 -d 0/0 -j ACCEPT
#)fp Accept SSH
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 22 -j ACCEPT
#)fp Reject the rest of the UDP and TCP SYN packets, and log them
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j LOG
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j REJECT
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j LOG
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j REJECT
COMMIT
the limit does not work as it should (it restricts my SMTP connections
before the limit is reached; it starts blocking the second or third
connection). But if I put the ssh line just before the SMTP one, all
works fine (the burst works and the limit too). Do you think this is
normal? Could it be some bug? Am I missing something?
I tried this several times, just changing the line I told you about, and the
result was always the same. The config that works is this:
# Generated by iptables-save v1.2.5 on Fri Nov 22 15:40:19 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
#)fp Accept SSH
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 22 -j ACCEPT
#)fp SMTP: accept connections from all IPs
#)fp Limit tests
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j LOG --log-prefix FEDE
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j ACCEPT
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j LOG --log-prefix FEDE2
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 25 -j LOG --log-prefix FEDE2
#-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#)fp Requests to remote DNS servers must get through
-A INPUT -s 0/0 -m tcp -p tcp --sport 53 -d 0/0 -j ACCEPT
-A INPUT -s 0/0 -m udp -p udp --sport 53 -d 0/0 -j ACCEPT
#)fp Reject the rest of the UDP and TCP SYN packets, and log them
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j LOG
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j REJECT
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j LOG
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j REJECT
COMMIT
The tests were done on RH 7.1 on VMware and RH 7.2 on a PIII. Both systems
were updated and running standard distro software.
If you need any extra information, let me know....
Thank you very much....
--
Federico Petronio
petronio@agro.uba.ar
Linux User #129974
---
Unix IS user friendly. It's just selective about who its friends are.
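An added illustration, not part of Federico's message or of the netfilter project: a small Python model of how a rule's -m matches are tried in the order they were written, with the limit match spending a token before the tcp match gets its chance to refuse the packet. It assumes the SSH session came from 168.96.156.99, the same host the SMTP limit rule names; the message does not say where the SSH traffic originated.

```python
# Constructed model, not netfilter code. iptables applies a rule's header
# checks (-s, -p) first, then its -m matches left to right, stopping at the
# first one that fails. ipt_limit spends a token as soon as it matches, so
# with "-m limit" before "-m tcp --dport 25 --syn" any TCP packet from SRC
# that reaches the rule (an SSH session, say) drains the bucket.
SRC = "168.96.156.99"          # source host from the post
RATE_PER_SEC = 10 / 60         # --limit 10/minute
BURST = 5                      # --limit-burst 5

class LimitMatch:
    """Token bucket in the spirit of ipt_limit: refills at `rate`, caps at `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.credit, self.last = float(burst), 0.0

    def __call__(self, pkt, now):
        self.credit = min(self.burst, self.credit + (now - self.last) * self.rate)
        self.last = now
        if self.credit >= 1.0:
            self.credit -= 1.0   # spent even if a later match then rejects the packet
            return True
        return False

def tcp_syn_to(port):
    return lambda pkt, now: pkt["dport"] == port and pkt["syn"]

def rule_matches(matches, pkt, now):
    # all() short-circuits: a later match never sees a packet an earlier one refused
    return pkt["src"] == SRC and pkt["proto"] == "tcp" and all(m(pkt, now) for m in matches)

# Constructed traffic: an SSH session from SRC (8 packets within 0.7 s), then
# three SMTP connection attempts from the same host one second later.
PACKETS = [(i / 10, {"src": SRC, "proto": "tcp", "dport": 22, "syn": False}) for i in range(8)]
PACKETS += [(1.0 + i / 10, {"src": SRC, "proto": "tcp", "dport": 25, "syn": True}) for i in range(3)]

def accepted_smtp(limit_first):
    """Count the SMTP SYNs the rule accepts; limit_first=True mirrors the poster's rule."""
    limit = LimitMatch(RATE_PER_SEC, BURST)
    matches = [limit, tcp_syn_to(25)] if limit_first else [tcp_syn_to(25), limit]
    return sum(rule_matches(matches, pkt, t) for t, pkt in PACKETS)

if __name__ == "__main__":
    print("limit before tcp match:", accepted_smtp(True))    # 0: SSH packets drained the bucket
    print("limit after tcp match: ", accepted_smtp(False))   # 3: every SMTP SYN passes
```

Putting the ssh ACCEPT rule first hides the symptom only because those packets no longer reach the limit rule; writing `-m limit` after the tcp match keeps the bucket for SMTP SYNs regardless of rule order.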