* -m limit strange behavior
@ 2002-11-28 18:34 Federico Petronio
From: Federico Petronio @ 2002-11-28 18:34 UTC (permalink / raw)
To: netfilter
I just wrote some rules for iptables but I found that they don't work as
I expected.
The strange behavior is that, if I use this config:
# Generated by iptables-save v1.2.5 on Fri Nov 22 15:40:19 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
#)fp SMTP: accept connections from all IPs
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j LOG
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j ACCEPT
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j LOG
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#)fp Requests to remote DNS servers must get through
-A INPUT -s 0/0 -m tcp -p tcp --sport 53 -d 0/0 -j ACCEPT
-A INPUT -s 0/0 -m udp -p udp --sport 53 -d 0/0 -j ACCEPT
#)fp Accept SSH
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 22 -j ACCEPT
#)fp Reject the rest of UDP and TCP SYN, and log it
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j LOG
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j REJECT
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j LOG
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j REJECT
COMMIT
the limit does not work as it should (it restricts my SMTP connections
before the limit is reached; it starts blocking the second or third
connection). But if I put the SSH line just before the SMTP one, everything
works fine (the burst works and the limit too). Do you think this is
normal? Could it be a bug? Am I missing something?
I tried this several times, just changing the line I mentioned, and the result was
always the same. The config that works is this:
# Generated by iptables-save v1.2.5 on Fri Nov 22 15:40:19 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
#)fp Accept SSH
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 22 -j ACCEPT
#)fp SMTP: accept connections from all IPs
#)fp Limit tests
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j LOG --log-prefix FEDE
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j ACCEPT
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j LOG --log-prefix FEDE2
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 25 -j LOG --log-prefix FEDE2
#-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#)fp Requests to remote DNS servers must get through
-A INPUT -s 0/0 -m tcp -p tcp --sport 53 -d 0/0 -j ACCEPT
-A INPUT -s 0/0 -m udp -p udp --sport 53 -d 0/0 -j ACCEPT
#)fp Reject the rest of UDP and TCP SYN, and log it
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j LOG
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j REJECT
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j LOG
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j REJECT
COMMIT
The tests were done on RH 7.1 in VMware and on RH 7.2 on a PIII. Both systems
updated and with standard distro software.
If you need any extra information, let me know....
Thank you very much....
--
Federico Petronio
petronio@agro.uba.ar
Linux User #129974
---
Unix IS user friendly. It's just selective about who its friends are.
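The token-bucket behaviour behind -m limit, as an added example that is not part of the post and not netfilter's own ipt_limit code. It is a Python model written under the assumption that the match starts with a full bucket of --limit-burst tokens, spends one token per matching packet, refills at the --limit average rate, and keeps separate state per rule; the arrival times fed to it are constructed sample data, and the function and class names are the example's own.

```python
"""Token-bucket model of iptables `-m limit` (added illustration, not netfilter code).

Assumptions (labelled as such): the match starts with a full bucket of
--limit-burst tokens, each matching packet spends one token, tokens refill
continuously at the --limit average rate, and every rule carrying -m limit
keeps its own independent bucket.
"""


class LimitMatch:
    """One `-m limit --limit RATE --limit-burst BURST` instance (model)."""

    _UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

    def __init__(self, rate="10/minute", burst=5):
        count, unit = rate.split("/")
        self.rate_per_sec = float(count) / self._UNITS[unit]
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full: the first BURST packets match
        self.last = 0.0              # time of the previous packet seen by this rule

    def matches(self, now):
        """Return True if a packet arriving at time `now` (seconds) matches."""
        elapsed = now - self.last
        # refill at the average rate, never above the burst size
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def replay_smtp_syns(arrivals, rate="10/minute", burst=5):
    """Replay SMTP SYN arrival times (seconds) through the two limited rules
    from the post: rule 1 is `-m limit ... -j LOG`, rule 2 is
    `-m limit ... -j ACCEPT`.  Each rule has its own bucket, so both are
    evaluated independently for every packet.

    Returns a list of (t, logged, accepted) tuples."""
    log_rule = LimitMatch(rate, burst)
    accept_rule = LimitMatch(rate, burst)
    results = []
    for t in sorted(arrivals):
        logged = log_rule.matches(t)       # -j LOG does not end the rule walk
        accepted = accept_rule.matches(t)  # -j ACCEPT ends it when the limit matches
        results.append((t, logged, accepted))
    return results


if __name__ == "__main__":
    # Constructed sample: one SYN per second for six seconds, then one after a pause.
    sample = [0, 1, 2, 3, 4, 5, 20]
    for t, logged, accepted in replay_smtp_syns(sample):
        print(f"t={t:>3}s  LOG={'yes' if logged else 'no':<3}  ACCEPT={'yes' if accepted else 'no'}")
```

With 10/minute and a burst of 5, the first five SYNs match, the sixth one second later does not (only about a sixth of a token has refilled), and a SYN fifteen seconds later matches again. Because the LOG rule and the ACCEPT rule in the post each own a bucket fed by the same SYN stream they stay in lockstep; a single limited rule that jumps to a user-defined chain doing LOG and then ACCEPT would need only one bucket.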
* -m limit strange behavior
@ 2002-11-29 13:52 Federico Petronio
From: Federico Petronio @ 2002-11-29 13:52 UTC (permalink / raw)
To: netfilter-devel
I just wrote some rules for iptables but I found that they don't work as
I expected.
The strange behavior is that, if I use this config:
# Generated by iptables-save v1.2.5 on Fri Nov 22 15:40:19 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
#)fp SMTP: accept connections from all IPs
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j LOG
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j ACCEPT
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j LOG
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#)fp Requests to remote DNS servers must get through
-A INPUT -s 0/0 -m tcp -p tcp --sport 53 -d 0/0 -j ACCEPT
-A INPUT -s 0/0 -m udp -p udp --sport 53 -d 0/0 -j ACCEPT
#)fp Accept SSH
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 22 -j ACCEPT
#)fp Reject the rest of UDP and TCP SYN, and log it
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j LOG
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j REJECT
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j LOG
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j REJECT
COMMIT
the limit does not work as it should (it restricts my SMTP connections
before the limit is reached; it starts blocking the second or third
connection). But if I put the SSH line just before the SMTP one, everything
works fine (the burst works and the limit too). Do you think this is
normal? Could it be a bug? Am I missing something?
I tried this several times, just changing the line I mentioned, and the result was
always the same. The config that works is this:
# Generated by iptables-save v1.2.5 on Fri Nov 22 15:40:19 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
#)fp Accept SSH
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 22 -j ACCEPT
#)fp SMTP: accept connections from all IPs
#)fp Limit tests
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j LOG --log-prefix FEDE
-A INPUT -s 168.96.156.99 -d 0/0 -m limit --limit 10/minute --limit-burst 5 -m tcp -p tcp --dport 25 --syn -j ACCEPT
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j LOG --log-prefix FEDE2
-A INPUT -s ! 168.96.156.99 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 25 -j LOG --log-prefix FEDE2
#-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --dport 25 -j ACCEPT
#)fp Requests to remote DNS servers must get through
-A INPUT -s 0/0 -m tcp -p tcp --sport 53 -d 0/0 -j ACCEPT
-A INPUT -s 0/0 -m udp -p udp --sport 53 -d 0/0 -j ACCEPT
#)fp Reject the rest of UDP and TCP SYN, and log it
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j LOG
-A INPUT -s 0/0 -d 0/0 -m tcp -p tcp --syn -j REJECT
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j LOG
-A INPUT -s 0/0 -d 0/0 -m udp -p udp -j REJECT
COMMIT
The tests were done on RH 7.1 in VMware and on RH 7.2 on a PIII. Both systems
updated and with standard distro software.
If you need any extra information, let me know....
Thank you very much....
--
Federico Petronio
petronio@agro.uba.ar
Linux User #129974
---
Unix IS user friendly. It's just selective about who its friends are.