From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: How to stop the flood?
Date: Sun, 01 May 2005 14:19:24 -0500
Message-ID: <42752BBC.8000203@riverviewtech.net>
In-Reply-To: <42742A0C.5040808@danbbs.dk>
> If clients can change IP's on the fly, they can change MAC's all the
> same. Of course, arranging DHCP on a per-client-based-on-MAC scheme will
> catch this behavior (which you more or less pointed out).
Rather than DROPing based on a known IP/MAC pair, you could accept based on the IP/MAC pair; thus, if the client did change things on you, they would not be able to get to the internet. This is normally how this works. About the only caveat that I can see for this would be if a client switched NICs with another client.
> So you chose IMAP merely as an example.. Meaning you'd do similarly for
> other services of interest, right? Good idea, tnx.
Exactly:
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 20
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 20
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 21
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 21
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 22
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 22
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 23
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 23
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 25
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 25
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 53
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 53
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p udp --dport 53
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p udp --sport 53
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 80
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 80
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 110
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 110
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 119
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 119
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 143
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 143
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 443
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 443
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p tcp --dport 20
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p tcp --sport 20
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p tcp --dport 21
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p tcp --sport 21
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p tcp --dport 22
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p tcp --sport 22
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p tcp --dport 23
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p tcp --sport 23
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p tcp --dport 25
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p tcp --sport 25
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p tcp --dport 53
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p tcp --sport 53
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p udp --dport 53
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p udp --sport 53
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p tcp --dport 80
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p tcp --sport 80
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p tcp --dport 110
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p tcp --sport 110
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p tcp --dport 119
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p tcp --sport 119
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p tcp --dport 143
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p tcp --sport 143
iptables -t filter -A FORWARD -i $Client_2 -s $Client_2_Subnet -p tcp --dport 443
iptables -t filter -A FORWARD -o $Client_2 -d $Client_2_Subnet -p tcp --sport 443
etc. These rules will have their counters incremented for every packet that passes to or from one of your clients' interfaces and subnets. This way you will have an idea how much traffic of each type they generate.
If you were really curious you could do something like the following too:
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --sport 0:1023 --dport 80
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 80 --dport 0:1023
iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --sport 1024:65535 --dport 80
iptables -t filter -A FORWARD -o $Client_1 -d $Client_1_Subnet -p tcp --sport 80 --dport 1024:65535
This will tell you the amount of traffic for each type originating from the non-ephemeral range and how much traffic is originating from the ephemeral range. IMHO *MOST* if not all of the client web traffic to web servers should originate from ephemeral ports.
Grant. . . .
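The following script is an added example and is not part of Grant's mail or of the netfilter project. It covers both points of the reply: the IP/MAC accept rule from the first paragraph (using the real `-m mac --mac-source` match), and the per-client, per-service accounting rules generated by a loop instead of by hand, including the privileged/ephemeral source-port split for port 80. It also parses the counters that `iptables -t filter -vnxL FORWARD` reports so you can see which client and service generated the bytes. The interface names (eth1, eth2), subnets (192.0.2.0/24, 198.51.100.0/24), the client address and MAC, and the sample counter output are all constructed placeholders, and the helper names (mac_allow, gen_rules, gen_split, summarize, bytes_for) are this example's own. IPT defaults to "echo iptables", so running the script only prints the commands; set IPT=iptables and run it as root to actually load them.

```shell
#!/bin/sh
# Added example, not from Grant's mail or the netfilter project: emit the
# IP/MAC allow rule, generate the per-client accounting rules in a loop,
# and summarise the counters read back from the FORWARD chain.
#
# Assumptions: interfaces, subnets, addresses and MACs below are constructed
# placeholders. IPT defaults to "echo iptables" so the script only prints the
# commands; set IPT=iptables and run as root to actually load them.

IPT=${IPT:-"echo iptables"}

# One client per line: interface, subnet (constructed values).
CLIENTS='eth1 192.0.2.0/24
eth2 198.51.100.0/24'

# Service list from the original mail: protocol and port.
PORTS='tcp 20
tcp 21
tcp 22
tcp 23
tcp 25
tcp 53
udp 53
tcp 80
tcp 110
tcp 119
tcp 143
tcp 443'

# mac_allow IFACE IP MAC: forward only when the source IP and source MAC are
# the pair assigned to that client; anything else falls through to whatever
# the chain does next (a DROP policy, for instance).
mac_allow() {
    $IPT -t filter -A FORWARD -i "$1" -s "$2" -m mac --mac-source "$3" -j ACCEPT
}

# gen_rules: one inbound (-i/--dport) and one outbound (-o/--sport) rule per
# client and service. No -j target, so the rules only count packets and
# never decide their fate.
gen_rules() {
    echo "$CLIENTS" | while read -r iface subnet; do
        echo "$PORTS" | while read -r proto port; do
            $IPT -t filter -A FORWARD -i "$iface" -s "$subnet" -p "$proto" --dport "$port"
            $IPT -t filter -A FORWARD -o "$iface" -d "$subnet" -p "$proto" --sport "$port"
        done
    done
}

# gen_split IFACE SUBNET PORT: the "really curious" variant, splitting the
# client side of one service into the privileged (0:1023) and ephemeral
# (1024:65535) port ranges.
gen_split() {
    for range in 0:1023 1024:65535; do
        $IPT -t filter -A FORWARD -i "$1" -s "$2" -p tcp --sport "$range" --dport "$3"
        $IPT -t filter -A FORWARD -o "$1" -d "$2" -p tcp --sport "$3" --dport "$range"
    done
}

# summarize: read "iptables -t filter -vnxL FORWARD" output on stdin and print
# "IFACE dport|sport PORT BYTES" per accounting rule. With the target column
# empty, the in/out interfaces are fields 5 and 6.
summarize() {
    awk '
    /^Chain / || /^ *pkts / { next }
    {
        dir = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dpt:/) { dir = "dport"; port = substr($i, 5) }
            else if ($i ~ /^spt:/) { dir = "sport"; port = substr($i, 5) }
        }
        if (dir == "") next          # not one of the port-based rules
        iface = (dir == "dport") ? $5 : $6
        bytes[iface " " dir " " port] += $2
    }
    END { for (k in bytes) print k, bytes[k] }' | sort
}

# Constructed counter output, in the layout iptables -vnx prints when the
# target column is empty.
SAMPLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120      9600            tcp  --  eth1   *       192.0.2.0/24         0.0.0.0/0            tcp dpt:80
     300    360000            tcp  --  *      eth1    0.0.0.0/0            192.0.2.0/24         tcp spt:80
      40      3200            tcp  --  eth1   *       192.0.2.0/24         0.0.0.0/0            tcp dpt:143
      10       800            udp  --  eth2   *       198.51.100.0/24      0.0.0.0/0            udp dpt:53'

# bytes_for IFACE DIR PORT: look one counter up in the summary of SAMPLE.
bytes_for() {
    echo "$SAMPLE" | summarize | awk -v k="$1 $2 $3" '($1 " " $2 " " $3) == k { print $4 }'
}

if [ "${1:-}" = "demo" ]; then
    mac_allow eth1 192.0.2.10 02:00:00:00:00:01
    gen_rules
    gen_split eth1 192.0.2.0/24 80
    echo "$SAMPLE" | summarize
fi
```

Run it as `sh accounting.sh demo` to see the generated commands and the parsed summary. Because the accounting rules carry no target, they never terminate rule traversal; they must sit before any ACCEPT or DROP in FORWARD that would otherwise end the packet's walk through the chain, or the counters stay at zero. The `-o/--sport` rules count anything arriving from the service port, not only replies to the client's own connections, so treat them as a rough per-service measure rather than a connection count. Read the counters with `iptables -t filter -vnxL FORWARD` and reset them with `iptables -t filter -Z FORWARD` when you want a fresh sampling window.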