From: "J. Bakshi" <joydeep@infoservices.in>
To: Marek Kierdelewicz <marek@piasta.pl>
Cc: netfilter@vger.kernel.org
Subject: Re: Hot to design syn-flood protection based on ip ?
Date: Tue, 01 Sep 2009 14:20:22 +0530 [thread overview]
Message-ID: <4A9CE04E.6020005@infoservices.in> (raw)
In-Reply-To: <20090901101216.06ced847@catlap>
Marek Kierdelewicz wrote:
> Hello,
>
>
>> Thanks a lot, what about this ruleset ?
>> iptables -A INPUT -p tcp --syn -m hashlimit \
>> --hashlimit 1/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000
>> \ --hashlimit-mode srcip --hashlimit-name testlimit -j ACCEPT
>> iptables -A INPUT -j DROP
>> The concept here the blocked ip doing the syn-flood will be blacklisted
>> for 5 min and will be checked again after that interval.
>>
>
> I think it won't work as a blacklist just drop syns that are above
> 1/sec. Option htable-expire is not for blacklisting but for setting
> timeframe in which hashlimit is operating (eg. it won't work well if you
> set htable-expire to 300s and have hashlimit set to 20/hour). To obtain
> desired effect you can use recent module (great work by Stephen Frost
> by the way):
>
> iptables -A INPUT -m recent --name blacklist --rcheck --seconds 300 \
> -j DROP
> iptables -A INPUT -p tcp --syn -m hashlimit \
> --hashlimit 1/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000\
> --hashlimit-mode srcip --hashlimit-name testlimit -j ACCEPT
> iptables -A INPUT -m recent --name blacklist --set -j DROP
>
> You can find more information about recent here:
> - http://snowman.net/projects/ipt_recent/
> - and in manpage;
>
> Best regards,
> Marek
>
Dear Marek,
millions and millions of thanks to you. You have provided the solution
which I was searching since looong. a syn-flood protection along with
IP-blacklist ( psad style arrangement) is something which I love to have
in my servers. I think I can modify my DROP rules where ever required
to pass it through blacklist as
````````````````````
iptables -A INPUT -m recent --name blacklist --set -j DROP
``````````````````````
and place
`````````````
iptables -A INPUT -m recent --name blacklist --rcheck --seconds 300 -j DROP
```````````````
at the beginning of my firewall rule set.
A great learning for me.
Marek once again thanks a lot.
prev parent reply other threads:[~2009-09-01 8:50 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-27 12:36 Hot to design syn-flood protection based on ip ? J. Bakshi
2009-09-01 6:28 ` J. Bakshi
2009-09-01 6:58 ` Marek Kierdelewicz
2009-09-01 7:38 ` J. Bakshi
2009-09-01 8:12 ` Marek Kierdelewicz
2009-09-01 8:50 ` J. Bakshi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A9CE04E.6020005@infoservices.in \
--to=joydeep@infoservices.in \
--cc=marek@piasta.pl \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.