* Allow client only 1 connect per 20 seconds
From: Adem @ 2008-11-25 18:38 UTC (permalink / raw)
To: netfilter
How would you code this rule in iptables:
If anybody tries to do more than 1 connection to port 8191
within 20 seconds, regardless of the protocol, then DROP
it and ignore any further connect attempts on that port
from that source for 20 seconds.
* Re: Allow client only 1 connect per 20 seconds
From: Adem @ 2008-11-25 20:07 UTC (permalink / raw)
To: netfilter
"Adem" wrote:
>
> How would you code this rule in iptables:
>
> If anybody tries to do more than 1 connection to port 8191
> within 20 seconds, regardless of the protocol, then DROP
> it and ignore any further connect attempts on that port
> from that source for 20 seconds.
The following should work, but it somehow doesn't work in iptables v1.4.1.1:
...
# if anybody from the list WATCHLIST, and in the last 20 sec, tries to do new connect attempts then DROP them!
/sbin/iptables -A INPUT --match recent --name WATCHLIST --rcheck --seconds 20 -j DROP
# accept client at port 8191 (all protocols) and register in WATCHLIST
# BUG: if "-p XXX" is left out or if instead "-p all" is used then the rule gets eliminated!
/sbin/iptables -A INPUT -p all --dport 8191 --match recent --name WATCHLIST --set -j DROP
...
It works only if "-p tcp" is specified.
Isn't that a bug in iptables?
* Re: Allow client only 1 connect per 20 seconds
From: Matt Zagrabelny @ 2008-11-25 20:20 UTC (permalink / raw)
To: Adem; +Cc: netfilter
On Tue, 2008-11-25 at 21:07 +0100, Adem wrote:
> "Adem" wrote:
> >
> > How would you code this rule in iptables:
> >
> > If anybody tries to do more than 1 connection to port 8191
> > within 20 seconds, regardless of the protocol, then DROP
> > it and ignore any further connect attempts on that port
> > from that source for 20 seconds.
>
> The following should work, but it somehow doesn't work in iptables v1.4.1.1:
> ...
> # if anybody from the list WATCHLIST, and in the last 20 sec, tries to do new connect attempts then DROP them!
> /sbin/iptables -A INPUT --match recent --name WATCHLIST --rcheck --seconds 20 -j DROP
>
> # accept client at port 8191 (all protocols) and register in WATCHLIST
> # BUG: if "-p XXX" is left out or if instead "-p all" is used then the rule gets eliminated!
> /sbin/iptables -A INPUT -p all --dport 8191 --match recent --name WATCHLIST --set -j DROP
> ...
>
> It works only if "-p tcp" is specified.
From the man page:
These extensions can be used if ‘--protocol tcp’ is specified.
These extensions can be used if ‘--protocol udp’ is specified.
Hence, these extensions cannot be used with '--protocol all'.
So, it looks like you will need to double the number of rules you have.
> Isn't that a bug in iptables?
Doesn't look like it.
--
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2
He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
* Re: Allow client only 1 connect per 20 seconds
From: Matt Zagrabelny @ 2008-11-25 20:21 UTC (permalink / raw)
To: Adem; +Cc: netfilter
On Tue, 2008-11-25 at 19:38 +0100, Adem wrote:
> How would you code this rule in iptables:
>
> If anybody tries to do more than 1 connection to port 8191
> within 20 seconds, regardless of the protocol, then DROP
> it and ignore any further connect attempts on that port
> from that source for 20 seconds.
NOTE: this is completely untested:
iptables -A INPUT -p tcp --dport 8191 --match state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 8191 --match state --state NEW --match recent --name THROTTLE --set
iptables -A INPUT -p tcp --dport 8191 --match state --state NEW --match recent --name THROTTLE --update --seconds 20 --hitcount 2 --rttl -j DROP
Same rules for '-p udp'.
Cheers,
--
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2
He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
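To see what the --set / --update --seconds 20 --hitcount 2 --rttl pair in the rules above actually does to a stream of NEW connections, here is a small simulation of the recent match as an added example; it is not code from this thread or from netfilter, and it simplifies xt_recent's TTL bookkeeping to "the entry remembers the TTL of the packet that created it" (names such as RecentTable and throttle are invented for the example).

```python
WINDOW = 20      # --seconds 20
HITCOUNT = 2     # --hitcount 2
MAX_STAMPS = 20  # xt_recent keeps at most ip_pkt_list_tot (default 20) timestamps per entry


class RecentTable:
    """Simplified model of one xt_recent list (e.g. --name THROTTLE)."""

    def __init__(self):
        self.entries = {}  # src -> {"ttl": int, "stamps": [time, ...]}

    def set(self, src, now, ttl):
        # --set: create the entry on first sight, then record this packet's time.
        e = self.entries.setdefault(src, {"ttl": ttl, "stamps": []})
        e["stamps"].append(now)
        del e["stamps"][:-MAX_STAMPS]

    def update(self, src, now, ttl, seconds=WINDOW, hitcount=HITCOUNT, rttl=True):
        # --update --seconds S --hitcount N [--rttl]: match if the entry has at
        # least N timestamps within the last S seconds; on a match the current
        # time is recorded too, so every blocked attempt extends the block.
        # --rttl (simplified): a packet whose TTL differs from the entry's does not match.
        e = self.entries.get(src)
        if e is None or (rttl and e["ttl"] != ttl):
            return False
        hits = sum(1 for s in e["stamps"] if s >= now - seconds)
        if hits >= hitcount:
            e["stamps"].append(now)
            return True
        return False


def throttle(new_connections):
    """Apply the two NEW-state rules to (time, src, ttl) events.

    "PASS" means the packet fell through to the rest of the chain,
    "DROP" means the --update rule fired."""
    table = RecentTable()
    verdicts = []
    for now, src, ttl in new_connections:
        table.set(src, now, ttl)               # rule 2: --set (no target)
        dropped = table.update(src, now, ttl)  # rule 3: --update ... -j DROP
        verdicts.append("DROP" if dropped else "PASS")
    return verdicts


# Constructed sample: A keeps reconnecting, B connects once; the packet at
# 61 s claims A's address with a different TTL (what --rttl is meant to ignore).
SAMPLE = [(0, "A", 64), (3, "B", 64), (5, "A", 64), (15, "A", 64),
          (30, "A", 64), (60, "A", 64), (61, "A", 55), (62, "A", 64)]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, throttle(SAMPLE)):
        print(event, verdict)
```

Note that the 20-second window is measured from the last recorded attempt, not from the first accepted one, so a client that keeps retrying stays blocked until it has been quiet for 20 seconds.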
* Re: Allow client only 1 connect per 20 seconds
From: Paul Evans @ 2008-11-26 10:55 UTC (permalink / raw)
To: Adem; +Cc: netfilter
On Tue, 25 Nov 2008 21:07:13 +0100
"Adem" <for-gmane@alicewho.com> wrote:
> It works only if "-p tcp" is specified.
> Isn't that a bug in iptables?
Port numbers only make sense in some higher-level protocols built on
top of IP, such as TCP and UDP. What would the "port number" be of an
ICMP packet, or an AH or ESP IPsec header, or any of these other
ideas..?
--
Paul Evans <paul@mxtelecom.com>
Tel: +44 (0) 845 666 7778
Fax: +44 (0) 870 163 4694
http://www.mxtelecom.com