* Doubts in netfilter limit match
From: Balaji Venkatamohan @ 2009-10-13 17:17 UTC
To: netfilter-devel
Hi,
I want to know how the limit match works. When we are trying to restrict
the number of packets sent by a particular IP to, say, 3 / hour, we use an
iptables rule like
iptables -A INPUT -s 127.0.0.1 -m limit --limit-burst 5
I want to know how and where the count is stored. Are they checked for
previous entries using netfilter log? Also, can you please tell me the .c
file in the netfilter source code which deals with handling various match
and target extensions. If you can send me a link to any tutorial that
deals with Linux network programming then that will be great.
Thanks and Regards,
Balaji
* Re: Doubts in netfilter limit match
From: arulgobinath emmanuel @ 2009-10-13 17:46 UTC
To: Balaji Venkatamohan; +Cc: netfilter-devel
Hi,
I'm not an expert in netfilter & new to this mailing-list also :) but
I had come across a situation to defend against DDoS using iptables.
I used the recent module:
"if one host creates more than 20 sessions during 100 seconds, drop
the packet."
iptables -I FORWARD -p tcp --dport 80 -i bridge0 -m state --state NEW -m recent --set
iptables -I FORWARD -p tcp --dport 80 -i bridge0 -m state --state NEW -m recent --update --seconds 100 --hitcount 20 -j DROP
source code:
http://www.il.is.s.u-tokyo.ac.jp/lxr-xp/source/net/netfilter/xt_recent.c
(other netfilter code is also available)
The hit file is saved here:
/proc/net/xt_recent/DEFAULT
I hope this will help you.
Regards,
Gobinath.
On Tue, Oct 13, 2009 at 10:47 PM, Balaji Venkatamohan <bvenkat@ncsu.edu> wrote:
> Hi,
>
> I want to know how the limit match works. When we are trying to restrict
> the number of packets sent by a particular IP to, say, 3 / hour, we use an
> iptables rule like
>
> iptables -A INPUT -s 127.0.0.1 -m limit --limit-burst 5
>
> I want to know how and where the count is stored. Are they checked for
> previous entries using netfilter log? Also, can you please tell me the .c
> file in the netfilter source code which deals with handling various match
> and target extensions. If you can send me a link to any tutorial that
> deals with Linux network programming then that will be great.
>
> Thanks and Regards,
> Balaji
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: Doubts in netfilter limit match
From: Jan Engelhardt @ 2009-10-13 20:25 UTC
To: Balaji Venkatamohan; +Cc: Netfilter Developer Mailing List
>iptables -A INPUT -s 127.0.0.1 -m limit --limit-burst 5
>I want to know how and where the count is stored. Are they checked for
>previous entries using netfilter log?
The count is stored within the private data associated with each
-m limit instance. Actually it's not a count but some bucket fill level
value. See xt_limit.c for details.
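The bucket fill level Jan describes, as an added C model for the thread's 3/hour, burst 5 rule; it is not part of this thread or of xt_limit.c, replaces jiffies with a caller-supplied millisecond clock, and uses the hypothetical names limit_bucket, limit_init, limit_match and limit_demo.

```c
/* Token-bucket model of iptables' -m limit (added illustration, not a copy of
 * xt_limit.c). Credit is elapsed time in ms: it accrues at one unit per ms,
 * each matched packet costs the average inter-packet interval, and the fill
 * level is capped at interval * burst. Names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
struct limit_bucket {
    uint64_t prev_ms;    /* clock value at the last top-up (xt_limit's "prev") */
    uint64_t credit;     /* current fill level, in ms of accumulated time */
    uint64_t credit_cap; /* burst ceiling: cost * burst */
    uint64_t cost;       /* ms of credit consumed per matched packet */
};
/* "packets per period_ms, burst deep"; the bucket starts full like the kernel's. */
static void limit_init(struct limit_bucket *b, uint64_t packets,
                       uint64_t period_ms, uint32_t burst, uint64_t now_ms)
{
    b->cost = period_ms / packets;   /* average interval between packets */
    b->credit_cap = b->cost * burst;
    b->credit = b->credit_cap;
    b->prev_ms = now_ms;
}
/* One packet at now_ms: top up, cap, then try to pay; true means "within rate". */
static bool limit_match(struct limit_bucket *b, uint64_t now_ms)
{
    b->credit += now_ms - b->prev_ms;  /* credit grows with elapsed time */
    b->prev_ms = now_ms;
    if (b->credit > b->credit_cap)
        b->credit = b->credit_cap;     /* idle time never exceeds the burst */
    if (b->credit < b->cost)
        return false;                  /* bucket empty: the match fails */
    b->credit -= b->cost;
    return true;
}
/* Constructed trace for "3/hour, burst 5": six back-to-back packets, one after
 * 10 minutes, two at 20 minutes. Returns how many of the nine matched. */
static size_t limit_demo(void)
{
    static const uint64_t trace[] = {0, 0, 0, 0, 0, 0, 600000, 1200000, 1200000};
    struct limit_bucket b;
    size_t matched = 0;
    limit_init(&b, 3, 3600000, 5, 0);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        matched += limit_match(&b, trace[i]);
    return matched;  /* 5 from the full bucket, then 1 once 20 min of credit accrued */
}
int main(void)
{
    printf("%zu of 9 packets matched\n", limit_demo());  /* prints "6 of 9 ..." */
    return 0;
}
```

Nothing is looked up in a log: the only state is the per-rule bucket, so a counter that resets per packet burst is all the kernel keeps.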