From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@lists.netfilter.org
Subject: Re: Aren't these connections ESTABILISHED? (2nd take)
Date: Sat, 1 Oct 2005 19:07:26 -0500 [thread overview]
Message-ID: <200510011907.27026.rob0@gmx.co.uk> (raw)
In-Reply-To: <dhmn38$hsk$1@sea.gmane.org>
On Saturday 2005-October-01 14:12, Gioele Barabucci wrote:
> I spend the last weeks doing experiments with iptables but still I
> have problems with connections that should be ESTABILISHED but are
You have it spelled correctly in the script, but perhaps you should
check again. ESTABLISHED != ESTABILISHED. I am not sure if iptables
would complain about that or not, but it's always safest to spell
things correctly. :)
> not.
>
> Postfix does some DNS lookups on the DNS server (69.93.28.254). After
FWIW: my Postfices do tons of DNS lookups, so much so, that I would
never run without a caching nameserver on the same machine.
> a bit, iptables forget that the connection is ESTABILISHED and DROPs
> the reply.
When that happens you might want to check the conntrack table. Perhaps
even script something to run from -j ULOG when a packet is dropped.
Is anything not working? I have a feeling these are just occasional
strays that ip_conntrack isn't catching for some reason.
> My logs are full of dropped packets like these
> 05:32:33 69.93.28.254 53 myIP 2755 UDP
You *are* getting these from netfilter logs, correct? You have just
removed all the superfluous information for readability?
> Here is my ruleset (BTW, I did not test much the "limit SMTP trafic",
> do you think that it is correct?)
snip
> echo "Limit smtp traffic"
> iptables -I INPUT -p tcp --dport smtp -i eth0 -m state --state NEW -m
> recent --set
> iptables -I INPUT -p tcp --dport smtp -i eth0 -m state --state NEW -m
> recent --update --seconds 30 --hitcount 4 -j DROP
I have not yet used -m recent. Without RTFM it looks like you are
wanting to limit to limit any IP to 4 new connections per 30 second
period. If the problem is dictionary attacks be advised that this might
not help at all. The attacker could be attempting as many as
smtpd_recipient_limit (default 1000) usernames in a single session.
Also, I'm not sure it would do anything at all, because there cannot be
that many --state NEW connections in such a short time. Conntrack would
call those "RELATED". I think you should try --syn, not --state NEW.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
next prev parent reply other threads:[~2005-10-02 0:07 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-01 19:12 Aren't these connections ESTABILISHED? (2nd take) Gioele Barabucci
2005-10-02 0:07 ` /dev/rob0 [this message]
2005-10-02 2:16 ` Henrik Nordstrom
2005-10-02 4:48 ` Robert Nichols
2005-10-02 10:18 ` Henrik Nordstrom
2005-10-02 13:38 ` Jozsef Kadlecsik
2005-10-02 14:44 ` Henrik Nordstrom
2005-10-02 20:23 ` Jozsef Kadlecsik
2005-10-02 21:08 ` Jozsef Kadlecsik
2005-10-03 8:30 ` Henrik Nordstrom
2005-10-03 8:24 ` Henrik Nordstrom
2005-10-02 19:16 ` /dev/rob0
2005-10-02 20:38 ` Jozsef Kadlecsik
2005-10-02 21:13 ` /dev/rob0
2005-10-03 11:48 ` Henrik Nordstrom
2005-10-03 11:44 ` Henrik Nordstrom
2005-10-04 13:19 ` Jozsef Kadlecsik
2005-10-02 18:11 ` Gioele Barabucci
2005-10-02 2:02 ` Henrik Nordstrom
2005-10-02 17:45 ` Gioele Barabucci
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200510011907.27026.rob0@gmx.co.uk \
--to=rob0@gmx.co.uk \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox