From: Mihamina Rakotomandimby <mihamina@gulfsat.mg>
To: netfilter@vger.kernel.org
Subject: connlimit and NEW state
Date: Thu, 10 Jun 2010 08:50:55 +0300
Message-ID: <20100610085055.246b64f3@pbmiha.malagasy.com>
Manao ahoana, Hello, Bonjour,
I have a piece of software, *like* http://coova.org/ (access controller) but old
and proprietary, that allows people to connect to the Internet after
identifying through a web form.
If the user is not identified, when he tries to browse the Internet, he is
redirected to the identification web form. Identification is possible
only via the web form.
The problem is there are some users trying to DOS by overloading the
redirection.
I set up a filtering bridge before the access controller in order to
limit triggering the web redirection. I put a very basic rule:
$ sudo brctl show
bridge name     interfaces
br0             eth1 eth2

#!/bin/bash
CLIENTS1=eth1             # bridge port facing the clients
ACCESS_CONTROLLER=eth2    # bridge port facing the access controller

# Every new TCP connection entering the bridge from the client port
# goes to the user-defined chain "connlimit"
iptables -A FORWARD -i br0 \
    -m physdev --physdev-in $CLIENTS1 \
    -p tcp -m state --state NEW -j connlimit
[...]
# Drop the new connection if its source already has more than 15
# connections tracked
iptables -A connlimit -m connlimit \
    --connlimit-above 15 -j DROP
This seems to limit the DOS, and the results are quite satisfying to me.
I limit NEW connections to 15 parallel ones. Is it really "real time"?
I guess there is a time interval, but did not find how tiny it is (1
second? 1 millisecond?...)
Misaotra, Thanks, Merci.
--
IT Architect at Blueline/Gulfsat:
System Administration, Research & Development
+261 3456 000 19
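As an added illustration of what the connlimit rule above actually measures (this is not part of the original post and not code from the netfilter project): connlimit does not work on a time interval at all. When a NEW packet arrives it counts the conntrack entries that the packet's source (or source block, with --connlimit-mask) has at that instant, and the entry count only goes down when a connection closes or its conntrack timeout expires. The script below does the same count over the text layout of /proc/net/nf_conntrack, so an operator can see which client sources are near the threshold. The conntrack lines, addresses and the helper names (conntrack_line, count_per_source, sources_above) are constructed for the example.

```python
"""Count tracked connections per client source the way connlimit does.

Added example: parses nf_conntrack-style lines and counts the connections
each source currently has, applying an optional mask like --connlimit-mask.
There is no time window in this count; it is simply the number of conntrack
entries that exist when you look.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# The first "src=" on a conntrack line is the original direction of the
# flow, i.e. the client that opened the connection.
_SRC_RE = re.compile(r"\bsrc=(\S+)")


def source_of(line: str) -> Optional[str]:
    """Client source address of one conntrack line, or None if malformed."""
    m = _SRC_RE.search(line)
    return m.group(1) if m else None


def count_per_source(lines: Iterable[str], mask: int = 32) -> Dict[str, int]:
    """Return {network: count} of conntrack entries per source/mask."""
    counts: Counter = Counter()
    for line in lines:
        src = source_of(line)
        if src is None:
            continue
        # strict=False keeps host bits, so 10.1.1.7/24 becomes 10.1.1.0/24
        net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def sources_above(lines: Iterable[str], limit: int = 15, mask: int = 32) -> Dict[str, int]:
    """Sources whose current count exceeds limit: what --connlimit-above matches."""
    return {net: n for net, n in count_per_source(lines, mask).items() if n > limit}


def conntrack_line(src: str, sport: int, state: str = "ESTABLISHED",
                   dst: str = "198.51.100.10", dport: int = 80) -> str:
    """Build a constructed line in the layout of /proc/net/nf_conntrack."""
    unreplied = " [UNREPLIED]" if state == "SYN_SENT" else ""
    return (f"ipv4     2 tcp      6 120 {state} "
            f"src={src} dst={dst} sport={sport} dport={dport}{unreplied} "
            f"src={dst} dst={src} sport={dport} dport={sport} mark=0 use=1")


# Constructed table: one client holding 16 half-open connections (the shape
# of a redirect flood), one with 3 established, and two from a second /24.
SAMPLE = (
    [conntrack_line("10.1.1.7", 40000 + i, "SYN_SENT") for i in range(16)]
    + [conntrack_line("10.1.1.8", 50000 + i) for i in range(3)]
    + [conntrack_line("10.1.2.9", 60000 + i) for i in range(2)]
)

if __name__ == "__main__":
    for net, n in sorted(count_per_source(SAMPLE).items()):
        print(f"{net:<18} {n}")
    print("above 15 per host:", sources_above(SAMPLE))
    print("above 15 per /24: ", sources_above(SAMPLE, mask=24))
```

On a real bridge, feed it `open("/proc/net/nf_conntrack")` instead of SAMPLE; the per-host count is what the rule compares against 15, and the half-open SYN_SENT entries keep counting until their conntrack timeout runs out, which is why the limit feels immediate rather than interval-based.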