question on rating SYN packets

question on rating SYN packets

[Leonardo Rodrigues Magalhães]

    Hello Guys,

    I'm trying to modify my script firewalls for not allowing a LOT of
connections being established on a specific port in a very small period of
time. I know I could easily do this using a rule like:

iptables -A INPUT -p tcp --dport XX -m state --state NEW -m limit --limit
Y/s -j ACCEPT


    Altough, with this rule, I would be globally limiting connections for
that specific port in Y connections per second. I would like to know if it's
possible building a rule that would allow, for example, 1 SYN packet per
second PER host. In this case, I wouldnt have a 'global' limit of SYN
packets. In fact, I would have a SYN limitation for EACH host.

    Question: is it possible for building a rule like this ? Is there any
filter on patch-o-matic tree that would allow this kind of rule ?


    Sincerily,
    Leonardo Rodrigues
    Soluções IP

Re: question on rating SYN packets

[uniplex]

Leonardo Rodrigues Magalhães wrote:
>     Hello Guys,
> 
>     I'm trying to modify my script firewalls for not allowing a LOT of
> connections being established on a specific port in a very small period of
> time. I know I could easily do this using a rule like:
> 
> iptables -A INPUT -p tcp --dport XX -m state --state NEW -m limit --limit
> Y/s -j ACCEPT
> 
> 
>     Altough, with this rule, I would be globally limiting connections for
> that specific port in Y connections per second. I would like to know if it's
> possible building a rule that would allow, for example, 1 SYN packet per
> second PER host. In this case, I wouldnt have a 'global' limit of SYN
> packets. In fact, I would have a SYN limitation for EACH host.
> 
>     Question: is it possible for building a rule like this ? Is there any
> filter on patch-o-matic tree that would allow this kind of rule ?
> 
> 
>     Sincerily,
>     Leonardo Rodrigues
>     Soluções IP
> 
> 
> 
> 

this doesn't do rate limiting but it does limit the number of parallel 
connections from any one IP address. This example limits parallel 
connections to 10 per IP.

iptables -A INPUT -i eth0 -p tcp --syn --dport XX -m iplimit 
-iplimit-above 10 -j DROP

Re: question on rating SYN packets

[Leonardo Rodrigues Magalhães]

    I already do limit of parallel connections. But I'd also like to limit
the number of NEW connections from EACH host.

    Let's suppose I'll allow 10 parallel connections per host per port.
That's easy with iplimit. But I'd also like to limit 1 new connection per
second. So a single host wouldnt establish 10 new connections in 1 second,
for example. I'd like to allow 10 connections in parallel ( iplimit does
this ) and 1 new connection per second PER host ( this I dont know how to
do ).

    Is this possible, somehow, with iptables ?

    Sincerily,
    Leonardo Rodrigues

----- Original Message -----
From: "uniplex" <uniplex@maximum-linux.net>
To: "Leonardo Rodrigues Magalhães" <leolistas@solucoesip.net>
Cc: "netfilter ML" <netfilter@lists.samba.org>
Sent: Friday, February 07, 2003 4:48 PM
Subject: Re: question on rating SYN packets


Leonardo Rodrigues Magalhães wrote:
>     Hello Guys,
>
>     I'm trying to modify my script firewalls for not allowing a LOT of
> connections being established on a specific port in a very small period of
> time. I know I could easily do this using a rule like:
>
> iptables -A INPUT -p tcp --dport XX -m state --state NEW -m limit --limit
> Y/s -j ACCEPT
>     Altough, with this rule, I would be globally limiting connections for
> that specific port in Y connections per second. I would like to know if
it's
> possible building a rule that would allow, for example, 1 SYN packet per
> second PER host. In this case, I wouldnt have a 'global' limit of SYN
> packets. In fact, I would have a SYN limitation for EACH host.
>
>     Question: is it possible for building a rule like this ? Is there any
> filter on patch-o-matic tree that would allow this kind of rule ?
>
>

this doesn't do rate limiting but it does limit the number of parallel
connections from any one IP address. This example limits parallel
connections to 10 per IP.

iptables -A INPUT -i eth0 -p tcp --syn --dport XX -m iplimit
-iplimit-above 10 -j DROP

Re: question on rating SYN packets

[uniplex]

Leonardo Rodrigues Magalhães wrote:
>     I already do limit of parallel connections. But I'd also like to limit
> the number of NEW connections from EACH host.
> 
>     Let's suppose I'll allow 10 parallel connections per host per port.
> That's easy with iplimit. But I'd also like to limit 1 new connection per
> second. So a single host wouldnt establish 10 new connections in 1 second,
> for example. I'd like to allow 10 connections in parallel ( iplimit does
> this ) and 1 new connection per second PER host ( this I dont know how to
> do ).
> 
>     Is this possible, somehow, with iptables ?
> 
>     Sincerily,
>     Leonardo Rodrigues

iptables -N synlimit
iptables -A INPUT -i eth0 -p tcp --dport 80 -j synlimit
iptables -A synlimit -m recent --rcheck --seconds 1 --name onesec -j DROP
iptables -A synlimit -m iplimit --iplimit-above 10 -j DROP
iptables -A synlimit -m recent --update --name onesec -j ACCEPT

I don't know if this would work, but it's my best guess.. gl.