From: "J. Bakshi" <joydeep@infoservices.in>
To: Marek Kierdelewicz <marek@piasta.pl>
Cc: netfilter@vger.kernel.org
Subject: Re: Hot to design syn-flood protection based on ip ?
Date: Tue, 01 Sep 2009 14:20:22 +0530 [thread overview]
Message-ID: <4A9CE04E.6020005@infoservices.in> (raw)
In-Reply-To: <20090901101216.06ced847@catlap>
Marek Kierdelewicz wrote:
> Hello,
>
>
>> Thanks a lot, what about this ruleset ?
>> iptables -A INPUT -p tcp --syn -m hashlimit \
>> --hashlimit 1/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000
>> \ --hashlimit-mode srcip --hashlimit-name testlimit -j ACCEPT
>> iptables -A INPUT -j DROP
>> The concept here the blocked ip doing the syn-flood will be blacklisted
>> for 5 min and will be checked again after that interval.
>>
>
> I think it won't work as a blacklist just drop syns that are above
> 1/sec. Option htable-expire is not for blacklisting but for setting
> timeframe in which hashlimit is operating (eg. it won't work well if you
> set htable-expire to 300s and have hashlimit set to 20/hour). To obtain
> desired effect you can use recent module (great work by Stephen Frost
> by the way):
>
> iptables -A INPUT -m recent --name blacklist --rcheck --seconds 300 \
> -j DROP
> iptables -A INPUT -p tcp --syn -m hashlimit \
> --hashlimit 1/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000\
> --hashlimit-mode srcip --hashlimit-name testlimit -j ACCEPT
> iptables -A INPUT -m recent --name blacklist --set -j DROP
>
> You can find more information about recent here:
> - http://snowman.net/projects/ipt_recent/
> - and in manpage;
>
> Best regards,
> Marek
>
Dear Marek,
millions and millions of thanks to you. You have provided the solution
which I was searching since looong. a syn-flood protection along with
IP-blacklist ( psad style arrangement) is something which I love to have
in my servers. I think I can modify my DROP rules where ever required
to pass it through blacklist as
````````````````````
iptables -A INPUT -m recent --name blacklist --set -j DROP
``````````````````````
and place
`````````````
iptables -A INPUT -m recent --name blacklist --rcheck --seconds 300 -j DROP
```````````````
at the beginning of my firewall rule set.
A great learning for me.
Marek once again thanks a lot.
prev parent reply other threads:[~2009-09-01 8:50 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-27 12:36 Hot to design syn-flood protection based on ip ? J. Bakshi
2009-09-01 6:28 ` J. Bakshi
2009-09-01 6:58 ` Marek Kierdelewicz
2009-09-01 7:38 ` J. Bakshi
2009-09-01 8:12 ` Marek Kierdelewicz
2009-09-01 8:50 ` J. Bakshi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A9CE04E.6020005@infoservices.in \
--to=joydeep@infoservices.in \
--cc=marek@piasta.pl \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox