IPtables rate limiting question

IPtables rate limiting question

[Francisco Agostinho]

Hello, I'm trying to implement a rate limiting for my machine using
iptables. The use case is to do 2 things:

1) block traffic from the same ip+port combination for 15 minutes if
it gets more than 10 hits per minute.

2) block traffic from the same ip for 30 minutes if it gets more than
80 hits per minute.

For this I'm currently using these rules:

1) -A PREROUTING -p tcp -m tcp -m state --state NEW -m hashlimit
--hashlimit-above 10/minute --hashlimit-burst 10 --hashlimit-mode
srcip,dstport --hashlimit-name test10 --hashlimit-htable-expire 900000
-j ACCEPT

2) -A PREROUTING -p tcp -m tcp -m state --state NEW -m hashlimit
--hashlimit-above 80/minute --hashlimit-burst 80 --hashlimit-mode
srcip --hashlimit-name test80 --hashlimit-htable-expire 1800000 -j
ACCEPT

But it's not quite working, as soon as it gets on the list, if you get
another hit the timer gets reset to the default expire time and it
gets blocked on the first try even if after the expire. So are there
any suggestions on how to achieve the use case or what i'm doing
wrong?

Thank you,
Francisco

Re: IPtables rate limiting question

[Kerin Millar]

On Fri, 25 Oct 2024, at 4:19 PM, Francisco Agostinho wrote:
> Hello, I'm trying to implement a rate limiting for my machine using
> iptables. The use case is to do 2 things:
>
> 1) block traffic from the same ip+port combination for 15 minutes if
> it gets more than 10 hits per minute.
>
> 2) block traffic from the same ip for 30 minutes if it gets more than
> 80 hits per minute.
>
> For this I'm currently using these rules:
>
> 1) -A PREROUTING -p tcp -m tcp -m state --state NEW -m hashlimit
> --hashlimit-above 10/minute --hashlimit-burst 10 --hashlimit-mode
> srcip,dstport --hashlimit-name test10 --hashlimit-htable-expire 900000
> -j ACCEPT
>
> 2) -A PREROUTING -p tcp -m tcp -m state --state NEW -m hashlimit
> --hashlimit-above 80/minute --hashlimit-burst 80 --hashlimit-mode
> srcip --hashlimit-name test80 --hashlimit-htable-expire 1800000 -j
> ACCEPT

Why is --hashlimit-above being combined with a verdict of ACCEPT?

>
> But it's not quite working, as soon as it gets on the list, if you get
> another hit the timer gets reset to the default expire time and it
> gets blocked on the first try even if after the expire. So are there
> any suggestions on how to achieve the use case or what i'm doing
> wrong?

I would suggest disentangling all three of the following concerns:

- determining whether a rate limit has been exceeded
- adding to a set of banned addresses (with attached timeout values)
- consulting the set to determine whether a given address has been banned

To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:limitban - [0:0]
-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
-A limitban -m set --match-set banned src -j DROP
-A limitban -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip --hashlimit-name test10 -j SET --add-set banned src --timeout 900
-A limitban -m hashlimit --hashlimit-above 80/min --hashlimit-mode srcip --hashlimit-name test80 -j SET --add-set banned src
-A limitban -m set --match-set banned src -j DROP
COMMIT

For this ruleset to be loadable, you'll first need to create the ipset that it references.

# ipset create banned hash:ip timeout 1800

-- 
Kerin Millar

Re: IPtables rate limiting question

[Slavko]

Dňa 25. októbra 2024 18:12:56 UTC používateľ Kerin Millar <kfm@plushkava.net> napísal:

>To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.
>
>*raw
>:PREROUTING ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>:limitban - [0:0]
>-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban

Please will conntrack really works in raw table? I live in that raw table
happens before conntrack...

regards


-- 
Slavko
https://www.slavino.sk/

Re: IPtables rate limiting question

[Kerin Millar]

On Fri, 25 Oct 2024, at 9:13 PM, Slavko wrote:
> Dňa 25. októbra 2024 18:12:56 UTC používateľ Kerin Millar 
> <kfm@plushkava.net> napísal:
>
>>To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.
>>
>>*raw
>>:PREROUTING ACCEPT [0:0]
>>:OUTPUT ACCEPT [0:0]
>>:limitban - [0:0]
>>-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
>
> Please will conntrack really works in raw table? I live in that raw table
> happens before conntrack...

Probably not. The poster did not say which table they are using, nor explain why they were matching on the NEW state to begin with. It seems probable that "hit" was meant as an attempt to open a TCP connection and would hope that "PREROUTING" was a reference to the raw table. Based on that, let's say that it should instead be -p tcp --syn.

-- 
Kerin Millar

Re: IPtables rate limiting question

[Reindl Harald]

Am 25.10.24 um 23:37 schrieb Kerin Millar:
> On Fri, 25 Oct 2024, at 9:13 PM, Slavko wrote:
>> Dňa 25. októbra 2024 18:12:56 UTC používateľ Kerin Millar
>> <kfm@plushkava.net> napísal:
>>
>>> To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.
>>>
>>> *raw
>>> :PREROUTING ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>> :limitban - [0:0]
>>> -A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
>>
>> Please will conntrack really works in raw table? I live in that raw table
>> happens before conntrack...
> 
> Probably not

for sure not

The poster did not say which table they are using

he did! >>> *raw

what makes sense in the context of ipset is that the DROP rules are in 
the RAW table because at this point the decision is already made and 
there is no vaild reason to bother conntrack

so a first step you get your ratelimit with ipsets / timeouts done and 
finally place the drop rule which hits when the IP is in the ipset into 
the raw-table

the greatest benefit of ipsets: the are working cross tables

"--ctstate NEW" is completly irrelevant in the context auf ratelimits 
because your ruleset shoud always start with ACCEPT est/related und DROP 
invalid and so everything below can be only a new connection by definition

Re: IPtables rate limiting question

[Kerin Millar]

On Sat, 26 Oct 2024, at 11:23 AM, Reindl Harald wrote:
> Am 25.10.24 um 23:37 schrieb Kerin Millar:
>> On Fri, 25 Oct 2024, at 9:13 PM, Slavko wrote:
>>> Dňa 25. októbra 2024 18:12:56 UTC používateľ Kerin Millar
>>> <kfm@plushkava.net> napísal:
>>>
>>>> To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.
>>>>
>>>> *raw
>>>> :PREROUTING ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [0:0]
>>>> :limitban - [0:0]
>>>> -A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
>>>
>>> Please will conntrack really works in raw table? I live in that raw table
>>> happens before conntrack...
>> 
>> Probably not
>
> for sure not
>
> The poster did not say which table they are using
>
> he did! >>> *raw

He (Francisco) certainly did not. It was I that wrote "*raw" and to whom Slavko was replying.

-- 
Kerin Millar

Re: IPtables rate limiting question

[Reindl Harald]

Am 26.10.24 um 13:05 schrieb Kerin Millar:
> On Sat, 26 Oct 2024, at 11:23 AM, Reindl Harald wrote:
>> Am 25.10.24 um 23:37 schrieb Kerin Millar:
>>> On Fri, 25 Oct 2024, at 9:13 PM, Slavko wrote:
>>>> Dňa 25. októbra 2024 18:12:56 UTC používateľ Kerin Millar
>>>> <kfm@plushkava.net> napísal:
>>>>
>>>>> To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.
>>>>>
>>>>> *raw
>>>>> :PREROUTING ACCEPT [0:0]
>>>>> :OUTPUT ACCEPT [0:0]
>>>>> :limitban - [0:0]
>>>>> -A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
>>>>
>>>> Please will conntrack really works in raw table? I live in that raw table
>>>> happens before conntrack...
>>>
>>> Probably not
>>
>> for sure not
>>
>> The poster did not say which table they are using
>>
>> he did! >>> *raw
> 
> He (Francisco) certainly did not. It was I that wrote "*raw" and to whom Slavko was replying
anyways - "--ctstate" is nonsense in RAW and everybody should know that
the whole point of RAW ist to bypass conntrack

the whole conntrack stuff is misplaced in case of rate limiting - at 
that point all packets which belog to existing connections are already 
accepted by a conntrack rule at the begin

you fill your ipsets after conntrack did it's job and the DROP rule 
don't need any ctstate - after the decision this IP has to be banned was 
made it don't matter which state a packet has

hence THIS rule belongs to RAW to bypass conntrack

Re: IPtables rate limiting question

[Francisco Agostinho]

>*raw
>:PREROUTING ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>:limitban - [0:0]
>-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
>-A limitban -m set --match-set banned src -j DROP
>-A limitban -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip --hashlimit-name test10 -j SET --add-set banned src --timeout 900
>-A limitban -m hashlimit --hashlimit-above 80/min --hashlimit-mode srcip --hashlimit-name test80 -j SET --add-set banned src
>-A limitban -m set --match-set banned src -j DROP
>COMMIT

>For this ruleset to be loadable, you'll first need to create the ipset that it references.

># ipset create banned hash:ip timeout 1800

Regarding not mentioning the tables, I was using *nat table for the
PREROUTING and before tried to use the DROP rules on the *filter
table, which was not dropping the traffic.

Ok so the ipset suggestion worked! The current setup that worked is
putting the DROP rules on the *raw table PREROUTING and the SET rules
on the *nat table PREROUTING. Also created 1 ipset for each use case.

Thank you very much for the help!
On Thu, Oct 31, 2024 at 11:54 AM Francisco Agostinho
<f.agostinho123@gmail.com> wrote:
>
> >*raw
> >:PREROUTING ACCEPT [0:0]
> >:OUTPUT ACCEPT [0:0]
> >:limitban - [0:0]
> >-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
> >-A limitban -m set --match-set banned src -j DROP
> >-A limitban -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip --hashlimit-name test10 -j SET --add-set banned src --timeout 900
> >-A limitban -m hashlimit --hashlimit-above 80/min --hashlimit-mode srcip --hashlimit-name test80 -j SET --add-set banned src
> >-A limitban -m set --match-set banned src -j DROP
> >COMMIT
>
> >For this ruleset to be loadable, you'll first need to create the ipset that it references.
>
> ># ipset create banned hash:ip timeout 1800
>
> Regarding not mentioning the tables, I was using *nat table for the
> PREROUTING and before tried to use the DROP rules on the *filter
> table, which was not dropping the traffic.
>
> Ok so the ipset suggestion worked! The current setup that worked is
> putting the DROP rules on the *raw table PREROUTING and the SET rules
> on the *nat table PREROUTING. Also created 1 ipset for each use case.
>
> Thank you very much for the help!
>
> <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
> Sem vírus.www.avg.com
> <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>
> On Fri, Oct 25, 2024 at 7:14 PM Kerin Millar <kfm@plushkava.net> wrote:
> >
> > On Fri, 25 Oct 2024, at 4:19 PM, Francisco Agostinho wrote:
> > > Hello, I'm trying to implement a rate limiting for my machine using
> > > iptables. The use case is to do 2 things:
> > >
> > > 1) block traffic from the same ip+port combination for 15 minutes if
> > > it gets more than 10 hits per minute.
> > >
> > > 2) block traffic from the same ip for 30 minutes if it gets more than
> > > 80 hits per minute.
> > >
> > > For this I'm currently using these rules:
> > >
> > > 1) -A PREROUTING -p tcp -m tcp -m state --state NEW -m hashlimit
> > > --hashlimit-above 10/minute --hashlimit-burst 10 --hashlimit-mode
> > > srcip,dstport --hashlimit-name test10 --hashlimit-htable-expire 900000
> > > -j ACCEPT
> > >
> > > 2) -A PREROUTING -p tcp -m tcp -m state --state NEW -m hashlimit
> > > --hashlimit-above 80/minute --hashlimit-burst 80 --hashlimit-mode
> > > srcip --hashlimit-name test80 --hashlimit-htable-expire 1800000 -j
> > > ACCEPT
> >
> > Why is --hashlimit-above being combined with a verdict of ACCEPT?
> >
> > >
> > > But it's not quite working, as soon as it gets on the list, if you get
> > > another hit the timer gets reset to the default expire time and it
> > > gets blocked on the first try even if after the expire. So are there
> > > any suggestions on how to achieve the use case or what i'm doing
> > > wrong?
> >
> > I would suggest disentangling all three of the following concerns:
> >
> > - determining whether a rate limit has been exceeded
> > - adding to a set of banned addresses (with attached timeout values)
> > - consulting the set to determine whether a given address has been banned
> >
> > To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.
> >
> > *raw
> > :PREROUTING ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :limitban - [0:0]
> > -A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
> > -A limitban -m set --match-set banned src -j DROP
> > -A limitban -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip --hashlimit-name test10 -j SET --add-set banned src --timeout 900
> > -A limitban -m hashlimit --hashlimit-above 80/min --hashlimit-mode srcip --hashlimit-name test80 -j SET --add-set banned src
> > -A limitban -m set --match-set banned src -j DROP
> > COMMIT
> >
> > For this ruleset to be loadable, you'll first need to create the ipset that it references.
> >
> > # ipset create banned hash:ip timeout 1800
> >
> > --
> > Kerin Millar

Re: IPtables rate limiting question

[Reindl Harald]

Am 31.10.24 um 13:15 schrieb Francisco Agostinho:
> Ok so the ipset suggestion worked! The current setup that worked is
> putting the DROP rules on the *raw table PREROUTING and the SET rules
> on the *nat table PREROUTING. Also created 1 ipset for each use case
you want it *before* NAT in "mangle" in case of a NAT-router
you rate limit the source as it is with minimzed overhead

https://natnat1.medium.com/iptables-b9ce0602253f

Re: IPtables rate limiting question

[Francisco Agostinho]

>*raw
>:PREROUTING ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>:limitban - [0:0]
>-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
>-A limitban -m set --match-set banned src -j DROP
>-A limitban -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip --hashlimit-name test10 -j SET --add-set banned src --timeout 900
>-A limitban -m hashlimit --hashlimit-above 80/min --hashlimit-mode srcip --hashlimit-name test80 -j SET --add-set banned src
>-A limitban -m set --match-set banned src -j DROP
>COMMIT

>For this ruleset to be loadable, you'll first need to create the ipset that it references.

># ipset create banned hash:ip timeout 1800

Regarding not mentioning the tables, I was using *nat table for the
PREROUTING and before tried to use the DROP rules on the *filter
table, which was not dropping the traffic.

Ok so the ipset suggestion worked! The current setup that worked is
putting the DROP rules on the *raw table PREROUTING and the SET rules
on the *nat table PREROUTING. Also created 1 ipset for each use case.

Thank you very much for the help!

<http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Sem vírus.www.avg.com
<http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>