Saturday, April 25, 2009

Re: recent/hitcount broken in Lenny?

Hello,

Guillaume Tamboise wrote:
>
> I used to rate limit the number of incoming HTTP connections in Etch,
> using these iptables statements:
>
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW \
>     -m recent --set --name HTTP
>
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW \
>     -m recent --update --seconds 2 --hitcount 50 --name HTTP \
>     -j LOG --log-prefix "HTTP_DoS "
>
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW \
>     -m recent --update --seconds 2 --hitcount 50 --name HTTP -j DROP
>
> iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
>
> The second statement gives this in Lenny:
>
> iptables: Invalid argument
>
> The only way to get iptables to accept this statement is to remove the
> hitcount.

From ChangeLog-2.6.25:

> [NETFILTER]: ipt_recent: sanity check hit count
>
> If a rule using ipt_recent is created with a hit count greater than
> ip_pkt_list_tot, the rule will never match as it cannot keep track
> of enough timestamps. This patch makes ipt_recent refuse to create such
> rules.
>
> With ip_pkt_list_tot's default value of 20, the following can be used
> to reproduce the problem.
>
> nc -u -l 0.0.0.0 1234 &
> for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done
>
> This limits it to 20 packets:
> iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
> --rsource
> iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
> 60 --hitcount 20 --name test --rsource -j DROP
>
> While this is unlimited:
> iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
> --rsource
> iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
> 60 --hitcount 21 --name test --rsource -j DROP
>
> With the patch the second rule-set will throw an EINVAL.

Maybe this is the explanation if you use a kernel version 2.6.25 or
above, such as the 2.6.26 kernel from lenny. You may try to increase the
packet list length to at least 50 using the parameter "ip_pkt_list_tot"
of the module ipt_recent (note that this module was renamed xt_recent in
kernel version 2.6.28 and above, but the "ipt_recent" alias should have
been kept). IIRC this can be done by adding an "options" statement in
/etc/modprobe.conf or /etc/modprobe.d/ (I haven't done that for a long
time).

options ipt_recent ip_pkt_list_tot=50


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
