• Max number of iptable rules?

    From Sandman@1:0/0 to All on Fri May 24 21:45:39 2013
    The man page doesn't seem to say. I saw something that suggested that
    it may have maxed out at about 5000 rules, could that be true?

    I'm adding them as I find them in the log files, and there are
    thousands of hosts...

    --
    Sandman[.net]

    --- MBSE BBS v0.95.15 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From Richard Kettlewell@110:300/1.1 to All on Sat May 25 09:56:02 2013
    Sandman <mr@sandman.net> writes:
    > The man page doesn't seem to say. I saw something that suggested that
    > it may have maxed out at about 5000 rules, could that be true?

    Don’t know, but a linear search for every packet isn’t going to be very efficient...

    > I'm adding them as I find them in the log files, and there are
    > thousands of hosts...

    You could use an ipset containing all the problem addresses instead of a
    rule for each address. See ‘man ipset’ and look for ‘ipset’ in ‘man
    iptables’ for details. (I’ve not tried this myself..)

    --
    http://www.greenend.org.uk/rjk/

    --- MBSE BBS v0.95.15 (GNU/Linux-x86_64)
    * Origin: Anjou (110:300/1.1@linuxnet)
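As an added illustration of the ipset approach suggested in the reply above (example code written for this page, not code from any of the posters), the script below turns a list of addresses harvested from log files into an `ipset restore` file plus the single iptables rule that consults the set. It assumes ipset v6 syntax (the hash:ip set type and `-m set --match-set`); the sample addresses, the set name `blocklist` and the three shell functions are the example's own constructions.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipset blocklist from
# log-derived addresses and block it with ONE iptables rule.
# Assumes ipset v6 syntax (hash:ip set type, "-m set --match-set").
# The addresses below are constructed samples, not real offenders;
# one duplicate and one garbled line are included on purpose.
SAMPLE_ADDRS='192.0.2.10
198.51.100.7
192.0.2.10
not-an-ip
203.0.113.99'

# Keep only well-formed dotted-quad IPv4 addresses from stdin, deduplicated,
# so a garbled log line cannot break the restore script.
clean_addrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Emit an "ipset restore" script (one create line, then one add line per
# address) for the set NAME, reading candidate addresses from stdin.
build_ipset_restore() {
    name="$1"
    printf 'create %s hash:ip family inet hashsize 1024 maxelem 65536\n' "$name"
    clean_addrs | while read -r ip; do
        printf 'add %s %s\n' "$name" "$ip"
    done
}

# The single rule that replaces a rule per host: the kernel does a hash
# lookup in the set instead of walking thousands of rules for every packet.
iptables_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Usage on a host with ipset installed (as root):
#   printf '%s\n' "$SAMPLE_ADDRS" | build_ipset_restore blocklist > blocklist.ipset
#   ipset restore -exist < blocklist.ipset
#   then run the one line printed by:  iptables_rule blocklist
# Offenders found later are added with "ipset add blocklist A.B.C.D";
# the iptables rule itself never changes.
printf '%s\n' "$SAMPLE_ADDRS" | build_ipset_restore blocklist
iptables_rule blocklist
```

Two caveats for anyone applying this: the set lives only in kernel memory, so dump it with `ipset save` and restore it at boot, and older ipset 4.x releases spelled the match `-m set --set NAME src` rather than `--match-set`. The set match also needs the ipset kernel module, which is the sticking point raised in the next reply for a stock 2.6.32 kernel.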
  • From Sandman@1:0/0 to All on Sat May 25 10:10:06 2013
    In article <878v33qyr1.fsf@araminta.anjou.terraraq.org.uk>,
    Richard Kettlewell <rjk@greenend.org.uk> wrote:

    >> The man page doesn't seem to say. I saw something that suggested that
    >> it may have maxed out at about 5000 rules, could that be true?

    > Don’t know, but a linear search for every packet isn’t going to be very efficient...

    Of course not. It's idiotic. But currently, it's the only method I
    have found that is actually working. :)

    >> I'm adding them as I find them in the log files, and there are
    >> thousands of hosts...

    > You could use an ipset containing all the problem addresses instead of a
    > rule for each address. See ‘man ipset’ and look for ‘ipset’ in ‘man
    > iptables’ for details. (I’ve not tried this myself..)

    I don't have ipset installed, and it's a kernel module and this is a
    production server, so I won't be starting to compile kernels on it
    unless it was my only option.

    The server is running Linux Debian 6.0.7 with the 2.6.32-5-amd64
    kernel.

    It's been a long time since I compiled a kernel, and apt-get has ipset
    and ipset-source, and I've never even compiled an apt-get source
    package (but I obviously have compiled millions of downloaded source packages).

    ipset would be a solution for me, it seems, but it also seems that
    opennet.se may be the culprit here, and my first step (Monday) should
    be to contact them and have them fix their DNS.



    --
    Sandman[.net]

    --- MBSE BBS v0.95.15 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From buck@110:300/1.1 to All on Sat May 25 19:06:05 2013
    Sandman <mr@sandman.net> wrote in news:mr-9F09EF.10100625052013@News.Individual.NET:

    > The man page doesn't seem to say. I saw something that suggested
    > that it may have maxed out at about 5000 rules, could that be true?

    Because I do not understand your DNS, this suggestion may be completely inappropriate, but have you considered a "recent" match for your iptables firewall? Something like:

    # This only limits the number of NEW connections, sending the remainder
    # on to the rest of the rules in the chain from which it was called (INPUT).
    # This limits each IP.

    iptables -N DDoS

    # Check /proc/net/ipt_recent to see the content of 'recent' lists
    # (on kernels where the match is built as xt_recent, the file is
    # /proc/net/xt_recent instead).
    # --name is the name of the table; use --name when more than one 'recent' match
    # is used so the table matches the intended use.
    # --rcheck checks to see if IP is in list '--name NAME' without updating the
    # entry's timestamp (use --update for that).
    # --rttl makes sure the ttl for this IP is the same as last time (helps prevent
    # IP spoofing).
    # --update updates the timestamp in the list. Cannot use --update and --rcheck
    # in the same rule.
    # If IP is in list ddos then drop connections in excess of 17 per second.
    # Tune it if it DROPs too much for your setup.

    iptables -A DDoS -m recent --set --name ddos

    # Allow if hitcount is less than 18.

    iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
        --hitcount 18 -m limit --limit 12/h --limit-burst 1 -j LOG --log-prefix "DDoS "
    iptables -A DDoS -m recent --name ddos --update --seconds 1 \
        --hitcount 18 -j DROP
    iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
        --hitcount 1 -j RETURN
    iptables -A DDoS -j RETURN

    ---
    # Limit the number of NEW connections ($IFE holds the external interface name).
    iptables -A INPUT -i $IFE -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
    ---

    The syntax to change the DROP rule (# and ## are the values you tune):
    iptables -R DDoS 3 -m recent --name ddos --update --seconds # \
        --hitcount ## -j DROP

    This way, you don't have 5K rules.
    --
    buck

    --- MBSE BBS v0.95.15 (GNU/Linux-x86_64)
    * Origin: Say What? (110:300/1.1@linuxnet)