RE: [squid-users] iptables to limit connections

From: Jay Turner <jturner@dont-contact.us>
Date: Mon, 16 Jun 2003 16:58:46 +0800

taken from: http://www.cs.princeton.edu/~jns/security/iptables/

## SYN-FLOODING PROTECTION
# This rule maximises the rate of incoming connections. In order to do this
# we divert tcp packets with the SYN bit set off to a user-defined chain. Up
# to limit-burst connections can arrive in 1/limit seconds ..... in this case
# 4 connections in one second. After this, one of the burst is regained every
# second and connections are allowed again. The default limit is 3/hour. The
# default limit burst is 5.
#
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 80 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "syn-flood-protection: "
iptables -A syn-flood -j DROP

Regards
Jay

-----Original Message-----
From: Ralf Hildebrandt [mailto:Ralf.Hildebrandt@charite.de]
Sent: Monday, 16 June 2003 4:45 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] iptables to limit connections

* Henrik Nordstrom <hno@squid-cache.org>:

> > So I thought iptables --limit could do the trick.
> > Before I reinvent the wheel, I'd like to ask if someone already has
> > such a "connection rate limiter per IP" in place (and how it
> > looks).
>
> iptables -m limit should handle such case nicely, but you will need
> one rule per client IP address... Something like the following should
> work I think:
>
> -N SYN
> -A SYN -s ip.of.first.client -m limit --limit ... -j ACCEPT
> -A SYN -s ip.of.second.client -m limit --limit ... -j ACCEPT
> ....
> -A SYN -m limit ... -j LOG --log-prefix "SYNRATE "
> -A SYN -j DROP
> -A INPUT -p tcp --syn -j SYN

Yes, but this requires identifying the evil client.

--
Ralf Hildebrandt (Im Auftrag des Referat V a)   Ralf.Hildebrandt@charite.de
Charite Campus Mitte                            Tel.  +49 (0)30-450 570-155
Referat V a - Kommunikationsnetze -             Fax.  +49 (0)30-450 570-916
AIM: ralfpostfix
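Added example, not from the thread: both rulesets above key on a single "-m limit" bucket shared by every client, so a flooding source also drains the budget of well-behaved ones, and Henrik's per-client rules need the evil client identified up front. The hashlimit match (not mentioned in the thread) keeps one bucket per source IP instead; assumed here are a kernel with xt_hashlimit, and eth0, port 3128, 4/sec and a burst of 20 as placeholder values.

```shell
#!/bin/sh
# Emit a per-source SYN rate limit as an iptables-restore fragment so it can
# be reviewed before loading. Added example; the names and values are
# assumptions, not anything from the original thread.

syn_rate_rules() {
    iface="${1:-eth0}"    # interface facing the clients (placeholder)
    port="${2:-3128}"     # proxy port the SYNs are aimed at (placeholder)
    rate="${3:-4/sec}"    # sustained new-connection rate allowed per source
    burst="${4:-20}"      # initial burst allowed per source
    cat <<EOF
*filter
:syn-rate - [0:0]
# Only connection attempts (SYN without ACK) are sent to the rate chain.
-A INPUT -i $iface -p tcp --dport $port --syn -j syn-rate
# One token bucket per source IP (/32): a flood from one host only empties
# that host's bucket, other clients keep their own allowance.
-A syn-rate -m hashlimit --hashlimit-name synrate --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j RETURN
# Log what gets dropped, but cap the log rate so the flood cannot fill syslog.
-A syn-rate -m limit --limit 6/min -j LOG --log-prefix "syn-rate-limit: "
-A syn-rate -j DROP
COMMIT
EOF
}

# Print the fragment; load it with: syn_rate_rules | iptables-restore --noflush
syn_rate_rules "$@"
```

Lines starting with "#" are ignored by iptables-restore, so the fragment loads as printed; --noflush appends to the existing filter table instead of replacing it.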
Received on Mon Jun 16 2003 - 02:58:46 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:22 MST