[linux] iptables and limit --limit --limit-burst
Peto - www.lentus.sk
konfery na lentus.sk
Monday April 5 12:58:13 CEST 2004
Hello.
On the net [end of the e-mail] I found an explanation of $SUBJ.
Just to make sure *I understood it correctly*:
--limit 3/s MEANS
do (log, drop, accept ...) 3 per second
[is there some default "cache"? // default --limit-burst? - how big??]
--limit 4/h --limit-burst 5 -j LOG MEANS
log AT MOST four per hour, with a "cache" of 5 packets
A)
--limit 4/h --limit-burst 5 -j LOG
If
in hour 1, 3 packets arrive
in hour 2, 10 packets arrive [1 is dropped/not logged]
in hour 3, 2 packets arrive
then in hour 4 it accepts at most 4+(5+0-5+3)=7 packets??
Is that correct?
B)
--limit 2/m --limit-burst 3 -j LOG
If
in minute 1, 3 packets arrive
in minute 2, 3 packets arrive
in minute 3, 2 packets arrive
in minute 4, 1 packet arrives
then in minute 5 it accepts at most 2+(3-1-1+0+1)=4 packets??
Is that correct?
Thanks for your time :P
Peter
*www.lentus.sk*
--
My source:
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html
limit
This module must be explicitly specified with `-m limit' or
`--match limit'. It is used to restrict the rate of matches, such as for
suppressing log messages. It will only match a given number of times per
second (by default 3 matches per hour, with a burst of 5). It takes two
optional arguments:
--limit
followed by a number; specifies the maximum average number of
matches to allow per second. The number can specify units explicitly,
using `/second', `/minute', `/hour' or `/day', or parts of them (so
`5/second' is the same as `5/s').
--limit-burst
followed by a number, indicating the maximum burst before the
above limit kicks in.
This match can often be used with the LOG target to do rate-limited
logging. To understand how it works, let's look at the following rule,
which logs packets with the default limit parameters:
# iptables -A FORWARD -m limit -j LOG
The first time this rule is reached, the packet will be logged; in
fact, since the default burst is 5, the first five packets will be
logged. After this, it will be twenty minutes before a packet will be
logged from this rule, regardless of how many packets reach it. Also,
every twenty minutes which passes without matching a packet, one of the
burst will be regained; if no packets hit the rule for 100 minutes, the
burst will be fully recharged; back where we started.
Note: you cannot currently create a rule with a recharge time
greater than about 59 hours, so if you set an average rate of one per
day, then your burst rate must be less than 3.
You can also use this module to avoid various denial of service
attacks (DoS) with a faster rate to increase responsiveness.
Syn-flood protection:
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Furtive port scanner:
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping of death:
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
This module works like a "hysteresis door", as shown in the graph
below.
        rate (pkt/s)
             ^        .---.
             |       / DoS \
             |      /       \
Edge of DoS -|.....:.........\.......................
 = (limit *  |    /:          \
limit-burst) |   / :           \         .-.
             |  /  :            \       /   \
             | /   :             \     /     \
End of DoS  -|/....:..............:.../.......\..../.
 = limit     |     :              :`-'         `--'
-------------+-----+--------------+------------------> time (s)
   LOGIC =>  Match | Didn't Match |    Match
Say we say match one packet per second with a five packet burst,
but packets start coming in at four per second, for three seconds, then
start again in another three seconds.
         <--Flood 1-->           <---Flood 2--->

Total   ^                   Line __--       YNNN
Packets |               Rate __--       YNNN
        |            mum __--       YNNN
     10 |       Maxi __--         Y
        |        __--            Y
        |    __--               Y
        |__--   YNNN
        |-   YNNN
      5 |    Y
        |   Y                 Key:  Y -> Matched Rule
        |  Y                        N -> Didn't Match Rule
        | Y
        |Y
      0 +--------------------------------------------------> Time (seconds)
        0   1   2   3   4   5   6   7   8   9  10  11  12
You can see that the first five packets are allowed to exceed the
one packet per second, then the limiting kicks in. If there is a pause,
another burst is allowed but not past the maximum rate set by the rule
(1 packet per second after the burst is used).
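The behaviour the HOWTO describes is a token bucket: a bucket that holds at most --limit-burst tokens, is refilled continuously at the --limit rate, and is charged one token per match; the rule matches only while a whole token is available. The following Python model is an added example, not code from the post or from the netfilter project. It replays the HOWTO's flood picture (1/s with burst 5, 4 pkt/s for 3 s, 3 s pause, 3 s more) and the two scenarios from the question. The arrival timing in those scenarios is an assumption, because the question gives only per-hour and per-minute counts: each period's packets are taken to arrive at the very start of the period, except the final period, whose packets are spread evenly across it. The kernel keeps integer credits and refills them from jiffies, so real counts can differ by one at period boundaries.

```python
"""Token-bucket model of the iptables `limit` match (-m limit --limit N/unit --limit-burst B).

Added example, not netfilter code. Exact Fractions stand in for the kernel's
integer credits so the arithmetic below has no rounding surprises.
"""
from fractions import Fraction

# seconds per unit accepted by --limit: full names and their first letter
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
UNITS.update({name[0]: secs for name, secs in list(UNITS.items())})


def parse_limit(spec: str) -> Fraction:
    """'4/h' -> matches per second as an exact Fraction; a bare number means per second."""
    if "/" in spec:
        count, unit = spec.split("/", 1)
        return Fraction(int(count), UNITS[unit])
    return Fraction(int(spec))


class LimitMatch:
    """One -m limit instance: at most `burst` tokens, refilled at `limit`,
    one token spent per match. The bucket starts full, so the first `burst`
    packets always match, exactly as the HOWTO says."""

    def __init__(self, limit: str = "3/hour", burst: int = 5):
        self.rate = parse_limit(limit)   # tokens per second
        self.burst = burst
        self.tokens = Fraction(burst)
        self.last = Fraction(0)          # time of the previous packet

    def packet(self, t) -> bool:
        t = Fraction(t)
        # refill for the time elapsed since the last packet, capped at the burst
        self.tokens = min(Fraction(self.burst), self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run(limit: str, burst: int, arrivals):
    """One bool per arrival time (processed in order): did the rule match?"""
    m = LimitMatch(limit, burst)
    return [m.packet(t) for t in sorted(arrivals)]


def flood(start, pps: int, seconds: int):
    """Constructed arrival times: `pps` evenly spaced packets per second."""
    return [Fraction(start) + Fraction(i, pps) for i in range(pps * seconds)]


def howto_flood_pattern() -> str:
    """The HOWTO picture: 1/s, burst 5, 4 pkt/s for 3 s, 3 s pause, 3 s more."""
    arrivals = flood(0, 4, 3) + flood(6, 4, 3)
    return "".join("Y" if ok else "N" for ok in run("1/s", 5, arrivals))


def per_period_matches(limit: str, burst: int, period: int, counts):
    """counts[i] packets arrive at the start of period i (assumed timing); the
    last period's packets are instead spread evenly over it. Returns the number
    of matched packets per period."""
    arrivals = []
    for i, n in enumerate(counts):
        base = i * period
        if i == len(counts) - 1:
            arrivals += [base + Fraction(k * period, n) for k in range(n)]
        else:
            arrivals += [Fraction(base)] * n
    results = run(limit, burst, arrivals)
    matched, pos = [], 0
    for n in counts:
        matched.append(sum(results[pos:pos + n]))
        pos += n
    return matched


def recharge_seconds(limit: str, burst: int) -> Fraction:
    """Time from an empty bucket back to a full burst (100 minutes for the defaults)."""
    return burst / parse_limit(limit)


if __name__ == "__main__":
    print(howto_flood_pattern())                               # YYYYYYNNYNNNYYYYYNNNYNNN
    print(per_period_matches("4/h", 5, 3600, [3, 10, 2, 10]))  # question A, 10 spread over hour 4
    print(per_period_matches("2/m", 3, 60, [3, 3, 2, 1, 5]))   # question B, 5 spread over minute 5
    print(recharge_seconds("3/hour", 5) / 60, "minutes")       # 100 minutes
```

Two things the model makes visible that the arithmetic in the question does not: no more than --limit-burst packets can ever match back to back, however long the quiet period before them, because the bucket never holds more than the burst; and a full period of silence refills only --limit tokens, so under the assumed timing 5 of the 10 packets in hour 2 of scenario A match and hour 4 yields 8, while scenario B yields 4 in minute 5. For the defaults (3/hour, burst 5) the model reproduces the HOWTO's twenty-minute gap after the first five matches and the 100-minute full recharge.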