[linux] iptables and limit --limit --limit-burst

Peto - www.lentus.sk konfery at lentus.sk
Monday April 5 12:58:13 CEST 2004


Greetings.

On the net [see the end of this email] I found an explanation of $SUBJ.
Just to be sure *that I understood it correctly*:

--limit 3/s  MEANS
do (log, drop, accept ...) 3 per second
[is there some default "cache"? // a default --limit-burst? - how big??]


--limit 4/h --limit-burst 5 -j LOG    MEANS
log AT MOST four per hour, with a "cache" of 5 packets



A)
--limit 4/h --limit-burst 5 -j LOG
If
1st hour: 3 packets arrive
2nd hour: 10 packets arrive [1 is dropped/not logged]
3rd hour: 2 packets arrive
then in the 4th hour I will accept at most 4+(5+0-5+3)=7 packets??
Is that correct?


B)
--limit 2/m --limit-burst 3 -j LOG
If
1st minute: 3 packets arrive
2nd minute: 3 packets arrive
3rd minute: 2 packets arrive
4th minute: 1 packet arrives
then in the 5th minute it will accept at most 2+(3-1-1+0+1)=4 packets??
Is that correct?

Thank you for your time :P


Peter
*www.lentus.sk*


--
My source:
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html

limit

     This module must be explicitly specified with `-m limit' or 
`--match limit'. It is used to restrict the rate of matches, such as for 
suppressing log messages. It will only match a given number of times per 
second (by default 3 matches per hour, with a burst of 5). It takes two 
optional arguments:

     --limit

         followed by a number; specifies the maximum average number of 
matches to allow per second. The number can specify units explicitly, 
using `/second', `/minute', `/hour' or `/day', or parts of them (so 
`5/second' is the same as `5/s').
     --limit-burst

         followed by a number, indicating the maximum burst before the 
above limit kicks in.

     This match can often be used with the LOG target to do rate-limited 
logging. To understand how it works, let's look at the following rule, 
which logs packets with the default limit parameters:

# iptables -A FORWARD -m limit -j LOG

     The first time this rule is reached, the packet will be logged; in 
fact, since the default burst is 5, the first five packets will be 
logged. After this, it will be twenty minutes before a packet will be 
logged from this rule, regardless of how many packets reach it. Also, 
every twenty minutes which passes without matching a packet, one of the 
burst will be regained; if no packets hit the rule for 100 minutes, the 
burst will be fully recharged; back where we started.

     Note: you cannot currently create a rule with a recharge time 
greater than about 59 hours, so if you set an average rate of one per 
day, then your burst rate must be less than 3.

     You can also use this module to avoid various denial of service 
attacks (DoS) with a faster rate to increase responsiveness.

     Syn-flood protection:

# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

     Furtive port scanner:

# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit 
--limit 1/s -j ACCEPT

     Ping of death:

# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 
1/s -j ACCEPT

     This module works like a "hysteresis door", as shown in the graph 
below.

        rate (pkt/s)
              ^        .---.
              |       / DoS \
              |      /       \
Edge of DoS -|.....:.........\.......................
  = (limit *  |    /:          \
limit-burst) |   / :           \         .-.
              |  /  :            \       /   \
              | /   :             \     /     \
End of DoS  -|/....:..............:.../.......\..../.
  = limit     |     :              :`-'         `--'
-------------+-----+--------------+------------------> time (s)
    LOGIC =>  Match | Didn't Match |    Match

     Say we say match one packet per second with a five packet burst, 
but packets start coming in at four per second, for three seconds, then 
start again in another three seconds.


         <--Flood 1-->           <---Flood 2--->

Total  ^                   Line  __--      YNNN
Packets|               Rate  __--      YNNN
        |            mum  __--      YNNN
     10 |        Maxi __--         Y
        |         __--            Y
        |     __--               Y
        | __--    YNNN
        |-    YNNN
      5 |    Y
        |   Y                                Key:  Y -> Matched Rule
        |  Y                                       N -> Didn't Match Rule
        | Y
        |Y
      0 +-------------------------------------------------->  Time (seconds)
         0   1   2   3   4   5   6   7   8   9  10  11  12

     You can see that the first five packets are allowed to exceed the 
one packet per second, then the limiting kicks in. If there is a pause, 
another burst is allowed but not past the maximum rate set by the rule 
(1 packet per second after the burst is used).
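Added example (not part of the original post or of the netfilter HOWTO quoted above): a small Python model of the limit match as the HOWTO describes it, i.e. a token bucket that starts full at --limit-burst tokens, refills continuously at the --limit rate and never holds more than the burst; a packet matches only if a whole token is available and then consumes it. The class and helper names (LimitMatch, parse_rate, run, per_window) are mine, and the assumption that refill is continuous rather than in whole-token steps is mine as well; the sample arrival patterns are constructed from the HOWTO's default-limit example, from the two scenarios asked about in the post (with every hour's or minute's packets arriving back-to-back at the start of that hour or minute) and from "Flood 1" in the diagram.

```python
from fractions import Fraction
from typing import Iterable, List


class LimitMatch:
    """Token-bucket model of the netfilter `-m limit` match.

    The bucket starts full with `burst` tokens, refills continuously at
    `rate` tokens per second and is capped at `burst`. A packet matches
    when at least one whole token is available, and then consumes it;
    otherwise it does not match. Assumption: this follows the behaviour
    the HOWTO describes (a model written for this post, not the kernel's
    xt_limit source). Fractions keep the arithmetic exact, so 1200 s at
    3/hour is exactly one token and no float rounding creeps in.
    """

    def __init__(self, rate: Fraction, burst: int = 5) -> None:
        if rate <= 0 or burst < 1:
            raise ValueError("rate must be positive and burst at least 1")
        self.rate = Fraction(rate)
        self.burst = burst
        self.tokens = Fraction(burst)   # bucket starts full
        self.last = Fraction(0)         # time of the previous packet (s)

    def packet(self, t) -> bool:
        """Feed one packet arriving at time t (seconds); True if it matches."""
        t = Fraction(t)
        if t < self.last:
            raise ValueError("packets must be fed in non-decreasing time order")
        # continuous refill since the previous packet, capped at the burst
        self.tokens = min(Fraction(self.burst),
                          self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


_UNITS = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
          "h": 3600, "hour": 3600, "d": 86400, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """Turn an iptables rate such as '3/s', '4/h' or '2/minute' into tokens
    per second. A bare number means per second, as in the HOWTO."""
    count, _, unit = spec.partition("/")
    return Fraction(int(count), _UNITS[unit or "second"])


def run(spec: str, burst: int, arrivals: Iterable) -> List[bool]:
    """Feed explicit arrival times (seconds); one True/False per packet."""
    m = LimitMatch(parse_rate(spec), burst)
    return [m.packet(t) for t in arrivals]


def per_window(spec: str, burst: int, counts: List[int], window: int) -> List[int]:
    """counts[i] packets arrive back-to-back at the start of window i, each
    window being `window` seconds long. Returns how many packets of each
    window match. Arriving all at once is the worst case for the sender:
    spreading them over the window lets the refill add up to rate*window
    further matches within that same window."""
    m = LimitMatch(parse_rate(spec), burst)
    matched = []
    for i, n in enumerate(counts):
        t = i * window
        matched.append(sum(m.packet(t) for _ in range(n)))
    return matched


if __name__ == "__main__":
    # HOWTO default (3/hour, burst 5): first five match, the sixth does not,
    # then nothing until 20 minutes have passed
    print(run("3/h", 5, [0] * 6 + [1199, 1200]))
    # scenario A from the post: 4/h, burst 5; hourly counts 3, 10, 2, and a
    # 4th hour with 10 packets arriving at its start
    print(per_window("4/h", 5, [3, 10, 2, 10], 3600))
    # scenario B from the post: 2/m, burst 3
    print(per_window("2/m", 3, [3, 3, 2, 1, 10], 60))
    # "Flood 1" from the diagram: 1/s, burst 5, four packets per second for 3 s
    print(sum(run("1/s", 5, [k / 4 for k in range(12)])))
```

In this model the bucket is refilled by fractions of a token as time passes, so inside a flood the exact packets that match can differ slightly from the schematic YNNN pattern in the diagram, but the totals behave as the text says: the burst is spent first, then matches are admitted at the average rate, and a quiet period of burst/rate seconds (100 minutes for the defaults) refills the bucket completely.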




More information about the linux mailing list