Re: recent/hitcount broken in Lenny?
Hello,
Guillaume Tamboise wrote:
I used to rate-limit the number of incoming HTTP connections in Etch,
using these iptables statements:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --set --name HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 --name HTTP -j LOG --log-prefix "HTTP_DoS "
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 --name HTTP -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
The second statement gives this in Lenny:
iptables: Invalid argument
The only way to get iptables to accept this statement is to remove the
hitcount.
From ChangeLog-2.6.25:
[NETFILTER]: ipt_recent: sanity check hit count
If a rule using ipt_recent is created with a hit count greater than
ip_pkt_list_tot, the rule will never match as it cannot keep track
of enough timestamps. This patch makes ipt_recent refuse to create such
rules.
With ip_pkt_list_tot's default value of 20, the following can be used
to reproduce the problem.
nc -u -l 0.0.0.0 1234 &
for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done
This limits it to 20 packets:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds 60 --hitcount 20 --name test --rsource -j DROP
While this is unlimited:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds 60 --hitcount 21 --name test --rsource -j DROP
With the patch the second rule-set will throw an EINVAL.
Maybe this is the explanation if you use a kernel version 2.6.25 or
above, such as a 2.6.26 kernel from lenny. You may try to increase the
packet list length to at least 50 using the parameter "ip_pkt_list_tot"
of the module ipt_recent (note that this module is renamed xt_recent in
kernel version 2.6.28 and above, but the "ipt_recent" alias should be
kept). IIRC this can be done by adding an "options" statement in
/etc/modprobe.conf or /etc/modprobe.d/ (I haven't done that in a long
time).
options ipt_recent ip_pkt_list_tot=50
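As an added example (not part of either poster's message), the small POSIX shell script below performs the kernel's sanity check in userspace: it reads the loaded module's ip_pkt_list_tot from sysfs (assumed at /sys/module/xt_recent/parameters or /sys/module/ipt_recent/parameters, root-readable; the compiled-in default of 20 is used when no module is loaded), refuses a --hitcount that exceeds it, and otherwise prints the LOG/DROP rule set from the original post with the requested values. The function names, the `tot` argument used to override the sysfs value, and the decision to print rather than run iptables are this example's own choices.

```shell
#!/bin/sh
# Added example: validate --hitcount against ip_pkt_list_tot before a
# recent-match rule reaches iptables. On 2.6.25+ the kernel rejects
# hitcount > ip_pkt_list_tot with EINVAL ("iptables: Invalid argument");
# on older kernels such a rule loads but can never match.

# sysfs location of the module parameter (xt_recent on 2.6.28+, ipt_recent
# before that). Assumed readable by the invoking user (root).
XT_RECENT_PARAMS=/sys/module/xt_recent/parameters
IPT_RECENT_PARAMS=/sys/module/ipt_recent/parameters

# recent_list_tot [DIR]: print the effective ip_pkt_list_tot. DIR (optional,
# used for testing) is consulted first, then the two module paths; when
# nothing is loaded the compiled-in default of 20 applies.
recent_list_tot() {
    if [ -n "$1" ]; then
        set -- "$1" "$XT_RECENT_PARAMS" "$IPT_RECENT_PARAMS"
    else
        set -- "$XT_RECENT_PARAMS" "$IPT_RECENT_PARAMS"
    fi
    for d in "$@"; do
        if [ -r "$d/ip_pkt_list_tot" ]; then
            cat "$d/ip_pkt_list_tot"
            return 0
        fi
    done
    echo 20
}

# hitcount_ok HITCOUNT LIST_TOT: succeed when a rule with this --hitcount
# would be accepted; fail when it is below 1 or exceeds LIST_TOT.
hitcount_ok() {
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le "$2" ] 2>/dev/null
}

# http_ratelimit_rules SECONDS HITCOUNT [LIST_TOT]: print the set/LOG/DROP/
# ACCEPT rules from the original post for tcp/80, or explain why they would
# be refused and which modprobe option fixes it. Prints instead of running.
http_ratelimit_rules() {
    seconds=$1
    hitcount=$2
    tot=${3:-$(recent_list_tot)}
    if ! hitcount_ok "$hitcount" "$tot"; then
        echo "hitcount $hitcount exceeds ip_pkt_list_tot=$tot:" >&2
        echo "  rule is refused (EINVAL) on 2.6.25+, never matches before." >&2
        echo "  Fix in /etc/modprobe.d/: options ipt_recent ip_pkt_list_tot=$hitcount" >&2
        echo "  (module is xt_recent on 2.6.28+, alias ipt_recent kept)" >&2
        return 1
    fi
    m="-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW"
    echo "iptables $m -m recent --set --name HTTP"
    echo "iptables $m -m recent --update --seconds $seconds --hitcount $hitcount --name HTTP -j LOG --log-prefix \"HTTP_DoS \""
    echo "iptables $m -m recent --update --seconds $seconds --hitcount $hitcount --name HTTP -j DROP"
    echo "iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT"
}
```

Run `http_ratelimit_rules 2 50` on a stock Lenny kernel and it refuses with the modprobe hint; after `options ipt_recent ip_pkt_list_tot=50` and a module reload it prints the four rules, which can be piped to `sh` once they look right.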