Hello,
Up to CentOS 5.3 it was possible to control new IP connections by "recent", "seconds" and "hitcount":
-A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
-A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
so that a short-time high rate of new connections to the web server was accepted, but not over a longer time.
E.g. CentOS 5.8 or CentOS 6.2 accept only:
-A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
-A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 15 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
So a complex web page with many small icons, e.g. webmail pages, triggers the log in line 2 and the drop in line 3.
hitcount does not accept values of 25 or above:
[root@server ~]# iptables -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
[root@server ~]# iptables -A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 25 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
iptables: Unknown error 4294967295
What can I do to protect the web server? Is there any configuration parameter to increase the values for hitcount?
Best regards Helmut Drodofsky
Hello Helmut,
On Mon, 2012-06-11 at 11:54 +0200, Helmut Drodofsky wrote:
> Up to CentOS 5.3 it was possible to control new IP connections by "recent", "seconds" and "hitcount":
> -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
> -A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
> -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> hitcount does not accept values of 25 or above:
20* on CentOS-5 afaict.
> [root@server ~]# iptables -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
> [root@server ~]# iptables -A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 25 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
> iptables: Unknown error 4294967295
I suggest you take this upstream. Apparently there are quite a few issues between the various kernel and iptables versions and also the different architectures.
https://bugzilla.redhat.com/show_bug.cgi?id=639026 seems to be the issue you are experiencing.
(Note that 4294967295 = 2^32-1 and 18446744073709551615 = 2^64-1, which makes me believe the reporter of the above bug runs on x86_64 and you're probably running a 32 bit system. These things should be mentioned when you report bugs as well as the CentOS and package versions you are conducting your tests on/with.)
Try to google for site:bugzilla.redhat.com iptables: Unknown error 4294967295 and site:bugzilla.redhat.com iptables: Unknown error 18446744073709551615 for more related bugzilla entries.
Regards, Leonard.