[CentOS] iptables: hitcount

Mon Jun 11 09:54:11 UTC 2012
Helmut Drodofsky <drodofsky at internet-xs.de>

Hello,

Up to CentOS 5.3 it was possible to control new IP connections with
"recent", "seconds" and "hitcount":

-A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
-A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

so that a short-term high rate of new connections to the web server was
accepted, but not over a longer time.

CentOS 5.8 or CentOS 6.2, for example, accept only

-A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
-A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 15 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

So a complex web page with many small icons, e.g. webmail pages, triggers
the log in line 2 and the drop in line 3.

hitcount does not accept values of 25 or above:

[root@server ~]# iptables -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
[root@server ~]# iptables -A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 25 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
iptables: Unknown error 4294967295


What can I do to protect the web server? Is there any configuration
parameter to increase the values for hitcount?

Best regards Helmut Drodofsky

-- 
Kind regards
Helmut Drodofsky

Internet XS Service GmbH
Heßbrühlstraße 15
70565 Stuttgart

Managing Director
Dr.-Ing. Roswitha Hahn-Drodofsky
HRB 21091 Stuttgart
VAT ID: DE190582774
Tel. 0711 781941 0
Fax: 0711 781941 79
Mail: info at internet-xs.de
www.internet-xs.de
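A check and rule generator for the situation above, as an added example that is not part of the original post or of CentOS: it assumes that the upper bound on --hitcount is the ip_pkt_list_tot parameter of the recent match module (ipt_recent on the CentOS 5 kernel, xt_recent on CentOS 6), whose compiled-in default is 20, and that 20 is the right fallback when the sysfs node is not readable. The function names, the RECENT_PLAN variable and the modprobe.d file name are this example's own choices; the four rules it prints are the pattern from the post with the port, window and hitcount made into parameters.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the kernel rejects
# a "recent" rule whose --hitcount is larger than the module parameter
# ip_pkt_list_tot (default 20); iptables then reports only
# "Unknown error 4294967295", which is -1 printed as an unsigned value.

# Name of the "recent" match module on this kernel: ipt_recent on the
# CentOS 5 (2.6.18) kernel, xt_recent on CentOS 6 (2.6.32) and later.
recent_module() {
    if [ -d /sys/module/ipt_recent ]; then
        echo ipt_recent
    else
        echo xt_recent
    fi
}

# Size of the per-address packet history, which bounds --hitcount. The sysfs
# node is root-readable only; unprivileged callers get the compiled-in
# default of 20 (assumption: no modprobe option has been set).
recent_pkt_limit() {
    f="/sys/module/$1/parameters/ip_pkt_list_tot"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo 20
    fi
}

# Return 0 when HITCOUNT does not exceed LIMIT, non-zero otherwise.
hitcount_fits() {
    limit=$1; hitcount=$2
    [ "$hitcount" -le "$limit" ]
}

# modprobe.d line that raises the limit. It only takes effect after the
# module is unloaded (which requires flushing rules that use -m recent)
# and loaded again, or after a reboot.
modprobe_conf() {
    echo "options $1 ip_pkt_list_tot=$2"
}

# The four-rule pattern from the post, parameterised: record every NEW
# connection, then log and drop a source that exceeds HITCOUNT new
# connections within SECONDS, and accept the rest.
flood_rules() {
    port=$1; seconds=$2; hitcount=$3
    echo "-A INPUT -m state --state NEW -m recent --set -p tcp --dport $port"
    echo "-A INPUT -m state --state NEW -m recent --update --seconds $seconds --hitcount $hitcount -p tcp --dport $port -j LOG --log-prefix \"FW DROP IP Flood: \""
    echo "-A INPUT -p tcp -m tcp --dport $port -m state --state NEW -m recent --update --seconds $seconds --hitcount $hitcount -j DROP"
    echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
}

# Compare the wanted hitcount with the live limit (or an explicit LIMIT as
# fourth argument) and print either the rules or the modprobe option that
# has to be set first. Always returns 0; the decision is in the output.
plan_rules() {
    port=$1; seconds=$2; hitcount=$3
    mod=$(recent_module)
    limit=${4:-$(recent_pkt_limit "$mod")}
    if hitcount_fits "$limit" "$hitcount"; then
        flood_rules "$port" "$seconds" "$hitcount"
    else
        echo "# hitcount $hitcount exceeds $mod ip_pkt_list_tot=$limit;"
        echo "# put this line in /etc/modprobe.d/$mod.conf and reload the module:"
        modprobe_conf "$mod" "$hitcount"
    fi
}

# Only print a plan when asked, so the file can also be sourced.
if [ "${RECENT_PLAN:-}" = 1 ]; then
    plan_rules 80 60 1000
fi
```

Run it as `RECENT_PLAN=1 sh recent-plan.sh` to see what would be applied; nothing is loaded into the kernel, the rules are only printed. Two caveats when raising the limit: the history is kept per address, so ip_pkt_list_tot=1000 means 1000 timestamps per tracked address, and the list itself holds only ip_list_tot addresses (default 100, a separate parameter of the same module) before the oldest entries are recycled.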