
iptables: rate limiting problem



I've been trying to get some rate limiting working with my Fedora firewall.

I needed to open up SSH externally on one machine, so I wanted to put some rate limiting into my Fedora 7 iptables for SSH, but it refuses to work.

Here's what I have:

# iptables -L -n --line-numbers
...
Chain RH-Firewall-1-INPUT (1 references)
...
16 tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322 recent: SET name: DEFAULT side: source
17 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322 recent: UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source
18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322
19 REJECT 0   -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited


If I take out the two 'recent' rules then I can log in via SSH on port 33322. But with the rules in I get a timeout and 'connection closed' when I try to log in via ssh on port 33322.

Here are the rules:

iptables -I RH-Firewall-1-INPUT 16 -i eth0 -m state --state NEW -p tcp --dport 33322 -m recent --set
iptables -I RH-Firewall-1-INPUT 17 -i eth0 -m state --state NEW -p tcp --dport 33322 -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I RH-Firewall-1-INPUT 18 -i eth0 -m state --state NEW -p tcp --dport 33322 -j ACCEPT

Ok, what I've found is that if I set the 'hit_count' high, to say 100, then I can log in but the connection dies very quickly (actually it just hangs). So I think the limit rule is applying to more than just NEW packets. The higher I set 'hit_count', the longer the connection will last. So is there something wrong with the way I've implemented this, or is this a bug in iptables?

????

Gerry
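An added simulation (my own, not from the post and not iptables code) of how rules 16-18 count hits per source with `recent --set` / `--update --seconds 60 --hitcount 4`, and of the symptom Gerry describes if the recent rules were seeing every packet of a session rather than only NEW ones; the timestamps and source names are constructed.

```python
from collections import defaultdict

# Constructed model of the three rules from the post (not real iptables):
#   16: -m state --state NEW -m recent --set          (records source, never terminates)
#   17: -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
#   18: -m state --state NEW -j ACCEPT
WINDOW = 60      # --seconds
HITCOUNT = 4     # --hitcount


class RecentTable:
    """Per-source timestamps, like the entries in /proc/net/xt_recent/DEFAULT."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # --update matches only if src is listed and has >= hitcount stamps
        # inside the last `seconds`; on a match the entry gets a fresh stamp.
        inside = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        if len(inside) < hitcount:
            return False
        self.stamps[src].append(now)
        return True


def verdict(table, src, now, new, state_match=True):
    """Walk rules 16-18 for one packet; `new` is True for the first SYN only.
    state_match=False models the failure mode the post suspects: the recent
    rules seeing every packet of the session instead of just NEW ones."""
    if not new and state_match:
        return "pass"          # an established packet never reaches these rules
    table.set(src, now)                                   # rule 16
    if table.update(src, now, WINDOW, HITCOUNT):          # rule 17
        return "DROP"
    return "ACCEPT" if new else "pass"                    # rule 18


def simulate(packets, state_match=True):
    """packets: (timestamp, src, is_new) tuples; returns one verdict per packet."""
    table = RecentTable()
    return [verdict(table, s, t, n, state_match) for t, s, n in packets]
```

With the state match working, the 4th NEW connection from one source inside 60 seconds is dropped and the window resets after it expires; without it, a single session starts being dropped after its 4th packet, which is the hang the post describes.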

