Max number of iptable rules?

Discussion in 'Linux Networking' started by Sandman, May 24, 2013.

  1. Sandman

    Sandman Guest

    The man page doesn't seem to say. I saw something that suggested that
    it may have maxed out at about 5000 rules, could that be true?

    I'm adding them as I find them in the log files, and there are
    thousands of hosts...
     
    Sandman, May 24, 2013
    #1

  2. Don’t know, but a linear search for every packet isn’t going to be very
    efficient...
    You could use an ipset containing all the problem addresses instead of a
    rule for each address. See ‘man ipset’ and look for ‘ipset’ in ‘man
    iptables’ for details. (I’ve not tried this myself..)
     
    Richard Kettlewell, May 25, 2013
    #2
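    Building on the ipset suggestion above and on the thousands of logged hosts in the question, here is an added example that is not from the thread: it pulls the unique SRC= addresses out of iptables LOG lines, writes an 'ipset restore' script, and prints the single rule that replaces one rule per host. It assumes ipset 6 syntax, a set named blocklist, and the constructed sample log embedded in the script.

```sh
#!/bin/sh
# Added example (not from the thread): collapse logged source addresses into
# one ipset plus a single iptables rule instead of thousands of per-host rules.
# Assumes: iptables LOG lines with "SRC=" fields, ipset 6 syntax, set "blocklist".

# Constructed sample of what the LOG target writes to syslog (not real data).
SAMPLE_LOG='May 24 10:01:02 fw kernel: DDoS IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=53
May 24 10:01:03 fw kernel: DDoS IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=53
May 24 10:01:05 fw kernel: DDoS IN=eth0 SRC=198.51.100.23 DST=192.0.2.1 PROTO=UDP DPT=53
May 24 10:01:09 fw kernel: unrelated line with no source field'

# Print the unique SRC= addresses found on stdin, one per line, sorted.
extract_src_ips() {
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# Number of distinct hosts the set would hold (sanity check for the parser).
count_hosts() {
    extract_src_ips | wc -l | tr -d ' '
}

# Emit an 'ipset restore' script: one set definition, then one add per host.
# -exist makes it idempotent, so it can be re-run as the log keeps growing.
ipset_restore_script() {
    setname="$1"
    printf 'create %s hash:ip family inet hashsize 4096 maxelem 65536 -exist\n' "$setname"
    extract_src_ips | while read -r ip; do
        printf 'add %s %s -exist\n' "$setname" "$ip"
    done
}

# The one rule that replaces the per-host rules: a hash lookup per packet,
# not a linear walk through thousands of chain entries.
blocklist_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Usage on a real box:
#   grep DDoS /var/log/kern.log | ipset_restore_script blocklist | ipset restore
# Here we only print what would be fed to ipset and iptables.
printf '%s\n' "$SAMPLE_LOG" | ipset_restore_script blocklist
blocklist_rule blocklist
```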

  3. Sandman

    Sandman Guest

    > Don’t know, but a linear search for every packet isn’t going to be very
    > efficient...

    Of course not. It's idiotic. But currently, it's the only method I
    have found that is actually working. :)
    I don't have ipset installed, and it's a kernel module and this is a
    production server, so I won't be starting to compile kernels on it
    unless it was my only option.

    The server is running Linux Debian 6.0.7 with the 2.6.32-5-amd64
    kernel.

    It's been a long time since I compiled a kernel, and apt-get has ipset
    and ipset-source, and I've never even compiled an apt-get source
    package (but I obviously have compiled millions of downloaded source
    packages).

    ipset would be a solution for me, it seems, but as it seems,
    opennet.se may be the culprit here, and my first step (Monday) should
    be to contact them and have them fix their DNS.
     
    Sandman, May 25, 2013
    #3
  4. buck

    buck Guest

    Because I do not understand your DNS, this suggestion may be completely
    inappropriate, but have you considered a "recent" match for your iptables
    firewall? Something like:

    # This only limits the number of NEW connections, sending the remainder on
    # to the rest of the rules in the chain from which it was called (INPUT).
    # This limits each IP.

    iptables -N DDoS

    # Check /proc/net/ipt_recent to see the content of 'recent' lists.
    # --name is the name of the table; use --name when more than one 'recent' match
    # is used so the table matches the intended use.
    # --rcheck checks to see if IP is in list '--name NAME' without updating the
    # entry's timestamp (use --update for that).
    # --rttl makes sure the ttl for this IP is the same as last time (helps prevent
    # IP spoofing).
    # --update updates the timestamp in the list. Cannot use --update and --rcheck
    # in the same rule.
    # If IP is in list ddos then drop connections in excess of 17 per second.
    # Tune it if it DROPs too much for your setup.

    iptables -A DDoS -m recent --set --name ddos

    # Allow if hitcount is less than 18.

    iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
        --hitcount 18 -m limit --limit 12/h --limit-burst 1 -j LOG --log-prefix "DDoS "
    iptables -A DDoS -m recent --name ddos --update --seconds 1 \
        --hitcount 18 -j DROP
    iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
        --hitcount 1 -j RETURN
    iptables -A DDoS -j RETURN

    ---
    # Limit the number of NEW connections.
    # $IFE: the interface the rule applies to (set it before running this line).
    iptables -A INPUT -i $IFE -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
    ---

    The syntax to change the DROP rule:
    iptables -R DDoS 3 -m recent --name ddos --update --seconds # \
        --hitcount ## -j DROP

    This way, you don't have 5K rules.
     
    buck, May 25, 2013
    #4