Is this firewall only protecting itself (INPUT) or others behind it (FORWARD) as well? But anyway, if the cause of your problem is synflood and that your ethernet driver is being DoS'ed (that's my interpretation from "eth0: Too much work at interrupt...") then I'd say that there is nothing iptables can do for you as it (iptables) reacts on the packets your driver hands over to it. I might be wrong here. What happens when you pipe lots of data through your card, eg when you almost saturate the link? In both directions? Or is this only happening when you get hit by synflood?
But, it seems weird though. Your ethernet card should be able to handle that much traffic that the upstream ethernet port is sending. What is your upstream bandwidth to your ISP? And what is your upstream bandwidth from your linux box? And how much synflood traffic is hitting you each time?

Ramin

On Thu, Apr 11, 2002 at 06:13:14PM +0200, Dworf wrote:
> Hello,
>
> I work for a BIG company and we get lots of SynFlood Attacks to our company.
> DDoS is not a problem because our ISP is dropping all icmp on their router. but
> SynFlood attacks go through. The problem is that when there is a major attack
> the linux firewall gets disconnected while the attack is in progress. I get
> this in my /var/log/messages
>
> Apr 11 16:56:52 fw kernel: eth0: Too much work at interrupt,
> IntrStatus=0x0001.
>
> I use the RTL 8139too driver i thought this could be a network card problem and
> changed the card to eepro100 and still the same problem with a little different
> kernel msg but still lose the connection when the attack is in progress. So
> i thought that maybe i have a problem with my firewall configuration:
>
> Current Configuration:
>
> /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
> /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
> /bin/echo "0" > /proc/sys/net/ipv4/ip_forward
>
> /bin/echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
> /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> /bin/echo "0" > /proc/sys/net/ipv4/tcp_timestamps
> /bin/echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
> /bin/echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
> /bin/echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
> /bin/echo "0" > /proc/sys/net/ipv4/tcp_sack
>
> /usr/sbin/iptables -N syn-flood
> /usr/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
> /usr/sbin/iptables -A syn-flood -m limit --limit 2/s --limit-burst 4 -j RETURN
> /usr/sbin/iptables -A syn-flood -j LOG --log-prefix "IPTABLES SYN-FLOOD-IN: "
> /usr/sbin/iptables -A syn-flood -j DROP
>
> /usr/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>
> /usr/sbin/iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
> /usr/sbin/iptables -A INPUT -f -j DROP
>
> I pasted only the syn firewall settings other settings are some drops for
> other ports etc...
>
> Anyone got any ideas what else could i add/change for SynFlooding or any kind
> of Flooding/attacks?
>
> BTW: the Line bandwidth is not a problem we have a 100Mbit INET Line to the ISP
> but attack usually uses up to 10Mbit but i still get disconnected
>
> I really need help and my boss wants to see some results anyone? help! and
> sorry for the long post
>
> And sorry for my english.
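Ramin asks how much SYN-flood traffic is actually arriving each time. The quoted ruleset already logs every SYN that exceeds the `-m limit` budget with the prefix `IPTABLES SYN-FLOOD-IN:`, and the driver overload message lands in the same /var/log/messages, so both can be read back from the log. The script below is an added example, not code from either poster: it parses constructed log lines in the 2.4-era iptables LOG format (sample addresses, MACs and timestamps are made up), counts logged SYN drops per second, per source and per destination port, and counts how many of those drops fall within a few seconds of each "Too much work at interrupt" event.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of /var/log/messages lines (not taken from the original
# post). The iptables LOG target writes one line per logged packet with
# SRC=/DST=/PROTO= fields; the driver line mirrors the message quoted above.
SAMPLE_LOG = """\
Apr 11 16:56:50 fw kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= MAC=00:50:ba:11:22:33:00:01:02:03:04:05:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=4221 PROTO=TCP SPT=1025 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Apr 11 16:56:50 fw kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= MAC=00:50:ba:11:22:33:00:01:02:03:04:05:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=4222 PROTO=TCP SPT=1026 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Apr 11 16:56:50 fw kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= MAC=00:50:ba:11:22:33:00:01:02:03:04:05:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9001 PROTO=TCP SPT=3301 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Apr 11 16:56:51 fw kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= MAC=00:50:ba:11:22:33:00:01:02:03:04:05:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=4223 PROTO=TCP SPT=1027 DPT=443 WINDOW=512 RES=0x00 SYN URGP=0
Apr 11 16:56:52 fw kernel: eth0: Too much work at interrupt, IntrStatus=0x0001.
Apr 11 16:56:52 fw kernel: IPTABLES SYN-FLOOD-IN: IN=eth0 OUT= MAC=00:50:ba:11:22:33:00:01:02:03:04:05:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=17 PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 11 16:57:10 fw kernel: IPTABLES FRAGMENTS: IN=eth0 OUT= MAC=00:50:ba:11:22:33:00:01:02:03:04:05:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=51 ID=777 PROTO=TCP
Apr 11 16:57:30 fw sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 51000
"""

# One iptables LOG line: syslog timestamp, host, our --log-prefix, then the
# packet fields. SPT/DPT are optional because non-first fragments carry none.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>IPTABLES [A-Z-]+): .*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
# The driver overload message from the original post.
DRIVER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<iface>eth\d+): Too much work at interrupt"
)


def parse_messages(text):
    """Split a /var/log/messages excerpt into logged SYN drops, driver
    overload events and a per-prefix count of all iptables LOG lines."""
    syn_drops, driver_events, by_prefix = [], [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            by_prefix[m.group("prefix")] += 1
            if m.group("prefix") == "IPTABLES SYN-FLOOD-IN":
                syn_drops.append(m.groupdict())
            continue
        d = DRIVER_RE.match(line)
        if d:
            driver_events.append((d.group("ts"), d.group("iface")))
    return syn_drops, driver_events, by_prefix


def summarize(syn_drops):
    """Rate and distribution of SYNs that went over the limit budget."""
    per_second = Counter(e["ts"] for e in syn_drops)
    per_source = Counter(e["src"] for e in syn_drops)
    per_port = Counter(e["dpt"] for e in syn_drops)
    peak_ts, peak = (max(per_second.items(), key=lambda kv: kv[1])
                     if per_second else (None, 0))
    return {
        "total_logged": len(syn_drops),
        "peak_second": peak_ts,
        "peak_rate": peak,            # logged drops in the busiest second
        "top_sources": per_source.most_common(3),
        "ports": per_port.most_common(3),
    }


def _to_seconds(ts):
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine
    # because only differences are used. Collapse the padded day ("Apr  1").
    dt = datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def correlate(driver_events, syn_drops, window=2):
    """For each driver overload event, count logged SYN drops within
    +/- window seconds, to see whether the two line up in time."""
    out = []
    for ts, iface in driver_events:
        t0 = _to_seconds(ts)
        nearby = sum(1 for e in syn_drops
                     if abs(_to_seconds(e["ts"]) - t0) <= window)
        out.append({"ts": ts, "iface": iface, "syn_drops_nearby": nearby})
    return out


if __name__ == "__main__":
    syn, drv, prefixes = parse_messages(SAMPLE_LOG)
    print(summarize(syn))
    print(dict(prefixes))
    print(correlate(drv, syn))
```

Two things to keep in mind when reading the numbers. The LOG rule sits after `-m limit --limit 2/s --limit-burst 4 -j RETURN`, so only SYNs beyond that budget are logged; the counts are a lower bound on the SYN rate, not the whole flood. The limit is also global for the chain rather than per source, so once a flood exceeds 2/s every further SYN, including legitimate ones, is dropped and logged, which is why the per-source breakdown matters. If the driver message consistently coincides with the busiest seconds, that supports Ramin's reading that the card and driver are being overrun before iptables gets to act on the packets.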
