Does anyone know of a better way to do this? I am using IPTABLES to allocate a "fixed" connection rate to the mail server (port 25 traffic) while allocating most of the connection bandwidth to the Apache web server...
I am getting about 100,000 spam hits a week. I installed this in the firewall, and now.... currently the greylister is handling about 4 greylists/minute, SpamAssassin is processing about 4 SPAMs [spam level > 5] per hour, and the processor is 99.1% idle.... and life is now ....GOOD.

-------------------------------------------------------------------------------------------------------------
#
LG_LVL=5
#
<snip> ........ </snip>
#
# ($IPTABLES, $INET_IFACE and $INTERNET_IP are set in the snipped part of the script.)
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

## SYN-FLOODING PROTECTION
# This rule restricts the rate of incoming connections. In order to do this we divert tcp
# packets with the SYN bit set off to a user-defined chain. Up to limit-burst connections
# can arrive in 1/limit seconds ..... in this case (for email --dport 25) 3 connections in one second.
# After this, one of the bursts is regained every second and connections are allowed again.
# The default limit is 3/hour. The default limit burst is 5.
#
# we want this 'first' (at the beginning) in the INPUT chain
$IPTABLES -N syn-flood
$IPTABLES -N syn-flood_25
$IPTABLES -N syn-flood_110
$IPTABLES -A INPUT -i $INET_IFACE -p tcp -d $INTERNET_IP --syn -j syn-flood
$IPTABLES -A syn-flood -p tcp --dport 25 -j syn-flood_25
$IPTABLES -A syn-flood -p tcp --dport 110 -j syn-flood_110
######### process the rest of the connections
######### this should be greater than max() of all the others
######### eg pulling a webpage refresh of a page like "joomla administrator"
######### (pulls a lot of port 80 connects because of all the small images)
######### (and maybe there is a proxy web server in between the client and the web server
######### so 50 connections may not be quite high enough for good webserving)
######### NOTE: a SYN to port 25 or 110 that passes its per-port limit RETURNs from
######### syn-flood_25/syn-flood_110 to this point, so it is also counted against
######### this shared limit; a single noisy source can drain the shared bucket for everyone.
$IPTABLES -A syn-flood -m limit --limit 2/s --limit-burst 50 -j RETURN
$IPTABLES -A syn-flood -j LOG --log-level $LG_LVL --log-prefix "IPTABLES FLOOD: "
$IPTABLES -A syn-flood -j REJECT
#########
$IPTABLES -A syn-flood_25 -m limit --limit 1/s --limit-burst 3 -j RETURN
$IPTABLES -A syn-flood_25 -j LOG --log-level $LG_LVL --log-prefix "IPTABLES FLOOD_25: "
$IPTABLES -A syn-flood_25 -j REJECT
######### it is possible (fast link) that a customer with 6 email accounts can connect 6 times in under 2 seconds
$IPTABLES -A syn-flood_110 -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPTABLES -A syn-flood_110 -j LOG --log-level $LG_LVL --log-prefix "IPTABLES FLOOD_110: "
$IPTABLES -A syn-flood_110 -j REJECT
#
# Enable simple IP Forwarding and Network Address Translation .......
----------------------------------------------------------------------------------------

Regards,
DonMath
_______________________________________________
policyd-users mailing list
policyd-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/policyd-users
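The post's rules are easier to reason about when the `-m limit` match is modelled as a token bucket and the chain traversal is traced packet by packet. The following is an added example (not the poster's script and not part of the policyd project): a small Python model that assumes a `--limit R/s --limit-burst B` rule starts with B tokens, regains R tokens per second up to a cap of B, and matches only when a whole token is available (the kernel's actual credit arithmetic differs in granularity but follows the same shape). Rates and bursts are the ones from the post; the SYN timings and the source addresses (203.0.113.9, 192.0.2.44, 198.51.100.7) are constructed. The `per_source` switch models what changes if the shared `-m limit` rule were replaced by a per-source-address bucket, which is what `-m hashlimit --hashlimit-mode srcip` provides.

```python
"""Token-bucket model of iptables `-m limit`, traced through the syn-flood,
syn-flood_25 and syn-flood_110 chains from the post.

Added example, not the poster's code. Model assumptions: a bucket starts
full with `burst` tokens, refills at `rate` tokens/second up to `burst`,
and a packet matches only when a whole token can be taken.
"""


class LimitBucket:
    """Model of one `-m limit --limit rate/s --limit-burst burst` rule."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = self.burst      # bucket starts full
        self.last = 0.0               # time of the previous packet

    def match(self, now):
        # refill for the elapsed time, never above the burst cap
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SynFloodChains:
    """Chain layout from the post: INPUT --syn -> syn-flood -> syn-flood_<port>."""

    def __init__(self, per_source=False):
        # per_source=True keys every bucket by source address, i.e. the
        # behaviour of `-m hashlimit --hashlimit-mode srcip` instead of `-m limit`
        self.per_source = per_source
        self.port_rules = {25: (1, 3), 110: (2, 6)}   # (rate/s, burst) per sub-chain
        self.shared_rule = (2, 50)                    # the "rest of the connections" rule
        self.buckets = {}

    def _bucket(self, name, rule, src):
        key = (name, src) if self.per_source else (name,)
        if key not in self.buckets:
            self.buckets[key] = LimitBucket(*rule)
        return self.buckets[key]

    def handle_syn(self, now, dport, src="198.51.100.7"):
        """Return the verdict the syn-flood chain hands back to INPUT."""
        rule = self.port_rules.get(dport)
        if rule is not None and not self._bucket(dport, rule, src).match(now):
            return "REJECT"           # LOG + REJECT inside syn-flood_<port>
        # A RETURN from syn-flood_<port> lands back in syn-flood, whose next
        # matching rule is the shared limit: port 25/110 SYNs that passed
        # their own limit are counted against the shared bucket as well.
        if self._bucket("shared", self.shared_rule, src).match(now):
            return "RETURN"           # back to INPUT, normal processing continues
        return "REJECT"


def smtp_burst():
    """Five SMTP SYNs in 80 ms from one host, then one more a second later (constructed)."""
    fw = SynFloodChains()
    times = [0.0, 0.02, 0.04, 0.06, 0.08, 1.1]
    return [fw.handle_syn(t, 25) for t in times]


def scanner_starves_smtp(per_source=False):
    """60 port-80 SYNs in 60 ms from one scanner, then one SMTP SYN from another host."""
    fw = SynFloodChains(per_source=per_source)
    web = [fw.handle_syn(i * 0.001, 80, src="203.0.113.9") for i in range(60)]
    smtp = fw.handle_syn(0.2, 25, src="192.0.2.44")
    return {"web_accepted": web.count("RETURN"),
            "web_rejected": web.count("REJECT"),
            "smtp": smtp}


if __name__ == "__main__":
    print("SMTP burst verdicts :", smtp_burst())
    print("shared -m limit     :", scanner_starves_smtp())
    print("per-source buckets  :", scanner_starves_smtp(per_source=True))
```

The first trace shows the burst-then-refill behaviour the post's comment describes: three SMTP SYNs pass, the fourth and fifth are rejected, and one token has been regained a second later. The second trace shows the caveat in the chain layout: a scanner hammering port 80 drains the shared 50-token bucket, and the next SMTP SYN from an unrelated host is rejected even though syn-flood_25 still had tokens. With per-source buckets the scanner only exhausts its own allowance, which is the reason to prefer `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 2/s --hashlimit-burst 50 --hashlimit-name syn` over a single global `-m limit` for the catch-all rule.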