from the excellent packet-filtering-howto:
... or
http://www.netfilter.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-7.html
limit
This module must be explicitly specified with `-m limit' or `--match
limit'. It is used to restrict the rate of matches, such as for
suppressing log messages. It will only match a given number of times per
second (by default 3 matches per hour, with a burst of 5). It takes two
optional arguments:
--limit
followed by a number; specifies the maximum average number of matches to
allow per second. The number can specify units explicitly, using
`/second', `/minute', `/hour' or `/day', or parts of them (so `5/second'
is the same as `5/s').
--limit-burst
followed by a number, indicating the maximum burst before the above limit
kicks in.
This match can often be used with the LOG target to do rate-limited
logging. To understand how it works, let's look at the following rule,
which logs packets with the default limit parameters:
# iptables -A FORWARD -m limit -j LOG
The first time this rule is reached, the packet will be logged; in fact,
since the default burst is 5, the first five packets will be logged. After
this, it will be twenty minutes before a packet will be logged from this
rule, regardless of how many packets reach it. Also, every twenty minutes
which passes without matching a packet, one of the burst will be regained;
if no packets hit the rule for 100 minutes, the burst will be fully
recharged; back where we started.
Note: you cannot currently create a rule with a recharge time greater than
about 59 hours, so if you set an average rate of one per day, then your
burst rate must be less than 3.
You can also use this module to avoid various denial of service attacks
(DoS) with a faster rate to increase responsiveness.
Syn-flood protection:
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Furtive port scanner:
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping of death:
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
This module works like a "hysteresis door", as shown in the graph below.

        rate (pkt/s)
             ^        .---.
             |       / DoS \
             |      /       \
Edge of DoS -|.....:.........\.......................
 = (limit *  |    /:          \
limit-burst) |   / :           \          .-.
             |  /  :            \        /   \
             | /   :             \      /     \
End of DoS  -|/....:..............:..../.......\..../.
 = limit     |     :              :`-'          `--'
-------------+-----+--------------+------------------------> time (s)
   LOGIC =>  Match | Didn't Match |    Match
Say we match one packet per second with a five packet burst, but packets
start coming in at four per second for three seconds, then start again
after another three seconds.
              <--Flood 1-->           <---Flood 2--->

        Total  ^                   Line  __--      YNNN
       Packets |                 Rate __--      YNNN
               |             mum  __--      YNNN
            10 |          Maxi __--     Y
               |            __--     Y
               |         __--      Y
               |      __--    YNNN
               |-  YNNN
             5 |   Y
               |   Y                 Key:  Y -> Matched Rule
               |   Y                       N -> Didn't Match Rule
               |   Y
               |Y
             0 +-------------------------------------------------->  Time
                0   1   2   3   4   5   6   7   8   9  10  11  12    (seconds)
You can see that the first five packets are allowed to exceed the one
packet per second, then the limiting kicks in. If there is a pause,
another burst is allowed but not past the maximum rate set by the rule (1
packet per second after the burst is used).
From: Remus Anca <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 07/29/2003 04:03 PM
To: Paul Chitescu <[EMAIL PROTECTED]>
Subject: [rlug] Re: IPTABLES -m limit
Hello Paul,
Tuesday, July 29, 2003, 4:50:22 PM, you wrote:
PC> Remus Anca wrote:
PC> No.
PC> It kicks in at an average rate greater than or equal to 1/second, but
PC> accepts an initial peak of 5/second.
PC> The internal limit is adjusted as follows: in every unit of time in which
PC> no packets pass, the limit is increased by 1 until it reaches --limit-burst.
PC> In every unit of time in which packets do pass, the limit is decreased by 1
PC> until it reaches the value specified in --limit.
in plainer terms:
so if a stream of 5 packets/sec arrives, all of them match that rule,
so nothing is dropped;
if in the next second only one packet arrives, the limit rises to 1; if in
the second one another packet arrives, the limit rises to 2; if in the 3rd
a stream of 10 packets/sec arrives, the first 2 are accepted (they match)
and the remaining 8 are dropped.
Have I understood anything?
thx.
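An added example, not part of the thread and not the HOWTO's or netfilter's own code: a small Python model of what `-m limit --limit RATE --limit-burst BURST` does, written as a token bucket (capacity BURST, starts full, refilled at RATE tokens per second, one token consumed per matching packet). That the kernel behaves as such a bucket is my reading of the HOWTO text above, and the continuous refill with exact fractions is a simplification of the kernel's per-jiffy integer credits, so boundary cases may differ by a tick. The arrival times are constructed: the HOWTO's "four per second for three seconds, pause three seconds, repeat" scenario at 1/s with burst 5, and the default 3/hour, burst 5 logging case.

```python
from fractions import Fraction


def parse_limit(spec):
    """Parse an iptables --limit value ('1/s', '3/hour', '5/minute', '2/day',
    or a bare number meaning per second) into matches per second."""
    num, _, unit = spec.partition("/")
    periods = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
    if not unit:
        return Fraction(int(num), 1)
    for name, seconds in periods.items():
        if name.startswith(unit):          # '/s', '/sec', '/second' all accepted
            return Fraction(int(num), seconds)
    raise ValueError("unknown unit in --limit %r" % spec)


class LimitMatch:
    """Token-bucket model of `-m limit --limit RATE --limit-burst BURST`.

    Assumption (a model, not the kernel's xt_limit code): the bucket holds at
    most BURST tokens, starts full, refills continuously at RATE tokens per
    second, and a packet matches only if a whole token is available, which it
    then consumes.  Exact fractions keep the >= 1 comparison free of float drift.
    """

    def __init__(self, limit="3/hour", burst=5):     # iptables defaults
        self.rate = parse_limit(limit)
        self.burst = burst
        self.tokens = Fraction(burst)
        self.last = Fraction(0)

    def match(self, now):
        """Return True if a packet arriving at time `now` (seconds) matches."""
        now = Fraction(now)
        self.tokens = min(Fraction(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def flood(start, per_second, seconds):
    """Constructed arrival times: `per_second` evenly spaced packets in each
    of `seconds` consecutive seconds, beginning at `start`."""
    step = Fraction(1, per_second)
    return [Fraction(start) + i * step for i in range(per_second * seconds)]


def run(limit, burst, arrivals):
    """Replay arrivals through one rule; 'Y' = matched, 'N' = did not match."""
    rule = LimitMatch(limit, burst)
    return "".join("Y" if rule.match(t) else "N" for t in arrivals)


def howto_flood_scenario():
    """The HOWTO's graph: 1/s with burst 5, 4 pkt/s for 3 s, 3 s pause, repeat."""
    return run("1/s", 5, flood(0, 4, 3) + flood(6, 4, 3))


def default_log_scenario():
    """Default parameters (3/hour, burst 5): five packets one second apart,
    then single packets at 5 s, 1199 s and 1200 s (1200 s = 20 minutes)."""
    return run("3/hour", 5, [0, 1, 2, 3, 4, 5, 1199, 1200])


if __name__ == "__main__":
    print("flood  :", howto_flood_scenario())   # 13 of 24 packets match
    print("default:", default_log_scenario())   # burst of 5, then one at 20 min
```

Note that the match itself never drops anything: a packet that gets 'N' simply does not match this rule and falls through to the next rule or the chain policy. The HOWTO's `-j ACCEPT` examples therefore only limit a flood if a later rule or the policy rejects the SYNs, RSTs or echo-requests that fell through.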