Hello,

up to CentOS 5.3 it was possible to control new IP connections by "recent", "seconds" and "hitcount":

-A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
-A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

so that a short-time high rate of new connections to the web server was accepted, but not over a longer time.

E.g. CentOS 5.8 or CentOS 6.2 accept only

-A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
-A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 15 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

So a complex web page with many small icons, e.g. webmail pages, initiates the log in line 2 and the drop in line 3.

hitcount does not accept values of 25 or above:

[root@server ~]# iptables -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
[root@server ~]# iptables -A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 25 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
iptables: Unknown error 4294967295

What can I do to protect the web server? Is there any configuration parameter to increase the values for hitcount?

Best regards
Helmut Drodofsky

--
Kind regards
Helmut Drodofsky
Internet XS Service GmbH
Heßbrühlstraße 15
70565 Stuttgart
Management: Dr.-Ing. Roswitha Hahn-Drodofsky
HRB 21091 Stuttgart
USt.ID: DE190582774
Tel. 0711 781941 0
Fax: 0711 781941 79
Mail: info@internet-xs.de
www.internet-xs.de
Hello Helmut,

On Mon, 2012-06-11 at 11:54 +0200, Helmut Drodofsky wrote:
> up to CentOS 5.3 it was possible to control new IP connections by
> "recent", "seconds" and "hitcount"
>
> -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
> -A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount
> 1000 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
> -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 1000 -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

> hitcount does not accept values of 25 or above:

20* on CentOS-5 afaict.

> [root@server ~]# iptables -A INPUT -m state --state NEW -m recent --set
> -p tcp --dport 80
> [root@server ~]# iptables -A INPUT -m state --state NEW -m recent
> --update --seconds 1 --hitcount 25 -p tcp --dport 80 -j LOG --log-prefix
> "FW DROP IP Flood: "
> iptables: Unknown error 4294967295

I suggest you take this upstream. Apparently there are quite a few issues between the various kernel and iptables versions and also the different architectures.

https://bugzilla.redhat.com/show_bug.cgi?id=639026 seems to be the issue you are experiencing.

(Note that 4294967295 = 2^32-1 and 18446744073709551615 = 2^64-1, which makes me believe the reporter of the above bug runs on x86_64 and you're probably running a 32 bit system. These things should be mentioned when you report bugs, as well as the CentOS and package versions you are conducting your tests on/with.)

Try to google for

site:bugzilla.redhat.com iptables: Unknown error 4294967295

and

site:bugzilla.redhat.com iptables: Unknown error 18446744073709551615

for more related bugzilla entries.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
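An added example, not part of either message: a small Python model of the xt_recent --set / --update --seconds --hitcount logic the two posters discuss, run over constructed traffic against Helmut's two rule sets. It assumes the module keeps at most ip_pkt_list_tot timestamps per source address (the module parameter whose default of 20 matches the limit Leonard names) and refuses a rule whose --hitcount exceeds that; the addresses and timings are constructed.

```python
from collections import deque

class RecentTable:
    """Per-source ring of hit timestamps; list_tot mirrors ip_pkt_list_tot."""

    def __init__(self, list_tot=20):
        self.list_tot = list_tot
        self.entries = {}

    def set(self, src, now):
        # --set: create the entry if needed and record this packet's time.
        self.entries.setdefault(src, deque(maxlen=self.list_tot)).append(now)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when at least N recorded
        # hits fall within the last S seconds; a match records a new stamp.
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if not seconds or s >= now - seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False

def rule_loads(hitcount, list_tot=20):
    # A hitcount above the stamps kept per address could never match, so the
    # module refuses such a rule when it is inserted (modelled assumption).
    return hitcount <= list_tot

def run_chain(connections, seconds, hitcount, list_tot=20):
    """Run the thread's INPUT chain (set, LOG, DROP, ACCEPT) over a list of
    (time, source) new connections; return (accepted, dropped, logged)."""
    if not rule_loads(hitcount, list_tot):
        raise ValueError(f"hitcount {hitcount} > ip_pkt_list_tot {list_tot}")
    table = RecentTable(list_tot)
    accepted = dropped = logged = 0
    for now, src in connections:
        table.set(src, now)                             # rule 1: --set
        if table.update(src, now, seconds, hitcount):   # rule 2: -j LOG
            logged += 1
        if table.update(src, now, seconds, hitcount):   # rule 3: -j DROP
            dropped += 1
            continue
        accepted += 1                                   # rule 4: -j ACCEPT
    return accepted, dropped, logged

# Constructed traffic: 20 webmail-page connections in half a second, 1000 in a minute.
WEBMAIL_PAGE = [(i * 0.025, "198.51.100.7") for i in range(20)]
FLOOD = [(i * 0.06, "203.0.113.9") for i in range(1000)]
```

With the 1-second/15-hit rules the 20-connection page load loses its last six connections, while the 60-second/1000-hit rules only load once list_tot, standing in for the ip_pkt_list_tot parameter, is raised to at least 1000.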