Limiting the number of connections per unit of time with iptables (1)
Allow only 4 new connections to port 22 within 60 seconds:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP
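The following is an added example and not part of the original FAQ: a small POSIX shell/awk simulation of how the two rules above treat a stream of NEW connections from one source. The timestamps and addresses are constructed. Because both rules were inserted with -I, the --update/DROP rule is evaluated first and the --set rule second, and the recent entry only holds timestamps of previous packets, so the drop starts with the fifth NEW connection inside the 60-second window. Since --update refreshes the timestamp on every match, retrying while blocked keeps the block alive.

```shell
#!/bin/sh
# Constructed list of NEW connection attempts to port 22: "<seconds> <source-ip>" (not a capture)
PACKETS='0 10.0.0.5
10 10.0.0.5
20 10.0.0.5
30 10.0.0.5
40 10.0.0.5
45 10.0.0.9
70 10.0.0.5
100 10.0.0.5'

# simulate_recent LIST [SECONDS] [HITCOUNT]
# Prints "<t> <src> <hits> <verdict>" per packet, applying the rules in the order the
# two -I inserts leave them: "--update --seconds N --hitcount M -j DROP" first, "--set" second.
simulate_recent() {
  printf '%s\n' "$1" | awk -v secs="${2:-60}" -v hitcount="${3:-4}" '
  {
    now = $1; src = $2; hits = 0
    # --update: count the timestamps already stored for this source that are
    # still inside the window; the current packet itself is not yet in the list
    for (i = 1; i <= n[src]; i++)
      if (stamp[src, i] >= now - secs) hits++
    if (hits >= hitcount)
      verdict = "DROP"      # --update matched: packet dropped, timestamp list refreshed
    else
      verdict = "ACCEPT"    # no match: the --set rule records the packet and it passes
    n[src]++; stamp[src, n[src]] = now   # both branches store the current time
    print now, src, hits, verdict
  }'
}

simulate_recent "$PACKETS"
```

The run shows 10.0.0.5 accepted four times, dropped at t=40, dropped again at t=70 (the timestamp stored by the drop at t=40 still counts), and accepted at t=100 once only two timestamps remain in the window; 10.0.0.9 is unaffected. If the same two lines are added with -A instead of -I, --set runs before --update, the current packet's own timestamp is counted, and the fourth connection is already dropped.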
How to delete an iptables rule by its number
iptables -L INPUT --line-numbers
iptables -D INPUT NUMBER
iptables -t nat -L POSTROUTING --line-numbers
iptables -t nat -D POSTROUTING NUMBER
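Added example (not part of the original FAQ): a shell helper that finds the rule numbers whose listing line matches a pattern and prints the matching iptables -D commands with the highest number first, because deleting one rule renumbers every rule after it. The listing below is constructed in the shape of iptables -n -L INPUT --line-numbers output; the helper never calls iptables itself, so the printed commands can be reviewed offline before being run.

```shell
#!/bin/sh
# Constructed listing shaped like `iptables -n -L INPUT --line-numbers` output (not from a real host)
LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable'

# rule_numbers LISTING PATTERN -> numbers of the rules whose line matches PATTERN, highest first
# Only lines whose first field is a number are rules; the "Chain" and "num" lines are skipped.
rule_numbers() {
  printf '%s\n' "$1" | awk -v pat="$2" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }' | sort -rn
}

# delete_commands CHAIN PATTERN LISTING [TABLE] -> iptables -D commands, highest number first,
# so that each deletion leaves the numbers of the remaining matches unchanged
delete_commands() {
  chain=$1; pat=$2; listing=$3; table=${4:-filter}
  for num in $(rule_numbers "$listing" "$pat"); do
    printf 'iptables -t %s -D %s %s\n' "$table" "$chain" "$num"
  done
}

delete_commands INPUT 'dpt:80' "$LISTING"
```

For a NAT chain, pass the table as the fourth argument and feed the helper the output of iptables -t nat -n -L POSTROUTING --line-numbers.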
How to limit bandwidth for packets marked with MARK
Mark the packets with MARK and send all such traffic into a class of the shaper. For example, if the packets are marked with 51, put them all into class 1:51, where the rate is limited to from 32K to 64K:
tc filter add dev eth1 parent 1:0 protocol ip prio 100 handle 51 fw classid 1:51
tc class add dev eth1 parent 1:2 classid 1:51 htb rate 32Kbit ceil 64Kbit
tc qdisc add dev eth1 parent 1:51 handle 51 sfq perturb 10
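Added example, not code from the original FAQ: a shell function that puts the pieces together. The mangle rule that sets the mark (which packets to mark is an assumption here: HTTP replies leaving eth1), an assumed HTB hierarchy (root qdisc 1:, a top class 1:2 at an assumed 10 Mbit link rate and a default leaf 1:10 for unmarked traffic) and the three commands above for class 1:51. By default the function only prints the commands (dry run); set RUN to an empty string to execute them as root.

```shell
#!/bin/sh
# Dry run by default: RUN=echo prints each command; RUN='' executes it (requires root).
RUN=${RUN-echo}

# shape_marked_traffic DEV MARK -> mark selected packets and shape them into class 1:MARK
shape_marked_traffic() {
  dev=$1; mark=$2
  # 1. Set the mark in the mangle table (assumed selection: HTTP replies forwarded out of DEV)
  $RUN iptables -t mangle -A FORWARD -o "$dev" -p tcp --sport 80 -j MARK --set-mark "$mark"
  # 2. Assumed HTB hierarchy: root qdisc, a top class at the link rate, a default leaf for
  #    everything unmarked (HTB needs a leaf class as the default, not the inner class 1:2)
  $RUN tc qdisc add dev "$dev" root handle 1: htb default 10
  $RUN tc class add dev "$dev" parent 1: classid 1:2 htb rate 10mbit
  $RUN tc class add dev "$dev" parent 1:2 classid 1:10 htb rate 9mbit ceil 10mbit
  $RUN tc qdisc add dev "$dev" parent 1:10 handle 10 sfq perturb 10
  # 3. The FAQ's three commands: the fw classifier sends packets whose mark equals MARK to
  #    class 1:MARK, guaranteed 32 kbit with a 64 kbit ceiling, with an sfq leaf qdisc
  $RUN tc filter add dev "$dev" parent 1:0 protocol ip prio 100 handle "$mark" fw classid "1:$mark"
  $RUN tc class add dev "$dev" parent 1:2 classid "1:$mark" htb rate 32kbit ceil 64kbit
  $RUN tc qdisc add dev "$dev" parent "1:$mark" handle "$mark" sfq perturb 10
}

shape_marked_traffic eth1 51
```

The class 1:51 borrows up to its ceiling from its parent 1:2 only while the parent has spare rate, so the top class should be set to the real link rate of the interface.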
How to prevent users from downloading large files
- Build connbytes support from patch-o-matic.
- Add a rule to the firewall, for example:
iptables -A FORWARD -m connbytes --connbytes 100000 -j REJECT
- Now every TCP session larger than 100 KB will be cut off; exceptions must be added for protocols such as ssh, ordinary long-lived chats, etc.
Fighting Kazaa and other unwanted traffic by dropping packets that match a pattern
- Build "string" support from patch-o-matic.
- Look at the Kazaa protocol; its headers contain:
HTTP/1.0 503 Service Unavailable.Retry-After: 3..X-Kazaa-Username: BlazeTre
- Add this line to the firewall: iptables -A FORWARD -m string --string "X-Kazaa-" -j REJECT
How to forward a connection through NAT into the internal network in Linux (1)
The first way is forwarding a single port (the FORWARD rule sees the destination after DNAT, so it matches port 80, not the external port 10000):
1) iptables -t nat -A PREROUTING -p tcp -d EXT_R_IP --dport 10000 -j DNAT --to-destination LOCAL_IP:80
2) iptables -A FORWARD -i eth0 -d LOCAL_IP -p tcp --dport 80 -j ACCEPT
The second way is exposing the whole machine to the outside (if spare addresses are available):
1) ifconfig eth0:0 NEW_IP netmask NETMASK broadcast BROADCAST
2) route add NEW_IP gw GW netmask 0.0.0.0 metric 1 dev eth0:0
3) iptables -t nat -A PREROUTING -p tcp -d NEW_IP -j DNAT --to-destination LOCAL_IP
4) iptables -A FORWARD -i eth0 -d LOCAL_IP -j ACCEPT
Notation: EXT_R_IP is the router's external IP; LOCAL_IP is the internal IP of the machine being exposed; NEW_IP is the new external IP on which the machine with local address LOCAL_IP is placed; NETMASK, BROADCAST and GW are the external netmask, broadcast address and gateway.
Example of setting up NAT bound to a specific IP under Linux
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -o eth0 -j SNAT --to-source 212.23.98.45
or (without binding to an IP)
ipchains -A forward -j MASQ -s 192.168.0.0/16 -d 0.0.0.0/0
or (through iproute2)
ip rule add from 10.0.1.0/24 nat 254.147.38.14
Another way of translating addresses:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
How to limit with iptables the maximum number of simultaneous connections from one IP.
# Maximum 10 simultaneous connections to port 80 from one IP
iptables -A INPUT -p tcp --dport 80 -m iplimit --iplimit-above 10 -j REJECT
# Block already at the SYN stage
iptables -I INPUT -p tcp --syn --dport 80 -m iplimit --iplimit-above 10 -j DROP
# 20 connections per class C network
iptables -A INPUT -p tcp --dport 80 -m iplimit --iplimit-above 20 --iplimit-mask 24 -j REJECT
How to view statistics for the PREROUTING chain in iptables.
> I do:
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.22.33:3128
> With iptables -L nothing is shown.
Use: iptables -t nat -L
How to set up the packet filter to filter on packet content
The following rules block packets whose payload contains the substring virus.exe and log packets that contain the string secret:
iptables -A INPUT -m string --string "secret" -j LOG --log-level info --log-prefix "SECRET"
iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --string "virus.exe"
# Block Code Red
iptables -I INPUT -j DROP -p tcp -m string --string "cmd.exe"
# Block Nimda
iptables -I INPUT -j DROP -p tcp -m string --string "root.exe"
iptables -I INPUT -j DROP -p tcp -m string --string "default.ida"
How to set up NAT (address translation) so that FTP and ICQ work normally in Linux
iptables:
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_nat_irc
ipchains:
modprobe ip_masq_ftp
modprobe ip_masq_raudio
modprobe ip_masq_irc
modprobe ip_masq_icq
Is it possible to filter (drop) packets depending on the user's UID?
In Linux with 2.4.x kernels, iptables can use the owner match module.
Rate-limiting traffic with iptables (1)
iptables --new-chain car
iptables --insert OUTPUT 1 -p tcp --destination-port 25 -o eth1 --jump car
iptables --append car -m limit --limit 20/sec --jump RETURN
iptables --append car --jump DROP
http://city.is74.ru/forum/archive/index.php/t-15557.html
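Added example (not from the original FAQ): an awk simulation of the -m limit token bucket behind the car chain above, to show what --limit 20/sec means in practice. The match starts with a full bucket of --limit-burst tokens (default 5), refills at the average rate, and each packet that finds a token leaves the chain via RETURN, while the rest fall through to the chain's final DROP. The arrival times are constructed.

```shell
#!/bin/sh
# Constructed packet arrival times in milliseconds for the car chain (not a capture):
# a burst of 7 at t=0, 3 more at t=100 ms, one at t=1000 ms
ARRIVALS='0 0 0 0 0 0 0 100 100 100 1000'

# simulate_limit "ARRIVALS" [RATE_PER_SEC] [BURST] -> one "<ms> <verdict>" line per packet
# RETURN = matched "-m limit" and left the chain; DROP = fell through to the chain's final DROP
simulate_limit() {
  printf '%s\n' $1 | awk -v rate="${2:-20}" -v burst="${3:-5}" '
  BEGIN { tokens = burst; prev = 0 }       # the bucket starts full (--limit-burst)
  {
    now = $1
    tokens += (now - prev) * rate / 1000   # refill at the average rate (--limit)...
    if (tokens > burst) tokens = burst     # ...but never beyond the burst size
    prev = now
    if (tokens >= 1) { tokens -= 1; v = "RETURN" } else v = "DROP"
    print now, v
  }'
}

simulate_limit "$ARRIVALS"
```

At t=0 only the first 5 packets pass; 100 ms later 2 tokens have accrued, so 2 of the next 3 pass; after a 900 ms pause the bucket is full again but capped at 5. A sustained flood therefore gets through at 20 packets per second, and the burst size, not the rate, decides how many packets of a sudden spike are accepted.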