Page 1 of 2
Results 1 to 10 of 12

Thread: iptables --hitcount --seconds not affecting apache2

  1. #1

    Question iptables --hitcount --seconds not affecting apache2

    Hi!

    Code:
    sudo iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -m recent --set
    sudo iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 2 -j DROP
    That limits inbound SSH connections to 2/30s, check.

    Code:
    sudo iptables -A INPUT -i eth1 -p tcp --dport 411 -m state --state NEW -m recent --set
    sudo iptables -A INPUT -i eth1 -p tcp --dport 411 -m state --state NEW -m recent --update --seconds 30 --hitcount 2 -j DROP
    That limits inbound connection on my DC server to 2/30s, check.

    Code:
    sudo iptables -A INPUT -i eth1 -p tcp --dport 80 -m state --state NEW -m recent --set
    sudo iptables -A INPUT -i eth1 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 2 -j DROP
    That does _not_ drop connections beyond the 2nd in a 30s interval. Oh no, no limitations at all seem to apply. What am I doing wrong here?


    Ty in adv~

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: iptables --hitcount --seconds not affecting apache2

    How are you testing it?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3

    Exclamation Re: iptables --hitcount --seconds not affecting apache2

    I'm setting the rule via SSH on a remote server that runs Apache2. Then I'm entering http://remoteadress on client-side Firefox; where I'm pressing F5 (CTRL+R) repeatedly. Page loads every time! ;/

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: iptables --hitcount --seconds not affecting apache2

    Tested it on my test machine and it's not blocking the connections, but I have a feeling it's due to how the apache handles connections - everything is transferring in a single "session" and not multiple "hits" like the other services use.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: iptables --hitcount --seconds not affecting apache2

    Quote Originally Posted by gewone View Post
    I'm setting the rule via SSH on a remote server that runs Apache2. Then I'm entering http://remoteadress on client-side Firefox; where I'm pressing F5 (CTRL+R) repeatedly. Page loads every time! ;/
    You would need to post ALL your rules. I assume you are accepting connections earlier in your rule set (the rules you posted work as expected on my server).

    If you want to limit DOS attacks try something like this :

    Code:
    # Accept RELATED and ESTABLISHED connections.
    sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Limit new connections
    sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 5 -j ACCEPT

    # Use either a policy of DROP or DROP the rest.
    sudo iptables -A INPUT -p tcp --dport 80 -j DROP
    If you mash on the f5 button with those settings you will see the connection slow.

    Apache should be able to handle these settings easily (your hit count is way too restrictive).
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #6
    Join Date
    Oct 2009
    Beans
    492
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: iptables --hitcount --seconds not affecting apache2

    Quote Originally Posted by bodhi.zazen View Post


    # Limit new connections
    sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 5 -j ACCEPT
    I was following this thread, so I checked the man page of iptables:
    --limit-burst number
    Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
    I could not understand what it is doing.
    What exactly did you do with the --limit-burst parameter?

  7. #7
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: iptables --hitcount --seconds not affecting apache2

    Quote Originally Posted by tapas_mishra View Post
    I was following this thread, so I checked the man page of iptables.

    I could not understand what it is doing.
    What exactly did you do with the --limit-burst parameter?
    I am not sure if you are asking why I specified a --limit-burst of 5 if 5 is the default or if you are asking about --limit and --limit-burst.

    For the former, educational purposes, to encourage people to read and learn more

    For the latter see this page:

    http://netfilter.org/documentation/H...g-HOWTO-7.html

    Scroll down to the section on limits (it is in section 7.3).
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  8. #8
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: iptables --hitcount --seconds not affecting apache2

    Quote Originally Posted by tapas_mishra View Post
    I was following this thread, so I checked the man page of iptables.

    I could not understand what it is doing.
    What exactly did you do with the --limit-burst parameter?
    See also : http://blog.***************/linux/pre...with-iptables/
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  9. #9
    Join Date
    Oct 2009
    Beans
    492
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: iptables --hitcount --seconds not affecting apache2

    I checked both the links you gave
    from your blog
    Code:
    “--limit-burst” is a bit confusing, but in a nutshell 200 new  connections (packets really) are allowed before the limit of 50 NEW  connections (packets) per minute is applied.
    Are you referring to 200 new connections from the same IP, and the condition is 50 connections in a minute?
    What I understand from the netfilter page and your blog is that IPTABLES would see first if the request to the web server in question is coming, and if more than 200 requests come (from the same IP) then it will limit to 50 connections per minute (to that IP where the 200 limit is applied). First the 200 request condition is checked.

    So the rule 50 connections per minute will be applied only when the client request crosses 200 connections limit.
    Is that right?
    Last edited by tapas_mishra; October 28th, 2010 at 05:51 AM.

  10. #10
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: iptables --hitcount --seconds not affecting apache2

    Quote Originally Posted by tapas_mishra View Post
    So the rule 50 connections per minute will be applied only when the client request crosses 200 connections limit.
    Is that right?
    Yes. Keep in mind, by default, browsers make multiple connections. I think Firefox is set at 24 connections per server, and many people increase this to increase speed.

    Google search "improve firefox performance connections per server" and you will find a plethora of blogs/posts advising much higher numbers connections.

    Here is but one:

    http://www.technical-assistance.co.uk/kb/ffconfig.php

    Using iptables for such things requires a lot of consideration: what port? Apache is NOT the same as ssh.

    What for? ssh - do you use scp? SVN over ssh? tunneling? All these variables will influence how you apply rules in iptables.

    While it may seem confusing at first, with a little practice it is actually not *that* difficult.

    With that said, most of this does not apply to the vast majority of desktop users and these settings are much more useful server side.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
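The two matches this thread compares, -m limit (posts #5 to #10) and -m recent --set / --update (post #1), as an added example that is not code from the thread or from netfilter. It is a small Python model run over constructed NEW-connection timestamps; the class and function names and the source address 198.51.100.7 are my own. It also shows a point the thread only hints at: because the --set rule records the packet before --update counts it, --hitcount 2 leaves one new connection per 30 s and every further attempt extends the block.

```python
# Added example, not code from the thread: a Python model of the two
# netfilter matches discussed above. Names and sample input are constructed.
class LimitMatch:
    """-m limit --limit N/minute --limit-burst B: a token bucket of size B
    that refills at N tokens per minute (netfilter HOWTO, section 7.3)."""
    def __init__(self, per_minute, burst):
        self.refill = per_minute / 60.0            # tokens regained per second
        self.burst = self.tokens = float(burst)    # bucket starts full
        self.last = 0.0

    def matches(self, now):
        # recharge since the last packet, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True                     # matched -> the ACCEPT rule fires
        return False                        # no match -> falls through to DROP

class RecentPair:
    """'-m recent --set' followed by '-m recent --update --seconds S --hitcount H'."""
    def __init__(self, seconds, hitcount):
        self.seconds, self.hitcount = seconds, hitcount
        self.seen = {}                      # source address -> timestamps

    def drops(self, src, now):
        stamps = self.seen.setdefault(src, [])
        stamps.append(now)                  # --set records this packet first
        hits = sum(1 for t in stamps if now - t <= self.seconds)
        if hits >= self.hitcount:           # --update matches -> DROP ...
            stamps.append(now)              # ... and refreshes "last seen"
            return True
        return False

def run_limit(times, per_minute=50, burst=5):
    m = LimitMatch(per_minute, burst)
    return ["ACCEPT" if m.matches(t) else "DROP" for t in times]

def run_recent(times, seconds=30, hitcount=2, src="198.51.100.7"):
    r = RecentPair(seconds, hitcount)
    return ["DROP" if r.drops(src, t) else "ACCEPT" for t in times]

# Constructed input: one reload opening six parallel connections at t=0,
# two more reloads 1.5 s and 1.6 s later, then one after 40 s of quiet.
RELOADS = [0.0] * 6 + [1.5, 1.6, 40.0]

if __name__ == "__main__":
    print("limit 50/min burst 5 :", run_limit(RELOADS))
    print("recent 30s hitcount 2:", run_recent(RELOADS))
```

With the limit rule the first five parallel connections pass, the sixth is dropped, and a token is back 1.5 s later; with the recent pair only the first connection passes and the one after 40 s of quiet is the next to get through.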
