[conspire] iptables filtering responses from DNS servers

Tim Utschig tim at tetro.net
Sat Jun 10 07:59:26 PDT 2006


On Sat, Jun 10, 2006 at 04:37:37AM -0700, Daniel Gimpelevich wrote:
> iptables -t filter -X DOS
> iptables -t filter -N DOS
> iptables -A INPUT -p tcp --syn -j DOS
> iptables -A INPUT -p udp -j DOS
> iptables -A INPUT -p icmp --icmp-type echo-request -j DOS
> iptables -A DOS -i ! nas0 -j RETURN
> iptables -A DOS -m psd -j SCAN
> iptables -A DOS -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j RETURN
> iptables -A DOS -p udp -m limit --limit 5/s --limit-burst 10 -j RETURN
> iptables -A DOS -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 60 -j RETURN
> iptables -A DOS -m limit --limit 10/s -j LOG --log-level 4 --log-prefix "[DOS] "
> iptables -A DOS -j DROP
> 
> I'm quite a novice when it comes to iptables, so I obviously haven't fully
> made sense of the above (nor any sense at this hour). On an intermittent
> basis, these rules randomly, but consistently, filter out ordinary
> responses from my ISP's DNS servers to queries made to them.

All incoming UDP packets go through the "DOS" chain.  The DOS chain
allows only 5 per second, which could easily be reached on a modest web
page with several different hostnames to resolve.

It would probably be a good idea to make use of -m state and make sure
ESTABLISHED,RELATED packets are accepted before the DOS chain is
reached.

-- 
   - Tim Utschig <tim at tetro.net>
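Tim's suggestion worked through as a complete ruleset, added here as an example and not part of the original message: the quoted DOS chain with a stateful ACCEPT for ESTABLISHED,RELATED placed ahead of the jumps into DOS, so that DNS replies to this host's own queries are never counted against the 5/s UDP limit. The interface name nas0 comes from the quoted rules; the psd/SCAN line is left out because the SCAN chain is not defined in the quoted text; IPT=echo gives a dry run without root.

```shell
#!/bin/sh
# Added example, not from the original thread. Rebuilds the quoted DOS chain
# with the stateful accept inserted first. IPT defaults to iptables; run with
# --dry-run (IPT=echo) to print the rules, --check to verify the ordering,
# --apply to load them. nas0 is the external interface from the quoted rules.
IPT="${IPT:-iptables}"

apply_rules() {
    # Start from an empty DOS chain (errors are harmless on the first run).
    $IPT -t filter -F DOS 2>/dev/null
    $IPT -t filter -X DOS 2>/dev/null
    $IPT -t filter -N DOS

    # The fix: conntrack records the outgoing UDP DNS query, so the answer
    # arrives as ESTABLISHED and is accepted here, before any rate limit.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only unsolicited traffic now reaches the DOS chain.
    $IPT -A INPUT -p tcp --syn -j DOS
    $IPT -A INPUT -p udp -j DOS
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DOS

    # Same DOS chain as quoted; "! -i" is the current iptables negation syntax.
    $IPT -A DOS ! -i nas0 -j RETURN
    $IPT -A DOS -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j RETURN
    $IPT -A DOS -p udp -m limit --limit 5/s --limit-burst 10 -j RETURN
    $IPT -A DOS -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 60 -j RETURN
    $IPT -A DOS -m limit --limit 10/s -j LOG --log-level 4 --log-prefix "[DOS] "
    $IPT -A DOS -j DROP
}

# Dry-run listing of the rules (IPT=echo), usable without root.
dry_run() {
    (IPT=echo; apply_rules)
}

# Returns 0 when the first INPUT rule is the ESTABLISHED,RELATED accept,
# i.e. it precedes every jump into DOS.
state_rule_first() {
    dry_run | grep -- '-A INPUT' | head -n 1 | grep -q 'ESTABLISHED,RELATED'
}

case "${1:-}" in
    --apply)   apply_rules ;;
    --dry-run) dry_run ;;
    --check)   state_rule_first && echo "ordering ok" ;;
esac
```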
