[conspire] iptables filtering responses from DNS servers
daniel at gimpelevich.san-francisco.ca.us
Thu Jun 22 09:23:32 PDT 2006
On Sat, 10 Jun 2006 08:59:26 -0700, Tim Utschig wrote:
> On Sat, Jun 10, 2006 at 04:37:37AM -0700, Daniel Gimpelevich wrote:
>> iptables -t filter -X DOS
>> iptables -t filter -N DOS
>> iptables -A INPUT -p tcp --syn -j DOS
>> iptables -A INPUT -p udp -j DOS
>> iptables -A INPUT -p icmp --icmp-type echo-request -j DOS
>> iptables -A DOS -i ! nas0 -j RETURN
>> iptables -A DOS -m psd -j SCAN
>> iptables -A DOS -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j RETURN
>> iptables -A DOS -p udp -m limit --limit 5/s --limit-burst 10 -j RETURN
>> iptables -A DOS -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 60 -j RETURN
>> iptables -A DOS -m limit --limit 10/s -j LOG --log-level 4 --log-prefix "[DOS] "
>> iptables -A DOS -j DROP
>> I'm quite a novice when it comes to iptables, so I obviously haven't fully
>> made sense of the above (nor any sense at this hour). On an intermittent
>> basis, these rules randomly, but consistently, filter out ordinary
>> responses from my ISP's DNS servers to queries made to them.
> All incoming UDP packets go through the "DOS" chain. The DOS chain
> allows only 5 per second, which could easily be reached on a modest web
> page with several different hostnames to resolve.
> It would probably be a good idea to make use of -m state and make sure
> ESTABLISHED,RELATED packets are accepted before the DOS chain is
Before I fiddle with manual tweaks, I figured I'd take another stab at an
auto-generated config. Is the following any different? It seems to block
even more UDP traffic now.
Chain DOS (6 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere limit: avg 1/sec burst 4 tcp flags:SYN,RST,ACK/SYN
RETURN udp -- anywhere anywhere limit: avg 1/sec burst 4
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 60
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[DOS] '
DROP all -- anywhere anywhere
More information about the conspire