[conspire] iptables filtering responses from DNS servers
Daniel Gimpelevich
daniel at gimpelevich.san-francisco.ca.us
Thu Jun 22 09:23:32 PDT 2006
On Sat, 10 Jun 2006 08:59:26 -0700, Tim Utschig wrote:
> On Sat, Jun 10, 2006 at 04:37:37AM -0700, Daniel Gimpelevich wrote:
>> iptables -t filter -X DOS
>> iptables -t filter -N DOS
>> iptables -A INPUT -p tcp --syn -j DOS
>> iptables -A INPUT -p udp -j DOS
>> iptables -A INPUT -p icmp --icmp-type echo-request -j DOS
>> iptables -A DOS -i ! nas0 -j RETURN
>> iptables -A DOS -m psd -j SCAN
>> iptables -A DOS -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j RETURN
>> iptables -A DOS -p udp -m limit --limit 5/s --limit-burst 10 -j RETURN
>> iptables -A DOS -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 60 -j RETURN
>> iptables -A DOS -m limit --limit 10/s -j LOG --log-level 4 --log-prefix "[DOS] "
>> iptables -A DOS -j DROP
>>
>> I'm quite a novice when it comes to iptables, so I obviously haven't fully
>> made sense of the above (nor any sense at this hour). On an intermittent
>> basis, these rules randomly, but consistently, filter out ordinary
>> responses from my ISP's DNS servers to queries made to them.
>
> All incoming UDP packets go through the "DOS" chain. The DOS chain
> allows only 5 per second, which could easily be reached on a modest web
> page with several different hostnames to resolve.
>
> It would probably be a good idea to make use of -m state and make sure
> ESTABLISHED,RELATED packets are accepted before the DOS chain is
> reached.
Before I fiddle with manual tweaks, I figured I'd take another stab at an
auto-generated config. Is the following any different? It seems to block
even more UDP traffic now.
Chain DOS (6 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             limit: avg 1/sec burst 4 tcp flags:SYN,RST,ACK/SYN
RETURN     udp  --  anywhere             anywhere             limit: avg 1/sec burst 4
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 5/sec burst 60
LOG        all  --  anywhere             anywhere             limit: avg 10/sec burst 5 LOG level warning prefix `[DOS] '
DROP       all  --  anywhere             anywhere
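Tim's suggestion written out as a complete ruleset, as an added example that was not posted in the thread: it keeps the original DOS chain but accepts ESTABLISHED,RELATED traffic before any jump to it, so a reply to our own DNS query is never counted against the 5/s UDP limit. It assumes the upstream interface nas0 from the original rules and an otherwise empty INPUT chain, and prints the commands unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not code from the thread). A DNS reply is the return half of
# the UDP flow conntrack recorded when our query went out, so once the state
# rule below sits ahead of the DOS jumps it matches ESTABLISHED and bypasses
# the rate limit. Assumptions: upstream interface nas0 (from the original
# rules), INPUT otherwise empty. Commands are printed unless APPLY=1.

WAN_IF="${WAN_IF:-nas0}"

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo iptables "$@"; fi
}

apply_rules() {
    # Rebuild the DOS chain from scratch (errors ignored if it does not exist yet)
    ipt -t filter -F DOS 2>/dev/null
    ipt -t filter -X DOS 2>/dev/null
    ipt -t filter -N DOS

    # THE FIX: replies to connections this host opened are accepted before any
    # jump to DOS. (On current kernels the equivalent match is
    # "-m conntrack --ctstate ESTABLISHED,RELATED".)
    ipt -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only packets that start something new reach the rate limiter
    ipt -A INPUT -p tcp --syn -j DOS
    ipt -A INPUT -p udp -j DOS
    ipt -A INPUT -p icmp --icmp-type echo-request -j DOS

    # Anything not arriving on the upstream interface is left alone
    ipt -A DOS ! -i "$WAN_IF" -j RETURN
    # (the psd/SCAN rule of the original is omitted: the SCAN chain is not shown)
    ipt -A DOS -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j RETURN
    ipt -A DOS -p udp -m limit --limit 5/s --limit-burst 10 -j RETURN
    ipt -A DOS -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 60 -j RETURN
    ipt -A DOS -m limit --limit 10/s -j LOG --log-level 4 --log-prefix "[DOS] "
    ipt -A DOS -j DROP
}

apply_rules
```

Run it once without APPLY to read the generated rules and confirm the state rule is listed first; `iptables -L INPUT -v` afterwards should show its packet counter climbing while the DOS chain's UDP counter stays quiet for ordinary lookups.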