Using iptables, how to limit connections for IP range and browser's string? - linux

Once a day, the following IP range sends multiple requests per second. During the attack a strange browser is being used, which is mentioned below:
IP Range: 192.168.1.100-192.168.1.200
Port: 80 (Apache web server)
Browser Name: X11: Crawler
At other times, I receive legitimate traffic (with other browsers) from the mentioned IP range. Therefore, I can't block this IP range completely.
I would like to limit the aggregate connections (of the mentioned IP range only) to 15/minute. Is the following iptables rule correct?
iptables -A INPUT -p tcp --syn --dport 80 \
-m string --algo bm --string "X11: Crawler" \
-m iprange --src-range 192.168.1.100-192.168.1.200 \
-m connlimit --connlimit-above 15/minute --connlimit-mask 32 \
-j REJECT --reject-with tcp-reset

I think this is working:
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
If you want to ban the IP range, change ACCEPT to DROP.
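The rule in the question cannot work as written, for two reasons: a SYN packet carries no payload, so a string match for the User-Agent combined with --syn never matches, and connlimit counts concurrent connections per address (an integer, there is no "15/minute" form). The following is an added example, not part of the question or the answer above, that does what was asked: the User-Agent string is matched on the data packets of the HTTP request, and the rate over the whole range is enforced with hashlimit, which with no --hashlimit-mode keeps a single bucket for everything that matches. It assumes the xt_string and xt_hashlimit modules are available and that the web server speaks plaintext HTTP on port 80 (the string match cannot see inside TLS).

```shell
#!/bin/sh
# Added example, not from the original question or answer: rate-limit HTTP
# requests that carry the "X11: Crawler" User-Agent and come from
# 192.168.1.100-192.168.1.200 to an aggregate 15 per minute.
# Assumes the xt_string and xt_hashlimit modules are available.
set -eu

RANGE="192.168.1.100-192.168.1.200"
UA="X11: Crawler"
LIMIT="15/minute"

# Emit the rule set as text. Differences from the rule in the question:
#  - no --syn: a SYN has no payload, the User-Agent is only visible on the
#    data packets that follow the handshake;
#  - hashlimit instead of connlimit: connlimit counts concurrent connections
#    and has no per-minute form. Without --hashlimit-mode every matching
#    packet shares one bucket, i.e. one aggregate rate for the whole range;
#  - the hook is inserted at position 1 of INPUT so that it runs before any
#    "ESTABLISHED,RELATED -j ACCEPT" rule, which would otherwise accept the
#    request packets first.
crawler_rules() {
    printf '%s\n' \
        "iptables -N CRAWLER" \
        "iptables -A CRAWLER -m hashlimit --hashlimit-name crawler --hashlimit-upto $LIMIT --hashlimit-burst 15 -j ACCEPT" \
        "iptables -A CRAWLER -j REJECT --reject-with tcp-reset" \
        "iptables -I INPUT 1 -p tcp --dport 80 -m iprange --src-range $RANGE -m string --algo bm --string \"$UA\" -j CRAWLER"
}

# Apply the rules (run as root) when called with --apply; otherwise print them.
case "${1:-}" in
    --apply) crawler_rules | while IFS= read -r cmd; do eval "$cmd"; done ;;
    *)       crawler_rules ;;
esac
```

Each request packet that carries the string counts against the bucket, so keep-alive connections sending several requests are counted per request, which is what the question describes. Two caveats: the string match works per packet, so a request whose User-Agent header is split across TCP segments slips through, and the tcp-reset aborts the whole connection the offending request arrived on, not just that request.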

Related

Can a Connection Be Double DNAT Through an Iptables Rule

So, say for instance I have an iptables rule of the sort:
iptables -t nat -I PREROUTING 1 -p udp --dport 1000 -j DNAT --to-destination 192.168.1.10:1010
Is there a way that I can, midway through the connection, based on say a u32 match or a string match, further redirect the incoming port's connection to another IP?
So in layman's terms: I have forwarded port 1000 to an internal IP and port, and upon transmission of a packet that meets a certain criterion I want to "re-DNAT" that connection to another internal IP.
I would think that I could insert this rule beforehand and effectuate what I want, but it consistently just skips over the rule:
iptables -t nat -I PREROUTING 1 -p udp --dport 1000 -m string --algo bm --string "stringtomatch" -j DNAT --to-destination 192.168.1.100:1010
Should it maybe be after... and should I change the port on the secondary rule to the changed port address?
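Rule order is not the problem here. The nat table is traversed only by the first packet of each connection-tracking entry; every later packet of that flow (for UDP, every datagram with the same addresses and ports until the conntrack timeout) reuses the mapping chosen for the first one and never sees the nat rules again. A string-matched DNAT therefore only takes effect for a flow whose very first datagram contains the string. The added example below, which is not from the original post, works around that: the trigger is recorded in the mangle table, which is evaluated for every packet, new flows from clients that sent the trigger are DNATed to the second host, and the client's existing conntrack entry is deleted so its next datagram is treated as NEW and walks the nat rules again. It assumes conntrack-tools is installed and uses the port, hosts and string from the question; the list name "rednat" is made up for the example.

```shell
#!/bin/sh
# Added example (not from the original question). The nat table only sees the
# first packet of each conntrack flow, so a DNAT rule cannot fire "midway".
# Workaround: note the trigger in mangle (seen for every packet), DNAT new
# flows from noted clients elsewhere, and drop the current conntrack entry so
# the flow is re-evaluated. Assumes conntrack-tools is installed.
set -eu

PORT=1000
PRIMARY="192.168.1.10:1010"     # normal target from the question
SECONDARY="192.168.1.100:1010"  # target once the trigger string was seen
TRIGGER="stringtomatch"
LIST="rednat"                   # xt_recent list name (assumed)

# mangle PREROUTING runs before nat PREROUTING for the same packet, so when
# the trigger is in the first datagram of a flow the recent entry already
# exists when the nat rules are consulted. Later datagrams only update the
# list; their mapping is fixed until the conntrack entry is removed.
rednat_rules() {
    printf '%s\n' \
        "iptables -t mangle -A PREROUTING -p udp --dport $PORT -m string --algo bm --string \"$TRIGGER\" -m recent --name $LIST --set" \
        "iptables -t nat -A PREROUTING -p udp --dport $PORT -m recent --name $LIST --rcheck --seconds 3600 -j DNAT --to-destination $SECONDARY" \
        "iptables -t nat -A PREROUTING -p udp --dport $PORT -j DNAT --to-destination $PRIMARY"
}

# Force re-evaluation of a client's running flow: delete its conntrack entry,
# the next datagram from that client is then NEW and walks the nat rules.
flow_reset_cmd() {
    printf 'conntrack -D -p udp -s %s --orig-port-dst %s\n' "$1" "$PORT"
}

case "${1:-}" in
    --apply) rednat_rules | while IFS= read -r cmd; do eval "$cmd"; done ;;
    --reset) eval "$(flow_reset_cmd "$2")" ;;
    *)       rednat_rules ;;
esac
```

The conntrack deletion is the part that actually moves a running flow; a script watching the kernel log or the application can call it for the client once the trigger was seen. Datagrams already in flight keep the old mapping, and the secondary DNAT stays in force for that client for the --seconds window, which is why the list is keyed per source address.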

How to regulate output traffic with iptables

I'm hosting several websites, and some of them use scripts to DDoS external servers from my server.
Is there a possibility to control the outgoing traffic by, for example, limiting the number of requests per second or so?
Here are some examples to prevent DoS; see man iptables and search for the keywords limit, connlimit and hitcount for more information.
Allow new connections at an average of 1 per second, with bursts of up to 5 (the limit match only accepts; the DROP after it is what holds back the excess):
iptables -A OUTPUT -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -j DROP
Allow 30 connections during 60 seconds to each destination IP (in OUTPUT the source is the host itself, so the recent list is keyed on the destination with --rdest, and a --set rule is needed to populate the list):
iptables -A OUTPUT -p tcp --dport 80 --syn -m recent --name BAD_HTTP_ACCESS --rdest --set
iptables -A OUTPUT -p tcp --dport 80 --syn -m recent --name BAD_HTTP_ACCESS --rdest --update --seconds 60 --hitcount 30 -j REJECT
50 max concurrent connections to each destination httpd (--connlimit-daddr counts per destination rather than per source):
iptables -A OUTPUT -p tcp --dport 80 -m connlimit --connlimit-daddr --connlimit-above 50 -j REJECT
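The rules above throttle everything the host sends, including your own administration traffic. Since the abusive requests come from scripts the web server runs, a narrower control is to apply the limit only to packets generated by the web server's user: the owner match in OUTPUT sees the UID of the local process that created the packet. The following is an added example, not part of the answer above; it assumes the scripts run as www-data, that the site's resolver is 192.0.2.53 and that databases live on the host itself, all of which are assumptions for the example, and the 10 new connections per destination per minute is a value chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the original answer: confine outbound connections
# made by the web server user instead of the whole host. Assumes the scripts
# run as www-data and the resolver is 192.0.2.53 (both assumed).
set -eu

WEBUSER="www-data"
RESOLVER="192.0.2.53"
PER_DEST="10/minute"   # new connections per destination IP (example value)
BURST=5

# Only NEW connections from $WEBUSER enter the chain; replies and established
# traffic are untouched. Inside the chain: local services and DNS are always
# allowed, everything else is rate limited per destination address, and the
# excess is logged (itself rate limited) and rejected, so a script gets an
# immediate error instead of a hanging socket.
egress_rules() {
    printf '%s\n' \
        "iptables -N WEB_EGRESS" \
        "iptables -A WEB_EGRESS -o lo -j ACCEPT" \
        "iptables -A WEB_EGRESS -p udp --dport 53 -d $RESOLVER -j ACCEPT" \
        "iptables -A WEB_EGRESS -m hashlimit --hashlimit-name webegress --hashlimit-mode dstip --hashlimit-upto $PER_DEST --hashlimit-burst $BURST -j ACCEPT" \
        "iptables -A WEB_EGRESS -m limit --limit 6/minute -j LOG --log-prefix \"web-egress-reject: \"" \
        "iptables -A WEB_EGRESS -j REJECT" \
        "iptables -I OUTPUT 1 -m owner --uid-owner $WEBUSER -m conntrack --ctstate NEW -j WEB_EGRESS"
}

case "${1:-}" in
    --apply) egress_rules | while IFS= read -r cmd; do eval "$cmd"; done ;;
    *)       egress_rules ;;
esac
```

The LOG line is what tells you which site is misbehaving: the kernel log shows the destination the script was hammering, and the uid field identifies the process owner, so with one system user per site the offender is identified without touching the application logs.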

Confluence is very slow behind firewall

I've installed Confluence on Debian Linux 7.0. It runs on port 8081 (for the connector; 8091 is used as the Tomcat server port). I've configured Apache to act as a reverse proxy and serve https://confluence.<mydomain>.com (SSL is configured on the Apache side).
The configuration worked perfectly until I set up firewall rules. It still works as expected but has become extremely slow (memory and CPU utilisation are low). Switching the firewall off brings the performance back to normal. The set of firewall rules for IPv4 is:
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp --dport 22 -j ACCEPT
# Allow all HTTP and HTTPS connections
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
IPv6 traffic is completely disabled:
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT
I'm using the Oracle JVM (1.7); the startup options are configured as follows:
JAVA_OPTS="-Xms512m -Xmx2048m -XX:MaxPermSize=1024m $JAVA_OPTS -Djava.awt.headless=true"
The Confluence version is "Confluence 5.4.2 - Standalone (TAR.GZ Archive)", the license is Starter (10 users). The database is a locally installed PostgreSQL.
Does anyone have an idea of what I'm doing wrong?
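One thing worth checking with the rules as posted (an added check, not part of the question, and a hypothesis rather than a confirmed diagnosis): the IPv6 set has DROP policies on INPUT and OUTPUT and no loopback rule at all. Any component on the box that resolves "localhost" to ::1 before 127.0.0.1, such as the Apache proxy talking to the Tomcat connector on 8081 or the JDBC connection to the local PostgreSQL, then has its connection attempt silently dropped and waits for a connect timeout before falling back to IPv4 on every request, which presents exactly as a slow site with an idle CPU. The function below reads an iptables-save or ip6tables-save dump and names the chains that have a DROP policy but never accept loopback; the two sample dumps are constructed from the rule sets in the question.

```shell
#!/bin/sh
# Added check, not from the original question. Reads a ruleset in
# iptables-save format on stdin and prints the chains whose policy is DROP
# but that never ACCEPT loopback traffic (-i lo for INPUT, -o lo for OUTPUT).
# Exit status 0 = loopback covered, 1 = at least one chain blocks it.
set -eu

loopback_gaps() {
    awk '
        /^-P (INPUT|OUTPUT) DROP/ { policy[$2] = "DROP" }
        /^-A INPUT / && /-i lo / && /-j ACCEPT/  { ok["INPUT"] = 1 }
        /^-A OUTPUT / && /-o lo / && /-j ACCEPT/ { ok["OUTPUT"] = 1 }
        END {
            rc = 0
            for (c in policy) if (!(c in ok)) { print c; rc = 1 }
            exit rc
        }'
}

# Run the check on a dump held in a variable.
check_dump() {
    printf '%s\n' "$1" | loopback_gaps
}

# Sample dumps constructed from the rule sets in the question (abridged).
IPV4_RULES='*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

IPV6_RULES='*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT'

# Minimal IPv6 set that keeps everything closed but lets ::1 talk to itself.
ipv6_fix() {
    printf '%s\n' '*filter' '-P INPUT DROP' '-P FORWARD DROP' '-P OUTPUT DROP' \
        '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}

if [ "${1:-}" = "--live" ]; then
    # On the real host: ip6tables-save | sh thisscript.sh --live
    loopback_gaps
fi
```

On the IPv4 dump the check passes; on the IPv6 dump it reports both INPUT and OUTPUT, and the set that ipv6_fix emits passes again. If that is the cause, loading the fixed IPv6 set with ip6tables-restore (or stopping the reverse proxy and the JDBC URL from using a name that resolves to ::1) should bring the response time back without any JVM tuning.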

IPTABLES How to block 8.8.8.8

I am creating a script that allows you to block IPs, ports, certain IP/port combinations, and DNS servers. It basically takes a name and blocks certain addresses for that person.
The problem is, I am stuck at blocking 8.8.8.8. No matter what I have tried, I cannot seem to block it!
Here is what I have tried so far:
iptables -A OUTPUT -p tcp -d 8.8.8.8 --destination-port 53 -j DROP
iptables -A OUTPUT -p udp -d 8.8.8.8 --destination-port 53 -j DROP
iptables -A OUTPUT -p -s 8.8.8.8 -j DROP
And even:
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j DROP
Pinging any other site doesn't work, while pinging 8.8.8.8 still works...
My Policies are all set to ALLOW. Should I change them?
I am kinda new to this, apologies if this all seems queer. Thanks!
You're trying to block a SOURCE address in the OUTPUT chain; 8.8.8.8 would be a DESTINATION in the OUTPUT chain. The SOURCE of a packet in the OUTPUT chain is generally the machine you're running these rules on... Try these:
-A INPUT -s 8.8.8.8 -j DROP
-A OUTPUT -d 8.8.8.8 -j DROP
Rule #1 will drop any packets coming IN to your system which originated from Google's public DNS. Rule #2 will drop any packets LEAVING your system destined for the same.
As for ping, remember that ping uses the ICMP protocol; you're trying to block UDP only. Also remember that DNS requests CAN use TCP if the request or response would need more than one UDP packet.

Iptables or something to redirect IP in gateway (GNU/Linux)

I'm writing a bash script to account for traffic on my network server:
WAN:eth1 -> GNU/Linux Server:eth0 -> Users
The GNU/Linux server runs squid, bind, QoS, mysql, lighttpd.
After an IP exceeds the established quota, a new QoS rule is applied for that IP (user); there is also a "flag" that decides when the IP's counter is reset to zero.
Some IPs and subnets work without quotas, another group of IPs/subnets gets the new QoS once the quota is exceeded, and now I want a third group with redirection after the quota is exceeded.
When an IP exceeds the established quota, all HTTP traffic must be redirected to a host (lighttpd running on the GNU/Linux server) and all other traffic generated by that IP must be DROPped. On the web server there is a page saying: "You have exceeded your daily traffic quota, please wait "x" hours or call your provider to purchase an extra navigation package", or something like that.
Is it possible using a chain, or how can I do that?
Most topics that I found on the Internet are related to blocking everything and creating a new chain to let traffic out to the Internet (which does not work for me). Others redirect IP by IP, but how can I create something like a "chain", attach the IPs that must be redirected to it, and afterwards restore those IPs easily?
Thanks for the help, and sorry for my poor English :S.
Are you looking for something like this?
iptables -t nat -A PREROUTING -s 192.168.100.66 -p tcp --dport 80 -j REDIRECT --to-ports 80
# REDIRECTed packets keep their incoming interface (eth0, the LAN side in the question); they do not arrive on lo
iptables -I INPUT 1 -i eth0 -s 192.168.100.66 -j ACCEPT
# packets routed to the user traverse FORWARD, not INPUT
iptables -I FORWARD 1 -i eth1 -d 192.168.100.66 -j DROP
This will redirect packets from 192.168.100.66 on port 80 to the local webserver on the loopback interface, allow that conversation, then reject all other packets being routed to 192.168.100.66 on the WAN interface.
To restore the connection back to normal you will want to delete those firewall entries:
iptables -t nat -D PREROUTING -s 192.168.100.66 -p tcp --dport 80 -j REDIRECT --to-ports 80
iptables -D INPUT -i eth0 -s 192.168.100.66 -j ACCEPT
iptables -D FORWARD -i eth1 -d 192.168.100.66 -j DROP
Note that iptables itself (well, the xtables-addons extension set providing quota2) can already do the quota matching, and you can (re)set the values through procfs, combined with REDIRECT as #resmon6 says:
-t nat -s user1addr -m quota2 --name user1 ! --quota 0 -j REDIRECT...
-t nat -s user2addr -m quota2 --name user2 ! --quota 0 -j REDIRECT...
The syntax is arguably a little odd right now (0 is the initial value only and is independent from the runtime quota test involving the negation !; noticing this just now, a patch may make it in to unroll this confusing syntax in the future).