
I have this iptables script:

#!/bin/sh


IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
EXTIF="ens3"
EXTIP1="91.80.99.106"

UNIVERSE="0.0.0.0/0"

#Clearing any previous configuration

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# Otherwise, I can not seem to delete it later on
$IPTABLES -F add-to-connlimit-list
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z

echo "...load xt_recent..."
modprobe -r xt_recent
modprobe xt_recent ip_list_tot=5000 ip_pkt_list_tot=128
echo "...load list limitation..."
#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# add-to-connlimit-list
# Too many connections from an IP address have been detected.
$IPTABLES -N add-to-connlimit-list
$IPTABLES -A add-to-connlimit-list -m recent --set --name BADGUY_CONN
$IPTABLES -A add-to-connlimit-list -j DROP
echo "...Accept incoming traffic..."

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT

# Just DROP invalid packets.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m state --state INVALID -j DROP


# Drop any ICMP arriving on the external interface from any source
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -j DROP

#allow TcpPorts
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 432000 --name BADGUY_CONN -j DROP
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -p tcp -m connlimit --connlimit-above 20 -j add-to-connlimit-list

$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -m state --state NEW -p tcp -j ACCEPT

echo "protect all tcp ports"

#udp

$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -p udp -m connlimit --connlimit-above 20 -j add-to-connlimit-list
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -m state --state NEW -p udp -j ACCEPT

echo "Protect all udp ports"


$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP1 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Allow any related traffic"



$IPTABLES -A INPUT -i $EXTIF -p udp -m multiport --dport 33434:33448 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --dport 23,2323 -j DROP


$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP

It works pretty fine at limiting connections per IP to 20 for TCP/UDP.

I need to limit the UDP packets per second per IP: if it's longer than 1 MB per second then drop it. Any idea how?

  • You can not do bandwidth limiting with iptables. Have a look at tc use, here. – Doug Smythies Nov 30 '19 at 06:51
  • Hello, I found this script by you on Ask Ubuntu. I am not asking about bandwidth limiting; can't I control the packet length sent from each IP in UDP? Since the packet length per second that is sent in my case is very high, which causes network interruption – DelphiStudent Nov 30 '19 at 06:56
  • I thought the coding style looked familiar. I misunderstood your requirement. Yes, you can make iptables decisions based on packet length. It will take me a while to figure out, but it is late in my time zone, so if nobody else answers in the meantime, tomorrow. – Doug Smythies Nov 30 '19 at 07:07
  • Take your time. I am not sure how to adjust that in the same script, as I see your answer here https://askubuntu.com/questions/955425/allow-x-packets-per-second-with-same-data-length-iptables – DelphiStudent Nov 30 '19 at 07:09
  • If you found, and extracted value from, my answer that you referenced, then an upvote would be appreciated. I'm going to need an example of what you want to limit, as I don't know exactly what you mean by "if its longer than 1mb per second". I assume you mean a total of 1 megabyte payload from one IP per second. For such a case we need to figure out if there is some unique way to identify such a condition. If you just mean a single packet with a long payload, that would be easy. – Doug Smythies Nov 30 '19 at 16:59
  • I upvoted the answer but I couldn't figure out how to apply it to the current script in the UDP section – DelphiStudent Nov 30 '19 at 17:59
  • What I want is to control the packets sent per second in UDP from each IP, to avoid the traffic consumption from an attacker or flooder. I expect normal clients to send a packet length of 640 per second, because the server is running a voice chat application. When I use tcpdump I see some attackers send a huge amount of length from a single IP until I drop that IP. In the server statistics I see network consumption up to 3 MB per second, which brings to my mind that I have to control the packets sent from a client to the UDP server to avoid that issue. – DelphiStudent Nov 30 '19 at 18:06
  • So if the packets from each client exceed the length of 640 per second we should ban that attacker – DelphiStudent Nov 30 '19 at 18:07
  • I do not understand what you mean by "exceeded the length of 640 per second". Do you mean an individual packet with a length greater than 640? Or do you mean greater than 640 packets per second? – Doug Smythies Nov 30 '19 at 20:27
  • Greater than 640 per second isn't the same if I am not mistaken, something – DelphiStudent Nov 30 '19 at 20:56
  • I don't think I can help you. You want to do bandwidth limiting, so I refer you to my first comment. The maximum packet remembering table length is 255, and so it is not possible to remember 640. – Doug Smythies Nov 30 '19 at 22:12
  • Can you guide me to a way to apply your answer in my current script? https://askubuntu.com/questions/955425/allow-x-packets-per-second-with-same-data-length-iptables – DelphiStudent Dec 01 '19 at 07:38

1 Answer


Your normal chat-related UDP packets are fairly short. Bad guys are using longer UDP packets. The idea is to identify bad guys based on UDP packet length. Although typical chat-related UDP packets should be much shorter, 640 bytes was your request.
Change this:

#udp

$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -p udp -m connlimit --connlimit-above 20 -j add-to-connlimit-list
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -m state --state NEW -p udp -j ACCEPT

To this (using the same list name) (untested):

#udp

$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -p udp -m connlimit --connlimit-above 20 -j add-to-connlimit-list
$IPTABLES -A INPUT -i $EXTIF --protocol udp -m length --length 640:65535 -j add-to-connlimit-list
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -m state --state NEW -p udp -j ACCEPT

Now, you may get some collateral damage, because you haven't mentioned which port. Suggest you add a port specification to the rule.

Additional suggestion (no functional change, just less confusing):
Change this:

#allow TcpPorts
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 432000 --name BADGUY_CONN -j DROP
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -p tcp -m connlimit --connlimit-above 20 -j add-to-connlimit-list

To this:

#Deal with previously identified Bad Guys
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 432000 --name BADGUY_CONN -j DROP

#allow TcpPorts
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -p tcp -m connlimit --connlimit-above 20 -j add-to-connlimit-list
Doug Smythies
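The following Python is an added illustration, not code from the question or the answer: it models how the answer's `-m length --length 640:65535 -j add-to-connlimit-list` rule and the script's existing `-m recent --update --hitcount 1 --seconds 432000 --name BADGUY_CONN -j DROP` rule interact, by replaying constructed packets through a small model of an xt_recent list. It is not iptables and does not need root; the voice port (5060), the sample addresses and timestamps are assumptions, and the connlimit rule is left out. It shows three things the thread circles around: the length match is a per-packet test, not a per-second one; once a source is recorded, the `--update` rule drops every protocol from it and refreshes the timestamp, so a flooder that keeps talking stays banned past the 5-day window while a quiet one is released; and without a port restriction one large datagram to any UDP service bans a legitimate client, which is the collateral damage the answer warns about.

```python
"""Model of the answer's UDP rules: a length match feeding an xt_recent list.

Added illustration, not part of the original post. Replays constructed packets
through a Python model of `-m length --length 640:65535`, `-m recent --set`
and `-m recent --update --hitcount 1 --seconds 432000` so the rule semantics
can be checked without root or a live netfilter stack.
"""
from dataclasses import dataclass, field

BAN_SECONDS = 432000   # from the script: 5 days
MAX_UDP_LEN = 639      # the rule bans 640:65535, compared against IPv4 total length
VOICE_PORT = 5060      # ASSUMPTION: placeholder for the voice-chat UDP port


@dataclass
class Packet:
    t: float        # arrival time in seconds (constructed)
    src: str        # source address (constructed, documentation ranges)
    proto: str      # "udp" or "tcp"
    dport: int
    length: int     # IPv4 total length, header included, as xt_length sees it


@dataclass
class RecentList:
    """Minimal model of one xt_recent list: last-seen time per source address."""
    last_seen: dict = field(default_factory=dict)

    def set(self, src, now):
        # `--set`: add the address (or refresh it) with the current timestamp.
        self.last_seen[src] = now

    def update(self, src, now, seconds):
        # `--update --hitcount 1 --seconds N`: match only if the address is in the
        # list and was seen within the last N seconds; on a match refresh the
        # timestamp, which is what keeps a still-talking attacker banned.
        last = self.last_seen.get(src)
        if last is None or now - last > seconds:
            return False
        self.last_seen[src] = now
        return True


def input_chain(pkt, badguys, restrict_to_port=None):
    """Return 'ACCEPT' or 'DROP' for one packet, mirroring the rule order."""
    # 1. "Deal with previously identified Bad Guys": any protocol, any port.
    if badguys.update(pkt.src, pkt.t, BAN_SECONDS):
        return "DROP"
    # 2. The answer's new rule: oversized UDP -> add-to-connlimit-list, which
    #    does `--set` then DROP. With restrict_to_port given, only datagrams to
    #    that port are judged, the answer's suggestion against collateral damage.
    if pkt.proto == "udp" and pkt.length > MAX_UDP_LEN and \
            (restrict_to_port is None or pkt.dport == restrict_to_port):
        badguys.set(pkt.src, pkt.t)
        return "DROP"
    # 3. Remaining NEW tcp/udp is accepted by the script (connlimit omitted here).
    return "ACCEPT"


def replay(packets, restrict_to_port=None):
    """Run packets in time order through a fresh list; return the verdicts."""
    badguys = RecentList()
    ordered = sorted(packets, key=lambda p: p.t)
    return [input_chain(p, badguys, restrict_to_port) for p in ordered]


def ban_expires_when_quiet():
    """A banned source that stays silent longer than BAN_SECONDS is released."""
    badguys = RecentList()
    first = Packet(0.0, "203.0.113.9", "udp", VOICE_PORT, 2000)
    later = Packet(BAN_SECONDS + 1.0, "203.0.113.9", "udp", VOICE_PORT, 200)
    return input_chain(first, badguys) == "DROP" and \
        input_chain(later, badguys) == "ACCEPT"


# Constructed traffic: a normal client, a flooder, and a client that once
# receives a large UDP datagram for an unrelated service (DNS on port 53).
TRAFFIC = [
    Packet(0.0, "198.51.100.10", "udp", VOICE_PORT, 200),      # normal voice frame
    Packet(0.1, "203.0.113.5", "udp", VOICE_PORT, 1400),       # flooder: first big packet
    Packet(0.2, "203.0.113.5", "udp", VOICE_PORT, 100),        # flooder, now small: still dropped
    Packet(0.3, "203.0.113.5", "tcp", 22, 60),                 # flooder's TCP: dropped too
    Packet(1.0, "198.51.100.10", "udp", VOICE_PORT, 200),
    Packet(2.0, "198.51.100.20", "udp", 53, 900),              # big UDP to another service
    Packet(2.5, "198.51.100.20", "udp", VOICE_PORT, 200),      # same client, voice traffic
    Packet(300000.0, "203.0.113.5", "udp", VOICE_PORT, 100),   # flooder keeps the ban alive
    Packet(500000.0, "203.0.113.5", "udp", VOICE_PORT, 100),   # >5 days after first hit
]

if __name__ == "__main__":
    for restrict in (None, VOICE_PORT):
        print("port restriction:", restrict)
        for pkt, verdict in zip(sorted(TRAFFIC, key=lambda p: p.t), replay(TRAFFIC, restrict)):
            print(f"  t={pkt.t:>9.1f} {pkt.src:<14} {pkt.proto}/{pkt.dport:<5} len={pkt.length:<5} {verdict}")
    print("quiet source released after window:", ban_expires_when_quiet())
```

Run it once with no port restriction and once with the voice port: in the first pass the client at 198.51.100.20 is banned by its DNS datagram and its voice traffic is then dropped too; in the second pass only the flooder is affected. The flooder's packets at 300000 s and 500000 s are both dropped although 500000 s exceeds the 432000 s window, because each matched packet refreshes the timestamp.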