iptables: rate limiting problem

Richi Plana myfedora at richip.dhs.org
Fri Sep 21 22:47:37 UTC 2007


At first I was going to reply off-list thinking it had nothing to do
with fedora, but afterwards I thought that Gerry might be using rawhide
and something there might be causing it.

On Fri, 2007-09-21 at 16:34 -0400, Gerry Reno wrote:
> I needed to open up SSH externally on one machine so I wanted to put 
> some rate limiting into my Fedora 7 iptables for SSH, but it refuses to 
> work.
> 
> Here's what I have:
> 
> # iptables -L -n --line-numbers
>      ...
> Chain RH-Firewall-1-INPUT (1 references)
> ...
> 16 tcp        -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322 recent: SET 
> name: DEFAULT side: source
> 17 DROP   tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322 recent: 
> UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source
> 18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322
> 19 REJECT 0   -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> 
> 
> If I take out the two 'recent' rules then I can login via SSH on port 
> 33322.  But with the rules in I get a timeout and 'connection closed' 
> when I try to login via ssh on port 33322.
> 
> Here's the rules:
> iptables -I RH-Firewall-1-INPUT 16 -i eth0 -m state --state NEW -p tcp 
> --dport 33322 -m recent --set
> iptables -I RH-Firewall-1-INPUT 17 -i eth0 -m state --state NEW -p tcp 
> --dport 33322 -m recent --update --seconds 60 --hitcount 4 -j DROP
> iptables -I RH-Firewall-1-INPUT 18 -i eth0 -m state --state NEW -p tcp 
> --dport 33322 -j ACCEPT
> 
> Ok, what I've found is that if I set the 'hit_count' high to say 100 
> then I can login but the connection dies very quickly (actually it just 
> hangs). So I think the limit rule is applying to more than just NEW 
> packets. The higher that I set 'hit_count' the longer the connection 
> will last. So is there something wrong with the way I've implemented 
> this or is this a bug in iptables?

If packet-dropping is indeed what you're experiencing, it either has
nothing to do with those rules, or there's a bug in the IPv4 packet
filtering implementation. I use pretty much the same rules as you do
except that I name the list of IP addresses using "--name" as opposed to
using the DEFAULT (in case it collides with other rules that use "-m
recent").

Try to eliminate other possibilities (like faulty network conditions)
then list down all the rules. If everything's alright, you might want to
try the LOG or ULOG target for all rules that DROP and find out what's
causing it.
--

Richi Plana
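The named-list variant with a LOG rule ahead of the DROP, as an added example (not the rules from either post above). It assumes the same chain, interface and port as in the thread, a list name SSH and log prefix of my choosing, that the chain's usual ESTABLISHED,RELATED accept rule sits earlier, and a DRY_RUN switch so the commands can be printed without root:

```shell
#!/bin/sh
# Added example: SSH rate limiting with a named 'recent' list and a LOG rule
# in front of the DROP. Not the rules from either post in the thread.
# Assumed/constructed values: chain RH-Firewall-1-INPUT on eth0, sshd on
# tcp/33322, list name SSH; a host is dropped after HITS NEW connections
# within WINDOW seconds. The chain is assumed to accept ESTABLISHED,RELATED
# traffic before these rules, as the stock Fedora chain does.
CHAIN=${CHAIN:-RH-Firewall-1-INPUT}
IFACE=${IFACE:-eth0}
PORT=${PORT:-33322}
LIST=${LIST:-SSH}
WINDOW=${WINDOW:-60}
HITS=${HITS:-4}

# run_rule: execute iptables, or with DRY_RUN=1 just print the command.
run_rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# ssh_ratelimit_rules POS: insert four rules starting at chain position POS.
# Every rule matches only --state NEW, so packets of an established session
# are never counted or dropped. The --set rule has no target: it records the
# source and falls through. --rcheck (LOG) only tests the list; --update
# (DROP) also refreshes the timestamp, so a host that keeps retrying stays
# blocked until it pauses for WINDOW seconds.
ssh_ratelimit_rules() {
    pos=${1:-16}
    common="-i $IFACE -p tcp --dport $PORT -m state --state NEW"
    limit="--seconds $WINDOW --hitcount $HITS --name $LIST --rsource"
    # $common and $limit are intentionally unquoted so they split into words
    run_rule -I "$CHAIN" "$pos" $common -m recent --set --name "$LIST" --rsource
    pos=$((pos + 1))
    run_rule -I "$CHAIN" "$pos" $common -m recent --rcheck $limit \
        -j LOG --log-prefix "SSH-RATELIMIT: "
    pos=$((pos + 1))
    run_rule -I "$CHAIN" "$pos" $common -m recent --update $limit -j DROP
    pos=$((pos + 1))
    run_rule -I "$CHAIN" "$pos" $common -j ACCEPT
}

# show_list: dump the kernel's current entries for the named list
# (newer kernels expose it under xt_recent, older ones under ipt_recent).
show_list() {
    for f in /proc/net/xt_recent/"$LIST" /proc/net/ipt_recent/"$LIST"; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo "no recent list named $LIST loaded" >&2; return 1
}
```

Source the file and run `DRY_RUN=1 ssh_ratelimit_rules 16` to review the commands, or call it as root to apply them; `show_list` then shows which sources are currently being counted.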
