Iptables connection limiting

#1, 05-25-2009, ThunderBird89 (Just Joined!, Join Date: Oct 2007, Location: Pécs, Posts: 7)

Hey Everyone,

I'm a near-total Linux newbie, and for now, this is just a proof-of-concept question: is it possible to create such a block with iptables, that limits the number of incoming connections, not from a single IP or a known range, but from a wildcard range.

The goal would be to create a firewall that allows only a preset number of IPs, say 250, to connect to its network out of many, say 10,000, while sending the others to a predefined page, but the IPs would not be known in advance (hence the need for being able to do all this with wildcards). Then once an IP of the first 250 disconnects, the next to attempt would be allowed, while the one after it redirected.

Was this understandable?

Thank you in advance,
The ThunderBird
#2, 05-26-2009, Lazydog (Linux Engineer, Join Date: Jun 2004, Location: The Key Stone State, Posts: 1,187)
Yes, this would be possible. While I have never done something like this myself I believe it can be done using LIMIT, MARK and DNAT.

Check out the following Tutorial for IPTABLES.

Here you should be able to see how each one is used and build your rule set off of this.
__________________

Regards
Robert
#3, 06-23-2009, ThunderBird89
Okay, after having had a lot of other things to do, and a lot to learn about iptables, I finally came up with something that I think should work. Here's the code:

Code:
#! /bin/sh

###########################################################
# Script to set up connection limiting for Neptun servers #
# to protect from overload                                #
###########################################################

# Accept connections if total number of connections is below safety limit
# (connlimit has no --connlimit-below; the negated --connlimit-above does the same)
# Neptun server IP: 146.110.26.11
# iptables -t filter -A FORWARD -p tcp -i eth0 -d 146.110.26.11 -m connlimit ! --connlimit-above 250 --connlimit-mask 0 -j ACCEPT

# Set marker on privileged MACs (mangle PREROUTING is evaluated before nat PREROUTING)
# Add own MAC as exempt
iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source 00:15:AF:71:DF:FB -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source 00:1E:8C:7E:5D:C5 -j MARK --set-mark 1
# Add X's MACs as exempts
iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source <X WLAN MAC> -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source <X CAT5 MAC> -j MARK --set-mark 1
# Add Y's MACs as exempts
iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source <Y WLAN MAC> -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source <Y CAT5 MAC> -j MARK --set-mark 1

# Accept privileged MACs over connection limiting
# (ACCEPT in the nat table ends nat processing for the packet, so marked packets never reach the DNAT rule below)
iptables -t nat -A PREROUTING -m mark --mark 1 -j ACCEPT

# Create connection-limiting to protect server from overload
# Send surplus connections to overflow warning page
# (mask 0 counts connections from all sources together: a global cap of 250 connections, not of 250 IPs)
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 146.110.26.11 -m connlimit --connlimit-above 250 --connlimit-mask 0 -j DNAT --to-destination <DIP>:80

I wanted some machines to be able to access the server at all times due to their importance. Will this setup work as I described earlier?
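The design in the post above, written out as a rule generator; this is an added example, not the thread's script and not anything from Neptun. Exempt MACs are marked in mangle/PREROUTING, the mark skips the nat table, and new connections beyond the cap are DNATed to an overflow page. The server address 146.110.26.11, the interface eth0 and the two MACs come from the post; the service port 443, the overflow host 192.0.2.10, the function names and the dry-run default (with IPT unset the rules are printed, not loaded) are assumptions. Two things the post's version leaves open are spelled out in the comments: connlimit with --connlimit-mask 0 counts tracked connections from all sources together, not distinct client IPs, so one browser with several sockets open takes several of the 250 slots; and the mac match only sees a client's own MAC when that client is on the firewall's segment, so for hosts arriving through another router the "MAC" is that router's.

```shell
#!/bin/sh
# Added example, not the thread's script: rule generator for the design in
# post #3. Exempt MACs are marked in mangle/PREROUTING, the mark skips the nat
# table, and new connections beyond MAX_CONN to the server are DNATed to an
# overflow page. Dry run by default: with IPT unset the rules are printed,
# not loaded. IPT=/sbin/iptables loads them for real.
set -eu

SERVER_IP="${SERVER_IP:-146.110.26.11}"   # Neptun server, from the thread
SERVER_PORT="${SERVER_PORT:-443}"         # assumed; the thread never names the port
OVERFLOW_IP="${OVERFLOW_IP:-192.0.2.10}"  # assumed host serving the "server busy" page
MAX_CONN="${MAX_CONN:-250}"
IN_IF="${IN_IF:-eth0}"                    # interface clients arrive on, from post #3
IPT="${IPT:-echo iptables}"               # left unquoted below on purpose: "echo" "iptables"

# Exempt hosts, one MAC per line; text after the MAC is a description.
# The two addresses are the ones given in post #3.
EXEMPT_MACS='00:15:AF:71:DF:FB  own machine
00:1E:8C:7E:5D:C5  own machine'

# Returns 0 if the argument is a well-formed colon-separated MAC address, so a
# stray word in the list cannot end up as an extra iptables argument.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$'
}

# Emits the rule set. Reads the exempt MAC list on stdin; blank lines and
# lines starting with # are ignored, malformed entries are reported and skipped.
build_rules() {
    # 1. Tag frames from exempt hosts. The mac match only sees the sender's
    #    own MAC when the host is on the firewall's segment; anything that
    #    came through another router carries that router's MAC.
    while read -r mac rest; do
        case "$mac" in ''|\#*) continue ;; esac
        if ! valid_mac "$mac"; then
            echo "skipping malformed MAC: $mac" >&2
            continue
        fi
        $IPT -t mangle -A PREROUTING -i "$IN_IF" -m mac --mac-source "$mac" -j MARK --set-mark 1
    done
    # 2. ACCEPT in nat/PREROUTING ends nat processing for the packet, so
    #    marked packets never reach the connlimit rule.
    $IPT -t nat -A PREROUTING -i "$IN_IF" -m mark --mark 1 -j ACCEPT
    # 3. Everyone else: mask 0 counts tracked connections from all sources as
    #    one group, so this is a global cap of MAX_CONN concurrent connections,
    #    not of MAX_CONN client addresses. Only the first packet of a connection
    #    traverses nat, so sessions already established keep their slot.
    $IPT -t nat -A PREROUTING -i "$IN_IF" -p tcp -d "$SERVER_IP" --dport "$SERVER_PORT" \
        -m connlimit --connlimit-above "$MAX_CONN" --connlimit-mask 0 \
        -j DNAT --to-destination "$OVERFLOW_IP:80"
    # 4. Forward both the server traffic and the redirected traffic.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$IN_IF" -p tcp -d "$SERVER_IP" --dport "$SERVER_PORT" -j ACCEPT
    $IPT -A FORWARD -i "$IN_IF" -p tcp -d "$OVERFLOW_IP" --dport 80 -j ACCEPT
}

printf '%s\n' "$EXEMPT_MACS" | build_rules
```

Run it as-is to review the rules it would load; `IPT=/sbin/iptables sh limit.sh` loads them. One caveat on the overflow page: if the service the clients connect to is TLS, a browser that gets DNATed to a plain HTTP listener on port 80 sees a protocol error, not the warning page; in that case a `REJECT --reject-with tcp-reset` in FORWARD, keyed on the same connlimit match, fails faster and more predictably.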
#4, 06-25-2009, Lazydog
Not sure I follow you any more. In your original post you were talking about IP addresses. In this last post you are using MAC addresses. So what is it you are trying to use, MAC or IP?
#5, 06-25-2009, ThunderBird89
Okay, I did not provide sufficient explanation...

There are some machines that must be able to access this server at all times, even when it's nearing quota. But on this network, DHCP is being employed, so the machines' IPs might change between instances; that's why I thought I'd use the one thing that doesn't change about a machine, its MAC.

I should have explained more clearly in my previous post, sorry.
But am I on the right track, will this work, or is it something totally unworkable?
#6, 06-26-2009, Lazydog
You do know that MAC addresses can be spoofed right?

Is this all internal or are there external hosts going to be connecting also?

Also, if you are just interested in locking down to 250 hosts, then why are you worried about MAC addresses, except for the ones that have to connect all the time no matter what?
#7, 06-26-2009, ThunderBird89
Yes, I do know about MAC-spoofing, but I don't think the professors at the university I work at do, so this is not an issue here. Also, since I know the owners of these machines, I can track when they connect, and manually boot them if they connect when they usually don't.

Most of the hosts connecting are going to be external, except for the ones that have 'privileged' status, those are internal, in addition to several 'normal' internal hosts.

I'm not worried about MAC addresses; it's just that this is the only thing I could come up with that stays the same about a machine despite DHCP (with a 1 hour lease, if I remember the settings correctly).

Thanks for pointing these out, though...
#8, 06-26-2009, Freston (Linux Engineer, Join Date: Mar 2007, Location: The Netherlands, Posts: 827)
True, MAC does not provide ANY security, but neither does IP. If security is dealt with later on in the process, then I see no harm.

It's possible to 'just accept' the MAC addresses. In this example, a file exists with all the MAC addresses that need to be 'whitelisted', one per line as the first thing on that line. The rest of the line can be used as description. You will want to refine it further, it's just an example.
If you accept them before the rate limiter rule is passed, then the rate limiter will not affect them.

Code:
###################
# WHITELIST
# One MAC per line as the first field; the rest of the line is a description.
WHITELIST=/etc/firewall/whitelist
if [ -f "$WHITELIST" ] ; then
        echo "Allowed clients:"
        # skip blank lines and comment lines, take the first field only
        for i in $(awk '!/^#/ && NF {print $1}' "$WHITELIST") ; do
                /usr/sbin/iptables -A INPUT -m mac --mac-source "$i" -j LOG --log-prefix 'ALLOWED CLIENT '
                /usr/sbin/iptables -A INPUT -m mac --mac-source "$i" -j ACCEPT
                echo "Allow $i"
        done
else
        echo 'Alert! No Whitelist'
fi

Oh, and your shebang, it has a space in it.
Code:
#!/bin/bash
edit: Oh, ehm, my example does the same as your script, just differently. Hmmm, never mind.
__________________
Can't tell an OS by its GUI
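A check for the manual tracking described in post #7, as an added example that is not from the thread: it reads the kernel log lines that a LOG rule like the one in the whitelist script above writes (prefix 'ALLOWED CLIENT ') and reports any whitelisted MAC that comes back to an IP it already used after having moved away from it. A DHCP lease change moves a MAC from one address to another once; two machines answering to the same MAC, one of them spoofing, flip back and forth. The log lines are constructed, not captured; the two MACs are the ones from post #3 and the addresses and times are made up. In the MAC= field the LOG target prints the 14-byte Ethernet header, destination MAC first, then source MAC, then the ethertype, so the source MAC is bytes 7 to 12.

```shell
#!/bin/sh
# Added example, not from the thread: finds a whitelisted MAC that is being
# used from two places at once, which is what MAC spoofing by a second host
# looks like in the firewall log. Reads kernel log lines written by a LOG rule
# with --log-prefix 'ALLOWED CLIENT ' (as in the whitelist script above).
set -eu

# Constructed sample (not real log data). In the MAC= field the LOG target
# prints the 14-byte Ethernet header: destination MAC, source MAC, ethertype,
# so the source MAC is bytes 7 to 12. The MACs are the two from post #3;
# the hosts, addresses and times are made up.
SAMPLE_LOG='Jun 26 10:00:01 fw kernel: ALLOWED CLIENT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:15:af:71:df:fb:08:00 SRC=10.1.2.20 DST=146.110.26.11 LEN=60 PROTO=TCP SPT=51000 DPT=443
Jun 26 10:00:05 fw kernel: ALLOWED CLIENT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:1e:8c:7e:5d:c5:08:00 SRC=10.1.2.31 DST=146.110.26.11 LEN=60 PROTO=TCP SPT=40210 DPT=443
Jun 26 11:02:10 fw kernel: ALLOWED CLIENT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:1e:8c:7e:5d:c5:08:00 SRC=10.1.2.77 DST=146.110.26.11 LEN=60 PROTO=TCP SPT=40388 DPT=443
Jun 26 11:02:12 fw kernel: ALLOWED CLIENT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:15:af:71:df:fb:08:00 SRC=10.1.2.99 DST=146.110.26.11 LEN=60 PROTO=TCP SPT=33001 DPT=443
Jun 26 11:02:13 fw kernel: ALLOWED CLIENT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:15:af:71:df:fb:08:00 SRC=10.1.2.20 DST=146.110.26.11 LEN=60 PROTO=TCP SPT=51004 DPT=443'

# Reads log lines on stdin. A DHCP lease change moves a MAC from one IP to
# another once; a MAC that comes back to an IP it already used after moving
# away from it is two hosts sharing one MAC. Prints "mac previous_ip ip" once
# per offending MAC.
find_flapping_macs() {
    awk '
    /ALLOWED CLIENT/ {
        mac = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^MAC=/) {
                split(substr($i, 5), b, ":")
                mac = b[7] ":" b[8] ":" b[9] ":" b[10] ":" b[11] ":" b[12]
            } else if ($i ~ /^SRC=/) {
                src = substr($i, 5)
            }
        }
        if (mac == "" || src == "") next
        if ((mac in last) && last[mac] != src && ((mac, src) in seen) && !(mac in flagged)) {
            flagged[mac] = 1
            print mac, last[mac], src
        }
        seen[mac, src] = 1
        last[mac] = src
    }'
}

printf '%s\n' "$SAMPLE_LOG" | find_flapping_macs
```

On the sample, 00:1e:8c:7e:5d:c5 moves from 10.1.2.31 to 10.1.2.77 once and is not reported, while 00:15:af:71:df:fb goes .20, .99, .20 and is. A legitimate host can trip this too if its lease lapses and it is later handed its old address back, so read the hit together with the timestamps: two addresses interleaving within seconds, as here, is the two-hosts case; hours apart it is probably the DHCP server. Feed it real data with `grep 'ALLOWED CLIENT' /var/log/kern.log | find_flapping_macs`.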
#9, 06-26-2009, ThunderBird89
Thanks, and yes, security is dealt with at the server itself, using strong encryption and a login/pass system.
The main point in this firewall would be to limit the number of clients, to prevent the server from crashing, as twice a year, we get a flood of connections from students, which gives us techs a lot of headaches and the students no access to the system for sometimes over an hour while we try to keep the damn thing alive.

As for my shebang, it worked before with the space in it, but thanks for pointing it out.
#10, 06-30-2009, Lazydog
If you are at a UNI then why don't you look at VLANs and subnetting to control who has access to the server?