  1. #1
    Just Joined!
    Join Date
    Oct 2007
    Location
    Pécs
    Posts
    7

    Iptables connection limiting


    Hey Everyone,

    I'm a near-total Linux newbie, and for now, this is just a proof-of-concept question: is it possible to create a block with iptables that limits the number of incoming connections, not from a single IP or a known range, but from a wildcard range?

    The goal would be to create a firewall that allows only a preset number of IPs, say 250, to connect to its network out of many, say 10.000, while sending the others to a predefined page, but the IPs would not be known in advance (hence the need to be able to do all this with wildcards). Then once an IP of the first 250 disconnects, the next to attempt would be allowed, while the one after it is redirected.

    Was this understandable?

    Thank you in advance,
    The ThunderBird

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Yes, this would be possible. While I have never done something like this myself I believe it can be done using LIMIT, MARK and DNAT.

    Check out the following Tutorial for IPTABLES.

    Here you should be able to see how each one is used and build your rule set out of this.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Oct 2007
    Location
    Pécs
    Posts
    7
    Okay, after having had a lot of other things to do, and a lot to learn about iptables, I finally came up with something that I think should work. Here's the code:

    Code:
    #! /bin/sh
    
    ###########################################################
    # Script to set up connection limiting for Neptun servers #
    # to protect from overload                                #
    ###########################################################
    
    # Accept connections if total number of connections is below safety limit
    # Neptun server IP: 146.110.26.11
    # iptables -t filter -A FORWARD -p tcp -i eth0 -m connlimit --connlimit-below 250 --connlimit-mask 0 -j ACCEPT
    
    # Set marker on privileged MACs
    # (mangle/PREROUTING runs before nat/PREROUTING, so the mark is set in time)
    # Add own MAC as exempt
    iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source 00:15:AF:71:DF:FB -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source 00:1E:8C:7E:5D:C5 -j MARK --set-mark 1
    # Add X's MACs as exempts
    iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source <X WLAN MAC> -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source <X CAT5 MAC> -j MARK --set-mark 1
    # Add Y's MACs as exempts
    iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source <Y WLAN MAC> -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -p tcp -i eth0 -m mac --mac-source <Y CAT5 MAC> -j MARK --set-mark 1
    
    # Accept privileged MACs over connection limiting
    # (ACCEPT in the nat table ends nat/PREROUTING for the packet, so marked
    # packets never reach the DNAT rule below)
    iptables -t nat -A PREROUTING -m mark --mark 1 -j ACCEPT
    
    # Create connection-limiting to protect server from overload
    # Send surplus connections to overflow warning page
    # (--connlimit-mask 0 counts all sources together: a global total, not per client)
    iptables -t nat -A PREROUTING -p tcp -i eth0 -m connlimit --connlimit-above 250 --connlimit-mask 0 -j DNAT --to-destination <DIP>:80
    I wanted some machines to be able to access the server at all times due to their importance. Will this setup work as I described earlier?

  5. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Not sure I follow you any more. In your original post you were talking about IP addresses. In this last post you are using MAC addresses. So what is it you are trying to use, MAC or IP?

    Regards
    Robert


  6. #5
    Just Joined!
    Join Date
    Oct 2007
    Location
    Pécs
    Posts
    7
    Okay, I did not provide sufficient explanation...

    There are some machines that must be able to access this server at all times, even when it's nearing quota. But on this network, DHCP is being employed, so the machines' IPs might change between instances; that's why I thought I'd use the one thing that doesn't change about a machine, its MAC.

    I should have explained more clearly in my previous post, sorry.
    But am I on the right track, will this work, or is it something totally unworkable?

  7. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    You do know that MAC addresses can be spoofed right?

    Is this all internal or are there external hosts going to be connecting also?

    Also, if you are just interested in locking down to 250 hosts, then why are you worried about MAC addresses except the ones that have to connect all the time no matter what?

    Regards
    Robert


  8. #7
    Just Joined!
    Join Date
    Oct 2007
    Location
    Pécs
    Posts
    7
    Yes, I do know about MAC-spoofing, but I don't think the professors at the university I work at do, so this is not an issue here. Also, since I know the owners of these machines, I can track when they connect, and manually boot them if they connect when they usually don't.

    Most of the hosts connecting are going to be external, except for the ones that have 'privileged' status, those are internal, in addition to several 'normal' internal hosts.

    I'm not worried about MAC addresses, it's just that this is the only thing I could come up with that stays the same about a machine despite DHCP (with a 1 hour lease, if I remember the settings correctly).

    Thanks for pointing these out, though...

  9. #8
    Linux Engineer Freston's Avatar
    Join Date
    Mar 2007
    Location
    The Netherlands
    Posts
    1,049
    True, MAC does not provide ANY security, but neither does IP. If security is dealt with later on in the process, then I see no harm.

    It's possible to 'just accept' the MAC addresses. In this example, a file exists with all the MAC addresses that need to be 'whitelisted', one per line as the first thing on that line. The rest of the line can be used as description. You will want to refine it further, it's just an example.
    If you accept them before the rate limiter rule is passed, then the rate limiter will not affect them.

    Code:
    ###################
    # WHITELIST
    # first field of each line is the MAC, the rest of the line is a description
    WHITELIST=/etc/firewall/whitelist
    if [ -f "$WHITELIST" ] ; then
            echo "Allowed clients:"
            for i in $(awk '{print $1}' "$WHITELIST") ; do
                    /usr/sbin/iptables -A INPUT -m mac --mac-source "$i" -j LOG --log-prefix 'ALLOWED CLIENT '
                    /usr/sbin/iptables -A INPUT -m mac --mac-source "$i" -j ACCEPT
                    echo "Allow $i"
            done
    else
            echo 'Alert! No Whitelist'
    fi

    Oh, and your shebang, it has a space in it.
    Code:
    #!/bin/bash
    edit: Oh, ehm, my example does the same as your script, just differently. Hmmm, nevermind.
    Can't tell an OS by its GUI
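Putting the two approaches together (the MAC exemptions from post #3 and the whitelist file from this post), the following is an added example that is not from either poster: a POSIX sh script that reads the whitelist, validates each MAC, and prints (or applies) the rules in the one order that makes the design work, exemptions before the connlimit DNAT. The interface name, the limit of 250, the whitelist path and the overflow address 192.0.2.10:80 (standing in for `<DIP>:80`) are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate the connlimit ruleset from a whitelist.
# Usage: ./connlimit.sh --print | --apply   (--apply needs root)
IPT=${IPT:-/usr/sbin/iptables}
IFACE=${IFACE:-eth0}
WHITELIST=${WHITELIST:-/etc/firewall/whitelist}   # assumed path
LIMIT=${LIMIT:-250}
OVERFLOW=${OVERFLOW:-192.0.2.10:80}               # constructed stand-in for <DIP>:80

# Print the whitelisted MACs, one per line, lower-cased. Blank lines and '#'
# comments are skipped; the first field is the MAC, the rest is a description.
# Malformed entries are reported and dropped instead of becoming a broken rule.
read_whitelist() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{print tolower($1)}' |
    while read -r mac; do
        if echo "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "$mac"
        else
            echo "skipping malformed MAC in $1: $mac" >&2
        fi
    done
}

# Emit the iptables commands, one per line, exemptions first.
gen_rules() {
    # ACCEPT in nat/PREROUTING ends that chain for the packet, so a whitelisted
    # host never reaches the DNAT rule below. Caveat: -m mac sees the MAC of the
    # last hop, so it only identifies hosts on the firewall's own LAN segment;
    # routed (external) clients all arrive with the upstream router's MAC.
    if [ -f "$WHITELIST" ]; then
        read_whitelist "$WHITELIST" | while read -r mac; do
            echo "$IPT -t nat -A PREROUTING -i $IFACE -m mac --mac-source $mac -j ACCEPT"
        done
    else
        echo "warning: no whitelist at $WHITELIST, nothing exempted" >&2
    fi
    # Everyone else: --connlimit-mask 0 puts all sources in one bucket, so this
    # fires once more than LIMIT TCP connections exist in total and sends the
    # newcomer to the overflow page instead of the server.
    echo "$IPT -t nat -A PREROUTING -i $IFACE -p tcp -m connlimit --connlimit-above $LIMIT --connlimit-mask 0 -j DNAT --to-destination $OVERFLOW"
}

case "${1:-}" in
    --print) gen_rules ;;
    --apply) gen_rules | sh -e ;;
    *) echo "usage: $0 --print | --apply" >&2 ;;
esac
```

Run it with `--print` first and read the output; the LOG/ACCEPT pair from the whitelist snippet above still belongs in the filter table, this only handles the redirect.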

  10. #9
    Just Joined!
    Join Date
    Oct 2007
    Location
    Pécs
    Posts
    7
    Thanks, and yes, security is dealt with at the server itself, using strong encryption and a login/pass system.
    The main point in this firewall would be to limit the number of clients, to prevent the server from crashing, as twice a year, we get a flood of connections from students, which gives us techs a lot of headaches and the students no access to the system for sometimes over an hour while we try to keep the damn thing alive.

    As for my shebang, it worked before with the space in it, but thanks for pointing it out.

  11. #10
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    If you are at a UNI then why don't you look at VLANs and subnetting to control who has access to the server?

    Regards
    Robert

