[plug] limits for the number of rules in iptables

Bill Kenworthy billk at iinet.net.au
Fri Aug 20 11:37:23 WST 2004


I use a modified monmotha firewall script.  DROP is the default so
theoretically, putting in a global DROP is redundant, but the angle I
have is that:

A. If someone is probing a port I don't want them to, I want nothing
further to do with them, even on services that are world available - a
per-port drop does not do this.  Per-port hits are currently logged and
dropped.  A large part of this is windoze chatter, which is just annoying
noise in the logs.

B. Once I have decided I do not want anything to do with someone, I don't
want them cluttering up the logs with multiple messages that basically
never stop - I am talking windoze chatter leaking onto the adsl network
and block scans. Once these are logged and dropped, they are moved to a
don't log, just drop everything (blackhole). Most of the more interesting
ones though seem to be looking for doze trojans - though in one case
someone tried to extract some files from gallery by blind requests (must
have had a good idea of how gallery is constructed!), then started a
scan so was blackholed immediately.  Also have some string matches for
apache, as some of the buffer overflow attempts being received by apache
were making a real mess of the logs, besides the protection
aspects.

On a real (that is, a commercial or very public) server, you wouldn't
want to go this far, and being able to see full log messages would still
be necessary, but blocking everything from an IP after a scan or suspect
connection attempt seems sane.

This has been an interesting and educational exercise - well worth it
from that view, but the extra protection is worthwhile too.

BillK

On Fri, 2004-08-20 at 11:08, Mark J Gaynor wrote:
> Have you looked at making drop everything your default rule and then
> your rules then become what you want to come through.
> 
> Mark
> --
> 
> *********** REPLY SEPARATOR  ***********
> 
> On 20/08/2004 at 6:39 AM William Kenworthy wrote:
> 
> >Does anyone know the practical limits for the number of rules to have in
> >iptables?  I am blackholing every (well most, don't want to dos myself!)
> >IP that probes my gateway on tripwired ports.  After a couple of days, I
> >have over a thousand going to the bitbucket under the desk. After about
> >600 DROPs, the logs noticeably cleaned up and no longer look like www3
> >
> >There doesn't seem to be any real effect on lag so far, but at some
> >threshold, I think I'll want to have the oldest rules fall out.
> >
> >BillK
> >
> >
> >_______________________________________________
> >PLUG discussion list: plug at plug.linux.org.au
> >http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
> >Committee e-mail: committee at plug.linux.org.au
> 
> 
> 
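An added example, not code from this thread and not the monmotha script
Bill mentions: a small Python script that builds the ruleset shape
described above (default DROP, a BLACKHOLE chain consulted before anything
else, tripwire ports logged and dropped) and then turns iptables LOG hits
on those ports into blackhole entries that are bounded in number, so the
oldest fall out again.  The "TRIPWIRE: " log prefix, the BLACKHOLE and
TRIPWIRE chain names, the tripwire port list, the ppp0 interface and the
sample log lines are all assumptions made for this example; the addresses
are from the documentation ranges and the log lines were constructed by
hand in the format the iptables LOG target writes.

```python
"""Added example: bounded iptables blackhole fed from tripwire log hits.
Nothing here is from the original thread; chain names, log prefix, ports
and the sample log are assumptions made for the example."""

import re
from collections import OrderedDict

# Constructed kernel-log lines in the shape iptables' LOG target writes
# (log prefix, IN/OUT, SRC/DST, PROTO, SPT/DPT).  203.0.113.5 plays the
# gateway's own address; the fourth line carries it as SRC to show that
# our own address is never blackholed.
SAMPLE_LOG = """\
Aug 20 10:01:02 gw kernel: TRIPWIRE: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=4123 DPT=135
Aug 20 10:01:03 gw kernel: TRIPWIRE: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=4124 DPT=445
Aug 20 10:02:10 gw kernel: TRIPWIRE: IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=27374
Aug 20 10:03:11 gw kernel: TRIPWIRE: IN=ppp0 OUT= SRC=203.0.113.5 DST=203.0.113.5 PROTO=TCP SPT=80 DPT=135
Aug 20 10:04:00 gw kernel: TRIPWIRE: IN=ppp0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=UDP SPT=1026 DPT=1026
Aug 20 10:05:00 gw kernel: TRIPWIRE: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=135
"""

LOG_RE = re.compile(r"TRIPWIRE: .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

# Addresses that must never be blackholed ("don't want to dos myself").
SAFE = {"203.0.113.5", "127.0.0.1"}

# Assumed tripwire ports: Windows/NetBIOS chatter and a classic trojan port.
TRIPWIRE_PORTS = (("tcp", 135), ("udp", 137), ("tcp", 139),
                  ("tcp", 445), ("udp", 1026), ("tcp", 27374))


def base_rules(iface="ppp0"):
    """Ruleset skeleton in the thread's design: default DROP, a BLACKHOLE
    chain consulted first so a listed source is dropped silently even for
    world-available services, then tripwire ports that are logged
    (rate-limited, so one scanner cannot flood the log) and dropped."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -N BLACKHOLE",
        "iptables -N TRIPWIRE",
        f"iptables -A INPUT -i {iface} -j BLACKHOLE",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # world-available services (e.g. -p tcp --dport 80 -j ACCEPT) go here
    ]
    for proto, port in TRIPWIRE_PORTS:
        rules.append(f"iptables -A INPUT -i {iface} -p {proto} --dport {port} -j TRIPWIRE")
    rules += [
        'iptables -A TRIPWIRE -m limit --limit 6/min -j LOG --log-prefix "TRIPWIRE: "',
        "iptables -A TRIPWIRE -j DROP",
    ]
    return rules


class Blackhole:
    """Bounded, insertion-ordered set of offending sources.  Once `limit`
    is exceeded the oldest entry is deleted again, which is the "oldest
    rules fall out" ageing the original question asks about."""

    def __init__(self, limit, safe=SAFE):
        self.limit = limit
        self.safe = set(safe)
        self.entries = OrderedDict()  # src ip -> first port it tripped

    def feed(self, line):
        """Consume one log line; return the iptables commands it triggers."""
        m = LOG_RE.search(line)
        if not m or m["src"] in self.safe or m["src"] in self.entries:
            return []  # not a tripwire hit, protected, or already blackholed
        src = m["src"]
        self.entries[src] = int(m["dpt"])
        cmds = [f"iptables -A BLACKHOLE -s {src} -j DROP"]
        if len(self.entries) > self.limit:
            oldest, _ = self.entries.popitem(last=False)
            cmds.append(f"iptables -D BLACKHOLE -s {oldest} -j DROP")
        return cmds


def process_log(text, limit):
    """Run every line through a Blackhole; return (blackhole, commands)."""
    bh = Blackhole(limit)
    cmds = []
    for line in text.splitlines():
        cmds.extend(bh.feed(line))
    return bh, cmds


if __name__ == "__main__":
    for cmd in base_rules():
        print(cmd)
    _, cmds = process_log(SAMPLE_LOG, limit=3)
    print("\n".join(cmds))
```

Two practical notes.  Every `-s` rule in the BLACKHOLE chain is compared
in turn for each packet that reaches it, so a thousand entries cost a
thousand comparisons per packet on that path; the bound in the script
is what keeps that from growing without limit.  On a current kernel the
same design is normally done with an ipset (`ipset create blackhole
hash:ip timeout 86400`, one `iptables -A INPUT -m set --match-set
blackhole src -j DROP` rule, and `ipset add blackhole <ip>` per offender),
which gives a constant-time lookup and ages entries out in the kernel
instead of in a script; `-m state --state` is the legacy spelling of
`-m conntrack --ctstate`.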