Allow X packets per second with the same data length - iptables

For Firefox, type "about:config" in the address bar and go there. Search for "spell" and find the variable "spellchecker.dictionary". If its value is something other than "en_US" (mine said "en_AU"), right-click the entry and change the value to "en_US".

0
asked 13 September 2017 at 15:10

6 answers

Using the iptables recent module, a two-step process can detect 10 per second and then impose a longer ban time. A script was created for this:

#!/bin/sh
FWVER=0.01
#
# gamer-cs iptables rule example. Smythies 2017.09.13 Ver:0.01
#     Protocol: UDP
#     Destination port: 27015
#     Length: 100 payload. The UDP header is always 8 bytes in length.
#                 The IP header is typically 20 bytes but can be longer.
#
#     Ban by IP or ban all?:
#            Ban by IP via a two step process, can ban for any desired time.
#            Ban all can use the built in rate limit stuff, but then the ban
#            time can not exceed the rate limit window and it has a tendency
#            to block legitimate users.
#
#     Probably needs to be combined with the bigger context of other rules.
#
#     See also:
#     https://askubuntu.com/questions/955425/allow-x-packets-per-second-with-same-data-length-iptables
#            And other questions from gamer-cs.
#
#     https://askubuntu.com/questions/818524/correctly-limit-ip-connections
#     https://chat.stackexchange.com/transcript/51426/2017/1/9
#
#     run as sudo
#

echo "Loading gamer-cs rule example version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

# Some definitions.
# Some of these are for the Smythies test computer. Change as required.
EXTIF="enp9s0"
EXTIP="192.168.111.104"
PORT_TO_CHECK="27015"
UNIVERSE="0.0.0.0/0"

#Clearing any previous configuration
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# Otherwise, I can not seem to delete it later on.
# On the very first run the chain does not exist yet, and iptables reports
# "No chain/target/match by that name"; that is harmless, so hide it.
$IPTABLES -F ADD_TO_LIST 2>/dev/null
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# ADD_TO_LIST
# Called from the rate checker.
# Add the IP address to the bad guy list, and DROP the packet.
# If desired, comment out the log rule.
# Rate limit the logging.
$IPTABLES -N ADD_TO_LIST
$IPTABLES -A ADD_TO_LIST -m recent --set --name BADGUY_LIST
$IPTABLES -A ADD_TO_LIST -m limit --limit 3/m --limit-burst 2 -j LOG --log-prefix "BAD_ADD:" --log-level info
$IPTABLES -A ADD_TO_LIST -j DROP


# I (Smythies) need the following rule to prevent my ssh sessions from being locked out
# while testing/debugging
#
# Note: conntrack marks a UDP flow ESTABLISHED once the server has sent a reply, so
# a source the server has already answered is accepted here and never reaches the
# rate check below. Place the rate check first, or exclude udp/$PORT_TO_CHECK from
# this rule, if the server replies to its clients.
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Other INPUT chain rules might be needed before this, not sure.
#
# If on the bad guy list, then drop regardless. Limit logging (If desired, comment out the log rule).
$IPTABLES -A INPUT -i $EXTIF -m limit --limit 3/m --limit-burst 2 -m recent --rcheck --hitcount 1 --seconds 3600 --name BADGUY_LIST -j LOG --log-prefix "BAD GUY:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 3600 --name BADGUY_LIST -j DROP
# Do the actual rate limiting check
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --update --hitcount 10 --seconds 1 --name BAD_OR_NOT -j ADD_TO_LIST
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --set --name BAD_OR_NOT -j ACCEPT
# O.K. at this point, carry on with other INPUT chain rules.

echo "gamer-cs rule example version $FWVER done.\n"

Testing was done using hping3 from another computer. First:

sudo hping3 --quiet -c 50 --udp --data 100 --destport 27015 --interval u101000 --spoof 192.168.111.249 192.168.111.104

Packets were sent under the 10 per second rate limit. The source IP was spoofed to prevent my real IP address from being blocked. Result (hint: exactly as expected):

$ sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 10 packets, 984 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37     2152 ACCEPT     all  --  enp9s0 *       0.0.0.0/0            192.168.111.104      state RELATED,ESTABLISHED
       0        0 LOG        all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 2 recent: CHECK seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "BAD GUY:"
       0        0 DROP       all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255
       0        0 ADD_TO_LIST  udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: UPDATE seconds: 1 hit_count: 10 name: BAD_OR_NOT side: source mask: 255.255.255.255
      50     6400 ACCEPT     udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: SET name: BAD_OR_NOT side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 57 packets, 8528 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain ADD_TO_LIST (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: BADGUY_LIST side: source mask: 255.255.255.255
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 2 LOG flags 0 level 6 prefix "BAD_GUY:"
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Second:

sudo hping3 --quiet -c 50 --udp --data 100 --destport 27015 --interval u98000 --spoof 192.168.111.249 192.168.111.104

Packets were sent at slightly more than 10 per second. Result (hint: exactly as expected):

$ sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 16 packets, 1798 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      55     7648 ACCEPT     all  --  enp9s0 *       0.0.0.0/0            192.168.111.104      state RELATED,ESTABLISHED
       0        0 LOG        all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 2 recent: CHECK seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "BAD GUY:"
      39     4992 DROP       all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255
       1      128 ADD_TO_LIST  udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: UPDATE seconds: 1 hit_count: 10 name: BAD_OR_NOT side: source mask: 255.255.255.255
      60     7680 ACCEPT     udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: SET name: BAD_OR_NOT side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 86 packets, 13585 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain ADD_TO_LIST (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       1      128            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: BADGUY_LIST side: source mask: 255.255.255.255
       1      128 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 2 LOG flags 0 level 6 prefix "BAD_GUY:"
       1      128 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Third:

$ sudo hping3 --quiet -c 50 --udp --data 100 --destport 27015 --interval 5 --spoof 192.168.111.249 192.168.111.104

Checking the rate-limited logging using a slow packet rate, with the block rule having been triggered earlier. Result:

$ sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 36 packets, 2671 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     129     7848 ACCEPT     all  --  enp9s0 *       0.0.0.0/0            192.168.111.104      state RELATED,ESTABLISHED
      10     1280 LOG        all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 2 recent: CHECK seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "BAD GUY:"
      89    11392 DROP       all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255
       1      128 ADD_TO_LIST  udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: UPDATE seconds: 1 hit_count: 10 name: BAD_OR_NOT side: source mask: 255.255.255.255
      60     7680 ACCEPT     udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: SET name: BAD_OR_NOT side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 208 packets, 31104 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain ADD_TO_LIST (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       1      128            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: BADGUY_LIST side: source mask: 255.255.255.255
       1      128 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 2 LOG flags 0 level 6 prefix "BAD_ADD:"
       1      128 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

The last few related /var/log/syslog entries:

Sep 14 08:52:29 cyd-hp2 kernel: [778611.743160] BAD GUY:IN=enp9s0 OUT= MAC=00:26:9e:90:10:8d:f4:6d:04:65:2d:8e:08:00 SRC=192.168.111.249 DST=192.168.111.104 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=16043 PROTO=UDP SPT=1682 DPT=27015 LEN=108
Sep 14 08:52:49 cyd-hp2 kernel: [778631.742076] BAD GUY:IN=enp9s0 OUT= MAC=00:26:9e:90:10:8d:f4:6d:04:65:2d:8e:08:00 SRC=192.168.111.249 DST=192.168.111.104 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=41223 PROTO=UDP SPT=1686 DPT=27015 LEN=108
Sep 14 08:53:09 cyd-hp2 kernel: [778651.741012] BAD GUY:IN=enp9s0 OUT= MAC=00:26:9e:90:10:8d:f4:6d:04:65:2d:8e:08:00 SRC=192.168.111.249 DST=192.168.111.104 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=37530 PROTO=UDP SPT=1690 DPT=27015 LEN=108

EDIT

If the goal is NOT to be source-IP-address specific, then version 2 below is suggested. It uses the --mask option with a mask of 0.0.0.0 to make the DROP criteria independent of the source IP address. However, the DROP criteria must then include the original conditions, because the IP address is no longer a useful bad-guy identifier:

#!/bin/sh
FWVER=0.02
#
# gamer-cs iptables rule example. Smythies 2017.09.14 Ver:0.02
#     use the --mask option to eliminate any specific IP address.
#     However, then only DROP packets that meet the criteria,
#     otherwise a mess will occur.
#
# gamer-cs iptables rule example. Smythies 2017.09.13 Ver:0.01
#     Protocol: UDP
#     Destination port: 27015
#     Length: 100 payload. The UDP header is always 8 bytes in length.
#                 The IP header is typically 20 bytes but can be longer.
#
#     Banning is a two step process, using the recent module,
#     and can then ban for any desired time.
#
#     Probably needs to be combined with the bigger context of other rules.
#
#     See also:
#     https://askubuntu.com/questions/955425/allow-x-packets-per-second-with-same-data-length-iptables
#            And other questions from gamer-cs.
#
#     https://askubuntu.com/questions/818524/correctly-limit-ip-connections
#     https://chat.stackexchange.com/transcript/51426/2017/1/9
#
#     run as sudo
#

echo "Loading gamer-cs rule example version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

# Some definitions.
# Some of these are for the Smythies test computer. Change as required.
# The external interface name:
EXTIF="enp9s0"
# The external IP address
EXTIP="192.168.111.104"
# Obvious
PORT_TO_CHECK="27015"
UNIVERSE="0.0.0.0/0"

#Clearing any previous configuration
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# Otherwise, I can not seem to delete it later on.
# On the very first run the chain does not exist yet, and iptables reports
# "No chain/target/match by that name"; that is harmless, so hide it.
$IPTABLES -F ADD_TO_LIST 2>/dev/null
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# ADD_TO_LIST
# Called from the rate checker.
# Add the IP/0 address to the bad guy list, and DROP the packet.
# If desired, comment out the log rule.
# Rate limit the logging.
$IPTABLES -N ADD_TO_LIST
$IPTABLES -A ADD_TO_LIST -m recent --mask 0.0.0.0 --set --name BADGUY_LIST
$IPTABLES -A ADD_TO_LIST -m limit --limit 3/m --limit-burst 2 -j LOG --log-prefix "BAD_ADD:" --log-level info
$IPTABLES -A ADD_TO_LIST -j DROP


# I (Smythies) need the following rule to prevent my ssh sessions from being locked out
# while testing/debugging
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Other INPUT chain rules might be needed before this, not sure.
#
# If there has been any activity on the bad guy list within the timeout time, then DROP any packet that meets the criteria. Limit logging (If desired, comment out the log rule).
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m limit --limit 3/m --limit-burst 2 -m recent --mask 0.0.0.0 --rcheck --hitcount 1 --seconds 3600 --name BADGUY_LIST -j LOG --log-prefix "BAD GUY:" --log-level info
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --mask 0.0.0.0 --update --hitcount 1 --seconds 3600 --name BADGUY_LIST -j DROP
# Do the actual rate limiting check
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --mask 0.0.0.0 --update --hitcount 10 --seconds 1 --name BAD_OR_NOT -j ADD_TO_LIST
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --mask 0.0.0.0 --set --name BAD_OR_NOT -j ACCEPT
# O.K. at this point, carry on with other INPUT chain rules.

echo "gamer-cs rule example version $FWVER done.\n"
0
answered 22 May 2018 at 18:31
  • 1
    Thanks for your help. But I have some problems running this script. I put it in a file and saved it as test.sh, then uploaded it to my /root, and then tried to run it with ./test.sh, but it did not work. So how do I run it? And what are these things: EXTIF, EXTIP, UNIVERSE? – gamer-cs 14 September 2017 at 19:59
  • 2
    If I understand, this script works like this: if one IP sends more than 10 packets/sec with a total length of 128, its IP will be blocked, and all packets coming from that IP? – gamer-cs 14 September 2017 at 20:04
  • 3
    1: Well, as the comment says, they are set up for my test computer (change as required) for your computer. You have to use sudo (mentioned in the header comments), so sudo ./test.sh 2: Yes, for an hour. Any packet within that hour resets the timer. – Doug Smythies 14 September 2017 at 20:44
  • 4
    I gave execute permission to this file and then tried running it using the command you said, but I get this: sudo: unable to execute ./test.sh: No such file or directory Hangup – gamer-cs 14 September 2017 at 22:32
  • 5
    OK, I managed to fix it from here: unix.stackexchange.com/questions/144718/… I just used these 3 commands: sudo apt-get install dos2unix -y dos2unix test.sh sudo chmod u+x test.sh && sudo ./test.sh But I get this `iptables: No chain/target/match by that name.` – gamer-cs 14 September 2017 at 22:39

Используя последний модуль iptables, в двухэтапном процессе можно обнаружить 10 в секунду, а затем установить более длительное время запрета. Для этого был создан сценарий:

#!/bin/sh FWVER=0.01 # # gamer-cs iptables rule example. Smythies 2017.09.13 Ver:0.01 # Protocl: UDP # Destination port: 27015 # Length: 100 payload. The UDP header is always 8 bytes in length. # The IP header is typically 20 bytes but can be longer. # # Ban by IP or ban all?: # Ban by IP via a two step process, can ban for any desired time. # Ban all can use the built in rate limit stuff, but then the ban # time can not exceed the rate limit window and it has a tendency # to block legitamite users. # # Probably needs to be combined with the bigger context of other rules. # # See also: # https://askubuntu.com/questions/955425/allow-x-packets-per-second-with-same-data-length-iptables # And other questions from gamer-cs. # # https://askubuntu.com/questions/818524/correctly-limit-ip-connections # https://chat.stackexchange.com/transcript/51426/2017/1/9 # # run as sudo # echo "Loading gamer-cs rule example version $FWVER..\n" # The location of the iptables program # IPTABLES=/sbin/iptables # Some definitions. # Some of these are for the Smythies test computer. Change as required. EXTIF="enp9s0" EXTIP="192.168.111.104" PORT_TO_CHECK="27015" UNIVERSE="0.0.0.0/0" #Clearing any previous configuration # echo " Clearing any existing rules and setting default policies.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD ACCEPT $IPTABLES -F FORWARD # Otherwise, I can not seem to delete it later on $IPTABLES -F ADD_TO_LIST # Delete user defined chains $IPTABLES -X # Reset all IPTABLES counters $IPTABLES -Z ####################################################################### # USER DEFINED CHAIN SUBROUTINES: # # ADD_TO_LIST # Called from the rate checker. # Add the IP address to the bad guy list, and DROP the packet. # If desired, comment out the log rule. # Rate limit the logging. 
$IPTABLES -N ADD_TO_LIST $IPTABLES -A ADD_TO_LIST -m recent --set --name BADGUY_LIST $IPTABLES -A ADD_TO_LIST -m limit --limit 3/m --limit-burst 2 -j LOG --log-prefix "BAD_ADD:" --log-level info $IPTABLES -A ADD_TO_LIST -j DROP # I (Smythies) need the following rule to prevent my ssh sessions from being locked out # while testing/debugging # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT # Other INPUT chain rules might be needed before this, not sure. # # If on the bad guy list, then drop regardless. Limit logging (If desired, comment out the log rule). $IPTABLES -A INPUT -i $EXTIF -m limit --limit 3/m --limit-burst 2 -m recent --rcheck --hitcount 1 --seconds 3600 --name BADGUY_LIST -j LOG --log-prefix "BAD GUY:" --log-level info $IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 3600 --name BADGUY_LIST -j DROP # Do the actual rate limiting check $IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --update --hitcount 10 --seconds 1 --name BAD_OR_NOT -j ADD_TO_LIST $IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --set --name BAD_OR_NOT -j ACCEPT # O.K. at this point, carry on with other INPUT chain rules. echo "gamer-cs rule example version $FWVER done.\n"

Тестирование проводилось с использованием hping3 с другого компьютера. Во-первых:

sudo hping3 --quiet -c 50 --udp --data 100 --destport 27015 --interval u101000 --spoof 192.168.111.249 192.168.111.104

Отправленные пакеты под пределом скорости 10 на секунду. Исходный IP был подделан, чтобы предотвратить блокирование моего реального IP-адреса. Результат (подсказка: точно так, как ожидалось):

$ sudo iptables -v -x -n -L Chain INPUT (policy ACCEPT 10 packets, 984 bytes) pkts bytes target prot opt in out source destination 37 2152 ACCEPT all -- enp9s0 * 0.0.0.0/0 192.168.111.104 state RELATED,ESTABLISHED 0 0 LOG all -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 2 recent: CHECK seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "BAD GUY:" 0 0 DROP all -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 0 0 ADD_TO_LIST udp -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:27015 length 128 recent: UPDATE seconds: 1 hit_count: 10 name: BAD_OR_NOT side: source mask: 255.255.255.255 50 6400 ACCEPT udp -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:27015 length 128 recent: SET name: BAD_OR_NOT side: source mask: 255.255.255.255 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 57 packets, 8528 bytes) pkts bytes target prot opt in out source destination Chain ADD_TO_LIST (1 references) pkts bytes target prot opt in out source destination 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: BADGUY_LIST side: source mask: 255.255.255.255 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 2 LOG flags 0 level 6 prefix "BAD_GUY:" 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Второе:

sudo hping3 --quiet -c 50 --udp --data 100 --destport 27015 --interval u98000 --spoof 192.168.111.249 192.168.111.104

Отправлено пакетов чуть более 10 в секунду. Результат (подсказка: точно так, как ожидалось):

$ sudo iptables -v -x -n -L Chain INPUT (policy ACCEPT 16 packets, 1798 bytes) pkts bytes target prot opt in out source destination 55 7648 ACCEPT all -- enp9s0 * 0.0.0.0/0 192.168.111.104 state RELATED,ESTABLISHED 0 0 LOG all -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 2 recent: CHECK seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "BAD GUY:" 39 4992 DROP all -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 1 128 ADD_TO_LIST udp -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:27015 length 128 recent: UPDATE seconds: 1 hit_count: 10 name: BAD_OR_NOT side: source mask: 255.255.255.255 60 7680 ACCEPT udp -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:27015 length 128 recent: SET name: BAD_OR_NOT side: source mask: 255.255.255.255 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 86 packets, 13585 bytes) pkts bytes target prot opt in out source destination Chain ADD_TO_LIST (1 references) pkts bytes target prot opt in out source destination 1 128 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: BADGUY_LIST side: source mask: 255.255.255.255 1 128 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 2 LOG flags 0 level 6 prefix "BAD_GUY:" 1 128 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

В-третьих:

$ sudo hping3 --quiet -c 50 --udp --data 100 --destport 27015 --interval 5 --spoof 192.168.111.249 192.168.111.104

Проверьте ограниченное ведение журнала с использованием медленной скорости передачи пакетов, ранее инициировав правило блокировки. Результат:

$ sudo iptables -v -x -n -L Chain INPUT (policy ACCEPT 36 packets, 2671 bytes) pkts bytes target prot opt in out source destination 129 7848 ACCEPT all -- enp9s0 * 0.0.0.0/0 192.168.111.104 state RELATED,ESTABLISHED 10 1280 LOG all -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 2 recent: CHECK seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "BAD GUY:" 89 11392 DROP all -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 1 128 ADD_TO_LIST udp -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:27015 length 128 recent: UPDATE seconds: 1 hit_count: 10 name: BAD_OR_NOT side: source mask: 255.255.255.255 60 7680 ACCEPT udp -- enp9s0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:27015 length 128 recent: SET name: BAD_OR_NOT side: source mask: 255.255.255.255 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 208 packets, 31104 bytes) pkts bytes target prot opt in out source destination Chain ADD_TO_LIST (1 references) pkts bytes target prot opt in out source destination 1 128 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: BADGUY_LIST side: source mask: 255.255.255.255 1 128 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 2 LOG flags 0 level 6 prefix "BAD_ADD:" 1 128 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Последние несколько связанных записей /var/log/syslog:

Sep 14 08:52:29 cyd-hp2 kernel: [778611.743160] BAD GUY:IN=enp9s0 OUT= MAC=00:26:9e:90:10:8d:f4:6d:04:65:2d:8e:08:00 SRC=192.168.111.249 DST=192.168.111.104 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=16043 PROTO=UDP SPT=1682 DPT=27015 LEN=108 Sep 14 08:52:49 cyd-hp2 kernel: [778631.742076] BAD GUY:IN=enp9s0 OUT= MAC=00:26:9e:90:10:8d:f4:6d:04:65:2d:8e:08:00 SRC=192.168.111.249 DST=192.168.111.104 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=41223 PROTO=UDP SPT=1686 DPT=27015 LEN=108 Sep 14 08:53:09 cyd-hp2 kernel: [778651.741012] BAD GUY:IN=enp9s0 OUT= MAC=00:26:9e:90:10:8d:f4:6d:04:65:2d:8e:08:00 SRC=192.168.111.249 DST=192.168.111.104 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=37530 PROTO=UDP SPT=1690 DPT=27015 LEN=108

ИЗМЕНИТЬ

Если целью является НЕ быть адресом источника IP-адреса , то предлагается вариант 2 ниже. Он использует опцию --mask с маской 0.0.0.0, чтобы сделать критерии DROP не относящимися к IP-адресу источника. Однако тогда критерии DROP должны включать исходные условия, поскольку IP-адрес больше не является полезным идентификатором плохого парня:

#!/bin/sh FWVER=0.02 # # gamer-cs iptables rule example. Smythies 2017.09.14 Ver:0.02 # use the --mask option to eliminate any specific IP address. # However, then only DROP packets that meet the criteria, # otherwise a mess will occur. # # gamer-cs iptables rule example. Smythies 2017.09.13 Ver:0.01 # Protocl: UDP # Destination port: 27015 # Length: 100 payload. The UDP header is always 8 bytes in length. # The IP header is typically 20 bytes but can be longer. # # Banning is a two step process, using the recent module, # and can then ban for any desired time. # # Probably needs to be combined with the bigger context of other rules. # # See also: # https://askubuntu.com/questions/955425/allow-x-packets-per-second-with-same-data-length-iptables # And other questions from gamer-cs. # # https://askubuntu.com/questions/818524/correctly-limit-ip-connections # https://chat.stackexchange.com/transcript/51426/2017/1/9 # # run as sudo # echo "Loading gamer-cs rule example version $FWVER..\n" # The location of the iptables program # IPTABLES=/sbin/iptables # Some definitions. # Some of these are for the Smythies test computer. Change as required. # The external interface name: EXTIF="enp9s0" # The external IP address EXTIP="192.168.111.104" # Obvious PORT_TO_CHECK="27015" UNIVERSE="0.0.0.0/0" #Clearing any previous configuration # echo " Clearing any existing rules and setting default policies.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD ACCEPT $IPTABLES -F FORWARD # Otherwise, I can not seem to delete it later on $IPTABLES -F ADD_TO_LIST # Delete user defined chains $IPTABLES -X # Reset all IPTABLES counters $IPTABLES -Z ####################################################################### # USER DEFINED CHAIN SUBROUTINES: # # ADD_TO_LIST # Called from the rate checker. # Add the IP/0 address to the bad guy list, and DROP the packet. # If desired, comment out the log rule. # Rate limit the logging. 
$IPTABLES -N ADD_TO_LIST $IPTABLES -A ADD_TO_LIST -m recent --mask 0.0.0.0 --set --name BADGUY_LIST $IPTABLES -A ADD_TO_LIST -m limit --limit 3/m --limit-burst 2 -j LOG --log-prefix "BAD_ADD:" --log-level info $IPTABLES -A ADD_TO_LIST -j DROP # I (Smythies) need the following rule to prevent my ssh sessions from being locked out # while testing/debugging # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT # Other INPUT chain rules might be needed before this, not sure. # # If there has been any actitivity on the bad guy list in the timeout time, then DROP any packet that meets the crieria. Limit logging (If desired, comment out the log rule). $IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m limit --limit 3/m --limit-burst 2 -m recent --mask 0.0.0.0 --rcheck --hitcount 1 --seconds 3600 --name BADGUY_LIST -j LOG --log-prefix "BAD GUY:" --log-level info $IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --mask 0.0.0.0 --update --hitcount 1 --seconds 3600 --name BADGUY_LIST -j DROP # Do the actual rate limiting check $IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --mask 0.0.0.0 --update --hitcount 10 --seconds 1 --name BAD_OR_NOT -j ADD_TO_LIST $IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --mask 0.0.0.0 --set --name BAD_OR_NOT -j ACCEPT # O.K. at this point, carry on with other INPUT chain rules. echo "gamer-cs rule example version $FWVER done.\n"
0
ответ дан 18 July 2018 в 06:56

Используя последний модуль iptables, в двухэтапном процессе можно обнаружить 10 в секунду, а затем установить более длительное время запрета. Для этого был создан сценарий:

#!/bin/sh
FWVER=0.01
#
# gamer-cs iptables rule example. Smythies 2017.09.13 Ver:0.01
#     Protocol: UDP
#     Destination port: 27015
#     Length: 100 payload. The UDP header is always 8 bytes in length.
#                 The IP header is typically 20 bytes but can be longer.
#
#     Ban by IP or ban all?:
#            Ban by IP via a two step process, can ban for any desired time.
#            Ban all can use the built in rate limit stuff, but then the ban
#            time can not exceed the rate limit window and it has a tendency
#            to block legitimate users.
#
#     Probably needs to be combined with the bigger context of other rules.
#
#     See also:
#     https://askubuntu.com/questions/955425/allow-x-packets-per-second-with-same-data-length-iptables
#            And other questions from gamer-cs.
#
#     https://askubuntu.com/questions/818524/correctly-limit-ip-connections
#     https://chat.stackexchange.com/transcript/51426/2017/1/9
#
#     run as sudo
#

echo "Loading gamer-cs rule example version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

# Some definitions.
# Some of these are for the Smythies test computer. Change as required.
EXTIF="enp9s0"
EXTIP="192.168.111.104"
PORT_TO_CHECK="27015"
UNIVERSE="0.0.0.0/0"

#Clearing any previous configuration
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD

# Otherwise, I can not seem to delete it later on
$IPTABLES -F ADD_TO_LIST

# Delete user defined chains
$IPTABLES -X

# Reset all IPTABLES counters
$IPTABLES -Z

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# ADD_TO_LIST
#     Called from the rate checker.
#     Add the IP address to the bad guy list, and DROP the packet.
#     If desired, comment out the log rule.
#     Rate limit the logging.

$IPTABLES -N ADD_TO_LIST
$IPTABLES -A ADD_TO_LIST -m recent --set --name BADGUY_LIST
$IPTABLES -A ADD_TO_LIST -m limit --limit 3/m --limit-burst 2 -j LOG --log-prefix "BAD_ADD:" --log-level info
$IPTABLES -A ADD_TO_LIST -j DROP

# I (Smythies) need the following rule to prevent my ssh sessions from being locked out
# while testing/debugging
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Other INPUT chain rules might be needed before this, not sure.
#
# If on the bad guy list, then drop regardless. Limit logging (If desired, comment out the log rule).
$IPTABLES -A INPUT -i $EXTIF -m limit --limit 3/m --limit-burst 2 -m recent --rcheck --hitcount 1 --seconds 3600 --name BADGUY_LIST -j LOG --log-prefix "BAD GUY:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 3600 --name BADGUY_LIST -j DROP

# Do the actual rate limiting check
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --update --hitcount 10 --seconds 1 --name BAD_OR_NOT -j ADD_TO_LIST
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --set --name BAD_OR_NOT -j ACCEPT

# O.K. at this point, carry on with other INPUT chain rules.

echo "gamer-cs rule example version $FWVER done.\n"

Testing was done using hping3 from another computer. First:

sudo hping3 --quiet -c 50 --udp --data 100 --destport 27015 --interval u101000 --spoof 192.168.111.249 192.168.111.104

Packets were sent under the rate limit of 10 per second. The source IP was spoofed to prevent my real IP address from being blocked. Result (hint: exactly as expected):

$ sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 10 packets, 984 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37       2152 ACCEPT     all  --  enp9s0 *       0.0.0.0/0            192.168.111.104      state RELATED,ESTABLISHED
       0          0 LOG        all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 2 recent: CHECK seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "BAD GUY:"
       0          0 DROP       all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255
       0          0 ADD_TO_LIST  udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: UPDATE seconds: 1 hit_count: 10 name: BAD_OR_NOT side: source mask: 255.255.255.255
      50       6400 ACCEPT     udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: SET name: BAD_OR_NOT side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 57 packets, 8528 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain ADD_TO_LIST (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: BADGUY_LIST side: source mask: 255.255.255.255
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 2 LOG flags 0 level 6 prefix "BAD_GUY:"
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Second:

sudo hping3 --quiet -c 50 --udp --data 100 --destport 27015 --interval u98000 --spoof 192.168.111.249 192.168.111.104

Packets were sent at just over 10 per second. Result (hint: exactly as expected):

$ sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 16 packets, 1798 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      55       7648 ACCEPT     all  --  enp9s0 *       0.0.0.0/0            192.168.111.104      state RELATED,ESTABLISHED
       0          0 LOG        all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 2 recent: CHECK seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "BAD GUY:"
      39       4992 DROP       all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255
       1        128 ADD_TO_LIST  udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: UPDATE seconds: 1 hit_count: 10 name: BAD_OR_NOT side: source mask: 255.255.255.255
      60       7680 ACCEPT     udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: SET name: BAD_OR_NOT side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 86 packets, 13585 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain ADD_TO_LIST (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       1        128            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: BADGUY_LIST side: source mask: 255.255.255.255
       1        128 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 2 LOG flags 0 level 6 prefix "BAD_GUY:"
       1        128 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Third:

$ sudo hping3 --quiet -c 50 --udp --data 100 --destport 27015 --interval 5 --spoof 192.168.111.249 192.168.111.104

Check the rate-limited logging using a slow packet rate, with the ban rule having been triggered earlier. Result:

$ sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 36 packets, 2671 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     129       7848 ACCEPT     all  --  enp9s0 *       0.0.0.0/0            192.168.111.104      state RELATED,ESTABLISHED
      10       1280 LOG        all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 2 recent: CHECK seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "BAD GUY:"
      89      11392 DROP       all  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 3600 hit_count: 1 name: BADGUY_LIST side: source mask: 255.255.255.255
       1        128 ADD_TO_LIST  udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: UPDATE seconds: 1 hit_count: 10 name: BAD_OR_NOT side: source mask: 255.255.255.255
      60       7680 ACCEPT     udp  --  enp9s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 length 128 recent: SET name: BAD_OR_NOT side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 208 packets, 31104 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain ADD_TO_LIST (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       1        128            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: BADGUY_LIST side: source mask: 255.255.255.255
       1        128 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 2 LOG flags 0 level 6 prefix "BAD_ADD:"
       1        128 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

The last few related entries from /var/log/syslog:

Sep 14 08:52:29 cyd-hp2 kernel: [778611.743160] BAD GUY:IN=enp9s0 OUT= MAC=00:26:9e:90:10:8d:f4:6d:04:65:2d:8e:08:00 SRC=192.168.111.249 DST=192.168.111.104 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=16043 PROTO=UDP SPT=1682 DPT=27015 LEN=108
Sep 14 08:52:49 cyd-hp2 kernel: [778631.742076] BAD GUY:IN=enp9s0 OUT= MAC=00:26:9e:90:10:8d:f4:6d:04:65:2d:8e:08:00 SRC=192.168.111.249 DST=192.168.111.104 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=41223 PROTO=UDP SPT=1686 DPT=27015 LEN=108
Sep 14 08:53:09 cyd-hp2 kernel: [778651.741012] BAD GUY:IN=enp9s0 OUT= MAC=00:26:9e:90:10:8d:f4:6d:04:65:2d:8e:08:00 SRC=192.168.111.249 DST=192.168.111.104 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=37530 PROTO=UDP SPT=1690 DPT=27015 LEN=108

EDIT

If the goal is to NOT be source IP address specific, then option 2 below is suggested. It uses the --mask option with a mask of 0.0.0.0 to make the DROP criteria independent of the source IP address. However, the DROP criteria then have to include the original match conditions, because the IP address is no longer a useful identifier of the bad guy:

#!/bin/sh
FWVER=0.02
#
# gamer-cs iptables rule example. Smythies 2017.09.14 Ver:0.02
#     use the --mask option to eliminate any specific IP address.
#     However, then only DROP packets that meet the criteria,
#     otherwise a mess will occur.
#
# gamer-cs iptables rule example. Smythies 2017.09.13 Ver:0.01
#     Protocol: UDP
#     Destination port: 27015
#     Length: 100 payload. The UDP header is always 8 bytes in length.
#                 The IP header is typically 20 bytes but can be longer.
#
#     Banning is a two step process, using the recent module,
#     and can then ban for any desired time.
#
#     Probably needs to be combined with the bigger context of other rules.
#
#     See also:
#     https://askubuntu.com/questions/955425/allow-x-packets-per-second-with-same-data-length-iptables
#            And other questions from gamer-cs.
#
#     https://askubuntu.com/questions/818524/correctly-limit-ip-connections
#     https://chat.stackexchange.com/transcript/51426/2017/1/9
#
#     run as sudo
#

echo "Loading gamer-cs rule example version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

# Some definitions.
# Some of these are for the Smythies test computer. Change as required.
# The external interface name:
EXTIF="enp9s0"
# The external IP address
EXTIP="192.168.111.104"
# Obvious
PORT_TO_CHECK="27015"
UNIVERSE="0.0.0.0/0"

#Clearing any previous configuration
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD

# Otherwise, I can not seem to delete it later on
$IPTABLES -F ADD_TO_LIST

# Delete user defined chains
$IPTABLES -X

# Reset all IPTABLES counters
$IPTABLES -Z

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# ADD_TO_LIST
#     Called from the rate checker.
#     Add the IP/0 address to the bad guy list, and DROP the packet.
#     If desired, comment out the log rule.
#     Rate limit the logging.

$IPTABLES -N ADD_TO_LIST
$IPTABLES -A ADD_TO_LIST -m recent --mask 0.0.0.0 --set --name BADGUY_LIST
$IPTABLES -A ADD_TO_LIST -m limit --limit 3/m --limit-burst 2 -j LOG --log-prefix "BAD_ADD:" --log-level info
$IPTABLES -A ADD_TO_LIST -j DROP

# I (Smythies) need the following rule to prevent my ssh sessions from being locked out
# while testing/debugging
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Other INPUT chain rules might be needed before this, not sure.
#
# If there has been any activity on the bad guy list in the timeout time, then DROP any packet that meets the criteria.
# Limit logging (If desired, comment out the log rule).
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m limit --limit 3/m --limit-burst 2 -m recent --mask 0.0.0.0 --rcheck --hitcount 1 --seconds 3600 --name BADGUY_LIST -j LOG --log-prefix "BAD GUY:" --log-level info
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --mask 0.0.0.0 --update --hitcount 1 --seconds 3600 --name BADGUY_LIST -j DROP

# Do the actual rate limiting check
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --mask 0.0.0.0 --update --hitcount 10 --seconds 1 --name BAD_OR_NOT -j ADD_TO_LIST
$IPTABLES -A INPUT -i $EXTIF --protocol udp --destination-port $PORT_TO_CHECK -m length --length 128 -m recent --mask 0.0.0.0 --set --name BAD_OR_NOT -j ACCEPT

# O.K. at this point, carry on with other INPUT chain rules.

echo "gamer-cs rule example version $FWVER done.\n"
0
answered 24 July 2018 at 18:42
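As an added example (not code from the answer above), the following Python model mirrors the xt_recent behaviour the two scripts rely on, assuming the kernel default of 20 stamps per address: --set records a timestamp, --update --seconds --hitcount matches only when enough earlier timestamps fall inside the window. It replays the two step ban logic, including the --mask 0.0.0.0 variant, over a constructed packet trace standing in for the hping3 runs.

```python
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps kept per address (assumed)

class RecentList:
    """Model of one 'recent --name' list: a per-address ring of timestamps."""
    def __init__(self, mask="255.255.255.255"):
        self.mask = [int(m) for m in mask.split(".")]
        self.stamps = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def key(self, src):
        # --mask 0.0.0.0 (the Ver:0.02 variant) folds every source into one entry
        return ".".join(str(int(a) & m) for a, m in zip(src.split("."), self.mask))

    def set(self, src, now):
        """--set: record the current packet for this address."""
        self.stamps[self.key(src)].append(now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if the address is known and
        at least N earlier packets are younger than S seconds (the current packet
        is not counted); on a match the current packet is recorded as well."""
        k = self.key(src)
        if k not in self.stamps:
            return False
        if sum(1 for t in self.stamps[k] if t + seconds > now) < hitcount:
            return False
        self.stamps[k].append(now)
        return True

def filter_trace(packets, mask="255.255.255.255"):
    """Replay (time_s, src) packets through the script's INPUT chain logic."""
    badguy, bad_or_not = RecentList(mask), RecentList(mask)
    verdicts = []
    for now, src in packets:
        if badguy.update(src, now, 3600, 1):      # on the ban list: DROP, and
            verdicts.append("DROP")               # --update refreshes the ban
        elif bad_or_not.update(src, now, 1, 10):  # 10 hits in 1 s: ban + DROP
            badguy.set(src, now)
            verdicts.append("ADD_TO_LIST")
        else:
            bad_or_not.set(src, now)              # under the rate: ACCEPT
            verdicts.append("ACCEPT")
    return verdicts

def hping_trace(count, interval_s, src="192.168.111.249", start=0.0):
    """Constructed stand-in for an hping3 run: count packets at fixed spacing."""
    return [(start + i * interval_s, src) for i in range(count)]
```

With the 101 ms and 98 ms spacings of the two hping3 runs the model reproduces the counters shown above: 50 accepted, and 10 accepted then 1 ADD_TO_LIST and 39 dropped.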

It looks like you need to follow this guide:

sudo iptables -A OUTPUT -m limit --limit X/s -j ACCEPT
sudo iptables -A OUTPUT -j REJECT
0
answered 22 May 2018 at 18:31
  • 1
    That is not what I am talking about. Where is the payload length or total packet length here? – gamer-cs 13 September 2017 at 19:57
