Limit module, counters reset on ANY changes
Tomas Edwardsson
tommi@hp.is
Fri, 12 Apr 2002 13:55:46 +0000
I have been told that this is the intended behaviour of netfilter, but
I still need to fix it, and I am wondering if someone has a patch
or can point me in the general direction on how to change the behaviour
explained in this mail.
-----------------------------------------------------------------------------------
# Normal
#
[tommi@localhost tommi]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Sendmail 8.11.6/8.11.6; Fri, 12 Apr 2002 13:44:02 GMT
-----------------------------------------------------------------------------------
# More normal behaviour
#
[root@localhost root]# iptables -F
[root@localhost root]# iptables -A INPUT -p tcp --syn --dport 25 -j REJECT
[root@localhost root]# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-----------------------------------------------------------------------------------
# Now I'm gonna allow one mail per day to get delivered.
#
[root@localhost root]# iptables -I INPUT -p tcp --syn -m limit --limit '1/day' --limit-burst 1 --dport 25 -j ACCEPT
[root@localhost root]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Sendmail 8.11.6/8.11.6; Fri, 12 Apr 2002 13:50:03 GMT
quit
221 2.0.0 localhost closing connection
Connection closed by foreign host.
[root@localhost root]# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-----------------------------------------------------------------------------------
# NOW FOR THE PUNCHLINE
# Please note that I'm adding a rule to allow TCP connections to port 53,
# BUT I'm doing a telnet connection to port 25. Now why does this rule
# open for another connection to port 25? (mysterious)
#
[root@localhost root]# iptables -I INPUT -p tcp --dport 53 -j ACCEPT
[root@localhost root]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Sendmail 8.11.6/8.11.6; Fri, 12 Apr 2002 13:51:53 GMT
-----------------------------------------------------------------------------------
# Weird, here's the state of my tables:
[root@localhost root]# iptables -L -v -n
Chain INPUT (policy ACCEPT 927 packets, 97820 bytes)
 pkts bytes target  prot opt in  out  source     destination
    0     0 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:53
    2   120 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:25 flags:0x16/0x02 limit: avg 1/day burst 1
   15   900 REJECT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:25 flags:0x16/0x02 reject-with icmp-port-unreachable
- Tomas Edwardsson
- Unix Support
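What the session above shows is a consequence of how iptables talks to the kernel: `iptables -I` and `iptables -A` do not edit one rule in place, they read the whole table, modify the copy in userspace and push the complete table back (IPT_SO_SET_REPLACE). The kernel then initialises every match in the new table again, and the limit match's private data (its token bucket) is created with a full bucket, so the first packet after any rule change is accepted. Packet counters survive only because userspace reads them out and adds them back; the limit state is not carried over. The following Python model, added here as an illustration and not netfilter or iptables code, replays the mail's sequence under those rules. Time is modelled in seconds rather than jiffies, and the names `LimitMatch`, `Rule`, `Table`, `reproduce` and `refill_only` are this example's own, not netfilter identifiers.

```python
# Added example: model of the netfilter "limit" token bucket and of what a
# whole-table replace (what iptables -I/-A does) does to its state.
# Not netfilter code; time in seconds, the table is a plain list.

PERIODS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """Token bucket shaped like ipt_limit's per-rule state.

    cost       credit one packet consumes (seconds per packet at --limit)
    credit_cap bucket size (--limit-burst packets worth of credit)
    credit     current fill, refilled by wall-clock time since last packet
    """

    def __init__(self, limit, burst, now):
        count, unit = limit.split("/")
        self.cost = PERIODS[unit] / int(count)
        self.credit_cap = burst * self.cost
        # A freshly loaded rule starts with a FULL bucket: this is why a
        # table replace immediately lets one more packet through.
        self.credit = self.credit_cap
        self.prev = now

    def match(self, now):
        # Refill by elapsed time, clamp to the cap, then try to spend one cost.
        self.credit = min(self.credit + (now - self.prev), self.credit_cap)
        self.prev = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


class Rule:
    def __init__(self, dport, target, syn_only=False, limit=None, burst=5, now=0.0):
        self.dport, self.target, self.syn_only = dport, target, syn_only
        self.limit = LimitMatch(limit, burst, now) if limit else None
        self.spec = (dport, target, syn_only, limit, burst)  # what userspace sees
        self.pkts = 0

    def matches(self, pkt, now):
        if pkt["dport"] != self.dport or (self.syn_only and not pkt["syn"]):
            return False
        # limit is checked last, so it only spends credit on packets that
        # already matched the rest of the rule
        return self.limit.match(now) if self.limit else True


class Table:
    """INPUT chain with policy ACCEPT, replaced wholesale on every change."""

    def __init__(self):
        self.rules = []

    def _replace(self, entries, now):
        # entries: [(spec, pkts)]. Every match gets new private data (a new
        # LimitMatch); packet counters are restored the way iptables pushes
        # them back after a replace.
        self.rules = []
        for spec, pkts in entries:
            r = Rule(*spec, now=now)
            r.pkts = pkts
            self.rules.append(r)

    def append(self, rule, now):
        self._replace([(r.spec, r.pkts) for r in self.rules] + [(rule.spec, 0)], now)

    def insert(self, rule, now):
        self._replace([(rule.spec, 0)] + [(r.spec, r.pkts) for r in self.rules], now)

    def verdict(self, pkt, now):
        for rule in self.rules:
            if rule.matches(pkt, now):
                rule.pkts += 1
                return rule.target
        return "ACCEPT"  # chain policy


def syn(dport):
    return {"dport": dport, "syn": True}


def reproduce():
    """Replay the mail's session: verdict per telnet, then final pkts counters."""
    t = Table()
    t.append(Rule(25, "REJECT", syn_only=True), now=0)                          # -A ... --dport 25 -j REJECT
    t.insert(Rule(25, "ACCEPT", syn_only=True, limit="1/day", burst=1), now=10)  # -I ... -m limit ... -j ACCEPT
    verdicts = [t.verdict(syn(25), now=20), t.verdict(syn(25), now=30)]
    t.insert(Rule(53, "ACCEPT"), now=40)   # unrelated port, but the whole table is replaced
    verdicts.append(t.verdict(syn(25), now=50))
    return verdicts, [r.pkts for r in t.rules]


def refill_only():
    """Same rules left untouched: the next accept comes only once a day has passed."""
    t = Table()
    t.append(Rule(25, "REJECT", syn_only=True), now=0)
    t.insert(Rule(25, "ACCEPT", syn_only=True, limit="1/day", burst=1), now=0)
    return [t.verdict(syn(25), now=s) for s in (1, 3600, 86399, 86401)]
```

`reproduce()` yields `ACCEPT, REJECT, ACCEPT` with counters `[0, 2, 1]`, matching the `-L -v` output above (two accepted SYNs on the limit rule, preserved across the replace, while the bucket itself was rebuilt). `refill_only()` shows the intended behaviour when nothing reloads the table: the second connection is accepted only after the full day of credit has accumulated. Any change to the ruleset, on any port, is therefore a way to bypass a `limit`-based rate cap, which is what makes this matter beyond a curiosity.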