limit match bug

Olivier Baudron Olivier.Baudron@ens.fr
Wed, 05 Jul 2000 20:28:34 +0200


I have iptables-1.1.0.
On my PC, I want to filter everything except the ssh port. I also want to limit
the rate of syn-flood on this port since my ISP charges me for upload. So, I
have a line which reads:

iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 12/m \
         --limit-burst 3 -j ACCEPT

I noticed that I could not ssh to my PC if someone syn-scanned it. What happens
is that:
1. the match is done on tcp protocol and syn flag
2. then there is a match on the limit
3. and last, there is a match on the destination port
Really, I do think that the right order should be 1-3-2. Otherwise, there is
only a global limit on all SYN packets, which is not what is expected.

Of course, I resolved the problem by adding an auxiliary chain, sent tcp/22/syn
packets to it and then limited the rate in this auxiliary chain. But I really
think there is a problem with the match order which should be fixed.

Olivier.
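Added example (not part of the message above, and not netfilter code): a small
simulation of how one rule's matches are evaluated, to show why the position of
the stateful limit match matters. The limit match is modelled as a token bucket
that consumes a token every time it is evaluated and finds one, so when it runs
before the --dport check, SYNs to other ports drain the bucket and a later SSH
SYN is dropped. The packet timings, port range and the names Packet, LimitMatch
and simulate are constructed for the demo; the second evaluation order is what
the auxiliary-chain workaround achieves, since the jump happens only after the
tcp/22/syn checks.

```python
"""Simulation of iptables match ordering for one ACCEPT rule in a chain
whose policy is DROP (constructed example, not netfilter code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Packet:
    proto: str
    dport: int
    syn: bool
    t: float  # arrival time in seconds (constructed)


class LimitMatch:
    """Token bucket modelled on `-m limit --limit N/m --limit-burst B`.

    A token is consumed as soon as the match is evaluated and finds one,
    regardless of whether a later match in the same rule fails.
    """

    def __init__(self, per_minute: float, burst: int):
        self.rate = per_minute / 60.0  # tokens per second
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def __call__(self, pkt: Packet) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last) * self.rate)
        self.last = pkt.t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def build_matches() -> Dict[str, Callable[[Packet], bool]]:
    """The four matches of the rule from the message: tcp, --syn, --dport 22,
    and -m limit --limit 12/m --limit-burst 3."""
    return {
        "tcp": lambda p: p.proto == "tcp",
        "syn": lambda p: p.syn,
        "dport": lambda p: p.dport == 22,
        "limit": LimitMatch(per_minute=12, burst=3),
    }


def simulate(order: List[str], packets: List[Packet]) -> int:
    """Evaluate the rule with its matches run in `order` over `packets`.

    Evaluation short-circuits at the first failing match, as the kernel does.
    Returns how many SYNs to port 22 the rule accepted; everything else
    falls through to the DROP policy.
    """
    matches = build_matches()  # fresh token bucket per simulation
    accepted_ssh = 0
    for pkt in packets:
        if all(matches[name](pkt) for name in order):
            if pkt.dport == 22:
                accepted_ssh += 1
    return accepted_ssh


def scan_then_ssh() -> List[Packet]:
    """Constructed traffic: a SYN scan of 20 ports other than 22, followed
    0.1 s later by one legitimate SSH connection attempt."""
    scan = [Packet("tcp", port, True, 0.0) for port in range(1, 21)]
    return scan + [Packet("tcp", 22, True, 0.1)]


if __name__ == "__main__":
    order_1_2_3 = ["tcp", "syn", "limit", "dport"]  # order the message observed
    order_1_3_2 = ["tcp", "syn", "dport", "limit"]  # order the auxiliary chain gives
    print("limit before dport: SSH SYNs accepted =", simulate(order_1_2_3, scan_then_ssh()))
    print("dport before limit: SSH SYNs accepted =", simulate(order_1_3_2, scan_then_ssh()))
```

With the limit evaluated before the port check, the scan's first three SYNs
use up the burst and the SSH SYN arriving 0.1 s later finds no token; with
the port check first, the scan never touches the bucket and the SSH SYN is
accepted. Running the script prints 0 for the first order and 1 for the second.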