netfilter, nat & packet floods?

Tuomas Heino iheino@cc.hut.fi
Sun, 26 Nov 2000 23:41:02 +0200 (EET)


Anyone know how to properly filter packet floods using iptables w/ nat?

From my point of view 2.4.x:ish connection tracking seems to be quite
a bit more vulnerable to packet flooding than the 2.2.x:ish
IP Masquerading used to be (when using default configuration that is).

First we try to make both input & output flood-filtered:
iptables -t nat -I PREROUTING -j floodprot
iptables -t nat -I OUTPUT -j floodprot

For example the following rule seems to match no packets:
iptables -t nat -A floodprot -p tcp --tcp-flags ALL NONE -j DROP

(According to the documentation --tcp-flags ALL NONE should match the
so-called "Null scan", aka nmap -sN)

The following rules seem to rate-limit ping & traceroute properly:

iptables -t nat -A floodprot -p icmp --icmp-type echo-request -m limit \
 --limit 4/s ! -f -j RETURN
iptables -t nat -A floodprot -p icmp --icmp-type echo-request -j DROP
iptables -t nat -A floodprot -p udp --dport 33400:33499 --sport \
 50000:65535 -m limit --limit 4/s ! -f -j RETURN
iptables -t nat -A floodprot -p udp --dport 33400:33499 --sport \
 50000:65535 -j DROP

But is there a better (=simpler) way to do that?

Also if I happen to have a bunch of interfaces that are not supposed to
get any routing and/or nat from this box, tracking connections on them
seems to be a waste of resources to me - there probably is no way to turn
connection tracking off for some interface pairs?
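As an added example (not from the original post), the same floodprot chain built in the filter table, whose INPUT and FORWARD hooks inspect every packet, whereas the nat table is only consulted for the first packet of a new connection. The IPT dry-run variable, the burst size and the rule-count helper are this example's own assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example: floodprot chain in the filter table instead of nat.
# Assumes iptables with the limit match. Set IPT=echo to dry-run and
# print the rules instead of loading them (loading needs root).
IPT="${IPT:-iptables}"
RATE="${RATE:-4/s}"      # same 4 packets/second the post used
BURST="${BURST:-8}"      # assumption: small burst before limiting kicks in

floodprot_setup() {
    $IPT -N floodprot 2>/dev/null   # ignore "chain exists" on reruns
    $IPT -F floodprot

    # Null scan (no TCP flags set) and the SYN+FIN combination: both are
    # bogus on every packet, so they are dropped outright here.
    $IPT -A floodprot -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A floodprot -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # Echo requests: let $RATE unfragmented packets through, drop the rest.
    $IPT -A floodprot -p icmp --icmp-type echo-request ! -f \
        -m limit --limit "$RATE" --limit-burst "$BURST" -j RETURN
    $IPT -A floodprot -p icmp --icmp-type echo-request -j DROP

    # Traceroute probes, using the port ranges from the post.
    $IPT -A floodprot -p udp --dport 33400:33499 --sport 50000:65535 ! -f \
        -m limit --limit "$RATE" --limit-burst "$BURST" -j RETURN
    $IPT -A floodprot -p udp --dport 33400:33499 --sport 50000:65535 -j DROP

    # Hook the chain in front of local and forwarded (nat'd) traffic.
    $IPT -I INPUT 1 -j floodprot
    $IPT -I FORWARD 1 -j floodprot
}

# Dry-run helper: number of rules the chain would receive.
floodprot_rule_count() {
    IPT=echo floodprot_setup | grep -c -- '-A floodprot'
}
```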