Limit getting reset
Tomas Edwardsson
tommi@tommi.org
Thu, 26 Jul 2001 16:58:32 +0000
Hi
I'm having problems with the limit module. What I have been doing is
setting "--limit 1/day --limit-burst 1 --syn" so that only one connection
should get through ideally. This works completely.
The real problem is that I set a limit, then someone connects through it
and it works. But later I have to set a new rule for a different user
and it goes in, but the limit for the rule I set before is reset. I
have a comprehensive demo on how this happens in the attached file
including my version of linux (2.4.7) and iptables (1.2.2). Any help
is greatly appreciated. Thanks.
- Tomas Edwardsson
- Linux/Unix Support
- Opin Kerfi
- Iceland
Attachment: limit-demo.txt
[root@fw-node31 iptables]# iptables -L -vn
Chain INPUT (policy ACCEPT 63 packets, 6422 bytes)
pkts bytes target prot opt in out source destination
54 3398 ONE_TIME all -- * * 0.0.0.0/0 0.0.0.0/0
4 240 REJECT tcp -- * * 127.0.0.1 127.0.0.1 state INVALID,NEW tcp dpt:25 reject-with icmp-port-unreachable
0 0 LOG all -- eth0 * !10.0.0.0/8 10.193.2.28 state INVALID,NEW LOG flags 0 level 4 prefix `FF Rejected '
0 0 REJECT all -- eth0 * !10.0.0.0/8 10.193.2.28 state INVALID,NEW reject-with icmp-proto-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 55 packets, 3606 bytes)
pkts bytes target prot opt in out source destination
Chain ONE_TIME (1 references)
pkts bytes target prot opt in out source destination
[root@fw-node31 iptables]# telnet localhost 25
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[root@fw-node31 iptables]# iptables -A ONE_TIME -m limit -j ACCEPT -p tcp --syn --limit 1/day --limit-burst 1 -s 127.0.0.1 -d 127.0.0.1 --destination-port 25
[root@fw-node31 iptables]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 fw-node31.tommi.org ESMTP Sendmail 8.11.2/8.11.2; Thu, 26 Jul 2001 16:46:05 GMT
quit
221 2.0.0 fw-node31.tommi.org closing connection
Connection closed by foreign host.
[root@fw-node31 iptables]# telnet localhost 25
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[root@fw-node31 iptables]# iptables -A ONE_TIME -m limit -j ACCEPT -p tcp --syn --limit 1/day --limit-burst 1 -s 127.0.0.1 -d 127.0.0.1 --destination-port 26
[root@fw-node31 iptables]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 fw-node31.tommi.org ESMTP Sendmail 8.11.2/8.11.2; Thu, 26 Jul 2001 16:46:19 GMT
quit
221 2.0.0 fw-node31.tommi.org closing connection
Connection closed by foreign host.
[root@fw-node31 iptables]# iptables -L -vn
Chain INPUT (policy ACCEPT 111 packets, 9460 bytes)
pkts bytes target prot opt in out source destination
108 6796 ONE_TIME all -- * * 0.0.0.0/0 0.0.0.0/0
8 480 REJECT tcp -- * * 127.0.0.1 127.0.0.1 state INVALID,NEW tcp dpt:25 reject-with icmp-port-unreachable
0 0 LOG all -- eth0 * !10.0.0.0/8 10.193.2.28 state INVALID,NEW LOG flags 0 level 4 prefix `FF Rejected '
0 0 REJECT all -- eth0 * !10.0.0.0/8 10.193.2.28 state INVALID,NEW reject-with icmp-proto-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 108 packets, 7004 bytes)
pkts bytes target prot opt in out source destination
Chain ONE_TIME (1 references)
pkts bytes target prot opt in out source destination
2 120 ACCEPT tcp -- * * 127.0.0.1 127.0.0.1 limit: avg 1/day burst 1 tcp dpt:25 flags:0x16/0x02
0 0 ACCEPT tcp -- * * 127.0.0.1 127.0.0.1 limit: avg 1/day burst 1 tcp dpt:26 flags:0x16/0x02
[root@fw-node31 iptables]# uname -a
Linux fw-node31.tommi.org 2.4.7 #2 Fim Júl 26 16:03:05 GMT 2001 i686 unknown
[root@fw-node31 iptables]# iptables --version
iptables v1.2.2
[root@fw-node31 iptables]#
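The sequence in the attached transcript, modelled in Python as an added example (not code from the netfilter project or from the poster): the limit match is a token bucket, and if appending a rule rebuilds that bucket while carrying the packet counters over, the session plays out exactly as recorded (one extra SYN accepted on port 25 after the port-26 rule is added, and 2 pkts on the port-25 rule). That each iptables call replaces the whole table and reinitialises the bucket is the modelled assumption; the timestamps are constructed.

```python
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """One '-m limit --limit N/unit --limit-burst B' rule as a token bucket."""

    def __init__(self, limit, burst, now=0.0):
        count, unit = limit.split("/")
        self.limit, self.burst = limit, burst
        self.rate = int(count) / UNIT_SECONDS[unit]  # tokens refilled per second
        self.tokens = float(burst)                    # a freshly loaded rule starts full
        self.last = now
        self.packets = 0                              # the 'pkts' counter of the rule

    def match(self, now):
        """Refill by elapsed time (capped at burst), then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        self.packets += 1
        return True


class Table:
    """Minimal model of the ONE_TIME chain: one limit rule per destination port."""

    def __init__(self):
        self.rules = {}

    def append(self, dport, limit, burst, now, keep_state):
        # Modelled assumption: every iptables call replaces the whole table.
        # keep_state=False rebuilds each bucket (what the transcript shows);
        # the packet counters are carried over either way.
        rebuilt = {}
        for port, old in self.rules.items():
            new = LimitMatch(old.limit, old.burst, now)
            new.packets = old.packets
            if keep_state:
                new.tokens, new.last = old.tokens, old.last
            rebuilt[port] = new
        rebuilt[dport] = LimitMatch(limit, burst, now)
        self.rules = rebuilt

    def syn(self, dport, now):
        """True if a SYN to dport is ACCEPTed, False if it falls through to REJECT."""
        rule = self.rules.get(dport)
        return rule is not None and rule.match(now)


def replay(keep_state):
    """Replay the transcript with constructed times; returns (verdicts, pkts on dpt:25)."""
    t, out = Table(), []
    out.append(t.syn(25, 0))                   # no rule yet: connection refused
    t.append(25, "1/day", 1, 1, keep_state)
    out.append(t.syn(25, 2))                   # first SYN accepted
    out.append(t.syn(25, 3))                   # second SYN refused
    t.append(26, "1/day", 1, 4, keep_state)
    out.append(t.syn(25, 5))                   # accepted again only if the bucket was rebuilt
    return out, t.rules[25].packets
```

With keep_state=False the replay reproduces the attachment (a second accepted SYN after the unrelated rule is added); with keep_state=True the 1/day limit would hold across the rule change.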