使用 iptables 限制数据包大小

Question

这将执行您所要求的操作（更改您的计算机的接口名称）：

doug@s19:~/iptables/misc$ cat length-limit
#!/bin/sh
FWVER=0.01
#
# length-limit 2022.08.07 Ver:0.01
#       test packet length syntax
#       For a test.
#       see also ask 1422353.
#
echo "length-limit packets. $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

# Set some stuff
# Adjust these values for your system.
#
EXTIF="br0"
UNIVERSE="0.0.0.0/0"
LAN="192.168.111.0/24"

# Clear old INPUT table rules
#
$IPTABLES -F INPUT

# Check the BAD GUY list for already banned IPs:
# Use a short timeout for testing, but suggest longer for real use.
# Consider using a bit mask here, as often bad guys just move to a different IP on the same subnet.
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 30 --name BADGUY_LONG -j DROP

# Not sure the max payload length, but it is 16 bits, so try 65535.
# And if one tries 65536 the below error is generated:
# iptables v1.8.4 (nf_tables): length: bad value for option "--length" near "65536", or out of range (0-65535).
$IPTABLES -A INPUT -i $EXTIF -m length --length 1500:65535 -m recent --set --name BADGUY_LONG -j DROP

其结果是：

doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3     4498 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 30 hit_count: 1 name: BADGUY_LONG side: source mask: 255.255.255.255
       1     1500 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            length 1500:65535 recent: SET name: BADGUY_LONG side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

我在另一台计算机上用以下命令对其进行了测试：

doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1471 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1471(1499) bytes of data.
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=1 ttl=64 time=0.545 ms
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=2 ttl=64 time=0.575 ms

--- s19.smythies.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1028ms
rtt min/avg/max/mdev = 0.545/0.560/0.575/0.015 ms
doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1472 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1472(1500) bytes of data.

--- s19.smythies.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1014ms

doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1471 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1471(1499) bytes of data.

--- s19.smythies.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1028ms

doug@s15:~/diag/tcpdump/captures/035$ sleep 30
doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1471 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1471(1499) bytes of data.
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=1 ttl=64 time=0.573 ms
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=2 ttl=64 time=0.529 ms

--- s19.smythies.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.529/0.551/0.573/0.022 ms

Answer 1

这将执行您所要求的操作（更改您的计算机的接口名称）：

doug@s19:~/iptables/misc$ cat length-limit
#!/bin/sh
FWVER=0.01
#
# length-limit 2022.08.07 Ver:0.01
#       test packet length syntax
#       For a test.
#       see also ask 1422353.
#
echo "length-limit packets. $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

# Set some stuff
# Adjust these values for your system.
#
EXTIF="br0"
UNIVERSE="0.0.0.0/0"
LAN="192.168.111.0/24"

# Clear old INPUT table rules
#
$IPTABLES -F INPUT

# Check the BAD GUY list for already banned IPs:
# Use a short timeout for testing, but suggest longer for real use.
# Consider using a bit mask here, as often bad guys just move to a different IP on the same subnet.
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 30 --name BADGUY_LONG -j DROP

# Not sure the max payload length, but it is 16 bits, so try 65535.
# And if one tries 65536 the below error is generated:
# iptables v1.8.4 (nf_tables): length: bad value for option "--length" near "65536", or out of range (0-65535).
$IPTABLES -A INPUT -i $EXTIF -m length --length 1500:65535 -m recent --set --name BADGUY_LONG -j DROP

其结果是：

doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3     4498 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 30 hit_count: 1 name: BADGUY_LONG side: source mask: 255.255.255.255
       1     1500 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            length 1500:65535 recent: SET name: BADGUY_LONG side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

我在另一台计算机上用以下命令对其进行了测试：

doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1471 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1471(1499) bytes of data.
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=1 ttl=64 time=0.545 ms
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=2 ttl=64 time=0.575 ms

--- s19.smythies.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1028ms
rtt min/avg/max/mdev = 0.545/0.560/0.575/0.015 ms
doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1472 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1472(1500) bytes of data.

--- s19.smythies.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1014ms

doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1471 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1471(1499) bytes of data.

--- s19.smythies.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1028ms

doug@s15:~/diag/tcpdump/captures/035$ sleep 30
doug@s15:~/diag/tcpdump/captures/035$ ping -c 2 -s 1471 s19
ping: socket: Address family not supported by protocol
PING s19.smythies.com (192.168.111.136) 1471(1499) bytes of data.
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=1 ttl=64 time=0.573 ms
1479 bytes from s19.smythies.com (192.168.111.136): icmp_seq=2 ttl=64 time=0.529 ms

--- s19.smythies.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.529/0.551/0.573/0.022 ms

使用 iptables 限制数据包大小

答案1

相关内容