IPTables - rules not working

I'm working on some new rules but can't seem to get them to work at the moment. The error I keep getting is `iptables: Applying firewall rules: iptables-restore: line 36 failed`, and line 36 is the COMMIT.

I did move the COMMIT around to see if I could narrow down the problem, and I think it might be related to `-A LIMIT_INDIVIDUAL_CURRENT -m recent --update --seconds 300 --hitcount 200 -j DROP`. Anyone have any ideas?

*filter
:INPUT DROP [13:672]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1604:100070]
:LIMIT_INDIVIDUAL_NEW - [0:0]
:LIMIT_INDIVIDUAL_CURRENT - [0:0]
:LIMIT_OVERALL_NEW - [0:0]
-A INPUT -i lo -j ACCEPT
#Apache
-A INPUT -p tcp --dport 80 -m state --state RELATED,ESTABLISHED -j LIMIT_INDIVIDUAL_CURRENT
-A INPUT -p tcp --dport 80 --syn -m state --state NEW -j LIMIT_INDIVIDUAL_NEW
#Teamspeak
-A INPUT -p tcp --dport 30033 -m state --state RELATED,ESTABLISHED -j LIMIT_INDIVIDUAL_CURRENT
-A INPUT -p tcp --dport 30033 --syn -m state --state NEW -j LIMIT_INDIVIDUAL_NEW
-A INPUT -p tcp --dport 10011 -m state --state RELATED,ESTABLISHED -j LIMIT_INDIVIDUAL_CURRENT
-A INPUT -p tcp --dport 10011 --syn -m state --state NEW -j LIMIT_INDIVIDUAL_NEW
-A INPUT -p udp --dport 9987 -j ACCEPT
#Iptables DoS and Slowloris mitigation
-A LIMIT_INDIVIDUAL_CURRENT -m recent --set
-A LIMIT_INDIVIDUAL_CURRENT -p tcp --tcp-flags FIN FIN -m recent --remove
-A LIMIT_INDIVIDUAL_CURRENT -m recent --update --seconds 300 --hitcount 200 -j DROP
-A LIMIT_INDIVIDUAL_CURRENT -j ACCEPT
-A LIMIT_INDIVIDUAL_NEW -m recent --set
-A LIMIT_INDIVIDUAL_NEW -m recent --update --seconds 1 --hitcount 30 -j DROP
-A LIMIT_INDIVIDUAL_NEW -j LIMIT_OVERALL_NEW
-A LIMIT_OVERALL_NEW -m limit --limit 500/second -j ACCEPT
-A LIMIT_OVERALL_NEW -j DROP
COMMIT

Answer 1

I tried this, and it looks like your suspicion is correct:

[root@risby home]# iptables -A FOO -m recent --update --seconds 300 --hitcount 200 -j DROP
iptables: Invalid argument. Run `dmesg' for more information.

[root@risby home]# dmesg|tail -1
[1141835.281122] xt_recent: hitcount (200) is larger than packets to be remembered (20)

man iptables reveals the following:

   --hitcount hits
          This option must be used in conjunction with one of --rcheck or
          --update.  When used, this will narrow the match to only happen
          when the address is in the list and packets had  been  received
          greater  than  or  equal to the given value. This option may be
          used along with --seconds to  create  an  even  narrower  match
          requiring  a  certain  number  of  hits  within a specific time
          frame. The maximum value for the hitcount parameter is given by
          the "ip_pkt_list_tot" parameter of the xt_recent kernel module.
          Exceeding this value on the command line will cause the rule to
          be rejected.

So if I were you, I'd try dropping that 200 to 10, and if that fixes things (or at least gets past that line), you've identified the problem. I ran strings on the kernel module and looked for that parameter, and found the following two entries in it:

parm=ip_pkt_list_tot:number of packets per IP address to remember (max. 255)
parmtype=ip_pkt_list_tot:uint

This tells me that the parameter can be set as a module parameter at load time, but in no case can it exceed 255. That limit makes me think that even recompiling your own kernel wouldn't help; you'd have to rewrite the module to use a counter of more than one byte (uint = unsigned integer), and I suspect that isn't on the agenda.

Hopefully the above sheds some light on the issue and suggests a possible remedy.
