[RndTbl] Bizarre netfilter behaviour

Trevor Cordes trevor at tecnopolis.ca
Sat Jan 21 02:41:58 CST 2012


On 2012-01-11 John Lange wrote:
> 
> iptables -A input_ext -m limit --limit 3/min -m conntrack --ctstate
> NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options
> --log-ip-options
> 
> In short, limit to 3 new connections per minute.

Better late than never... here's my 2c (I'd consider myself a netfilter
wizard, toot toot)

If the rules mostly work except for the small limits, just up the limit
for that one rule.  Setting it to something like 100-1000 should be OK
and still stop floods.  If this box is behind a firewall (i.e. not
exposed to the internet) then deleting the rule completely should be
safe.

> It seems like netfilter blocked the ip on the rate limit rule and now
> its "stuck".

Nah, it doesn't do that.  As soon as you flush the rules, they are
gone.  Any conntrack remaining would time out and disappear as a
limitation.  Must be something else.

I would strongly suspect that your default policies are set to DROP?
You could try setting them to ACCEPT.  Dan Martin's script had this
near the end.

If you're still stuck, send your output from:
iptables -L -n -v

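The two checks suggested in the reply, as an added example (shell) that is not code from the original thread: a function that emits the quoted LOG rule with a higher limit and burst, and functions that read the output of iptables -L -n -v to flag built-in chains whose default policy is DROP, show the current limit on any rate-limited rule, and emit the -P ACCEPT commands for the quick test. The chain name input_ext and the log prefix are taken from the quoted rule; the listing in SAMPLE_LISTING is a constructed sample, not real output, so the script runs without root. One caveat on the quoted rule: LOG is a non-terminating target, so the limit match throttles only the log entries, and whatever rule follows it does the actual dropping.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original post.
# Assumes the chain name (input_ext) and log prefix of the quoted rule.

# Emit the quoted LOG rule with a higher rate and burst.
# rate uses iptables --limit syntax (e.g. 500/min); burst is a packet count.
limit_log_rule() {
    chain=$1 rate=$2 burst=$3
    printf 'iptables -A %s -m limit --limit %s --limit-burst %s -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options\n' \
        "$chain" "$rate" "$burst"
}

# Read "iptables -L -n -v" output on stdin and print every built-in chain
# whose default policy is DROP (the first thing to check when traffic
# stays blocked after the rules have been flushed).
drop_policy_chains() {
    awk '/^Chain / && /policy DROP/ { print $2 }'
}

# Read the same listing on stdin and print "chain avg-limit" for every
# rule that uses the limit match, so the small limit is easy to spot.
limit_rules() {
    awk '/^Chain / { chain = $2 }
         /limit: avg/ { for (i = 1; i <= NF; i++) if ($i == "avg") print chain, $(i + 1) }'
}

# Read the listing on stdin and emit the commands that open the default
# policies for the test suggested in the reply (only sensible on a box
# that is not exposed to the internet).
accept_policy_cmds() {
    drop_policy_chains | while read -r chain; do
        printf 'iptables -P %s ACCEPT\n' "$chain"
    done
}

# Constructed sample of "iptables -L -n -v" output (not captured from a host):
# INPUT and FORWARD default to DROP, and input_ext carries the 3/min LOG rule.
SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6000 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 500 packets, 40000 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW limit: avg 3/min burst 5 LOG flags 7 level 4 prefix "SFW2-INext-DROP-DEFLT "'

# Usage: on a real host replace the sample with "iptables -L -n -v | ...".
printf '%s\n' "$SAMPLE_LISTING" | drop_policy_chains   # INPUT, FORWARD
printf '%s\n' "$SAMPLE_LISTING" | limit_rules          # input_ext 3/min
printf '%s\n' "$SAMPLE_LISTING" | accept_policy_cmds
limit_log_rule input_ext 500/min 50                     # replacement rule
```

The awk parsers key on the "Chain NAME (policy ...)" header lines and the "limit: avg N/unit" text that iptables prints for the limit match, so they work on the verbose listing as asked for in the reply; the limit_log_rule output is only printed, not executed, so it can be reviewed before being applied with root.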
