iptables Hashlimit Rate Not Working as Expected


I wrote the following firewall rule:

iptables -A INPUT -m hashlimit --hashlimit 1/hour --hashlimit-burst 3 --hashlimit-mode srcip,dstport --hashlimit-name ssh -j ACCEPT

I was expecting the burst to be recharged by 1 after one hour, but actually it is recharged by one even sooner than one minute. I am sending messages from the same source IP and same destination port, so I was expecting it to accept 3 connections and then 1 per hour. But it is accepting more (one every 20-30 seconds). If I use --limit 1/hour I can observe the expected behaviour, but I need to use hashlimit because I need to filter per srcip and dstport. What am I doing wrong?
Thank you!

Best Answer

I think you are running into expiring entries. An excerpt from the manpage:

  --hashlimit-burst amount
         Maximum initial number of packets to match: this number gets recharged by
         one every time the limit specified above is not reached, up to this number;
         the default  is  5. When  byte-based rate matching is requested, this
         option specifies the amount of bytes that can exceed the given rate.
         This option should be used with caution -- if the entry expires, the burst
         value is reset too.

And the amount of time any hash entry is saved is specified with the option --hashlimit-htable-expire. I do not know what the default value for this entry is, but I guess it is a lot shorter than one hour, which would explain why you can connect faster than the expected amount.

You should consider tuning those values some more, allowing one per minute for example - in this case, your server only has to remember the last minute's IPs, and not the last hour worth of IPs.
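The answer above attributes the extra accepts to hash entries expiring and resetting the burst. As an added illustration, not part of the original answer and not iptables code, the following Python model plays a constructed packet stream through a token bucket with an idle timeout, the way the manpage excerpt describes hashlimit: credits recharge by one per rate interval up to the burst, every packet refreshes the entry's timeout, and an entry that sits idle longer than the expire value is dropped, which hands the next packet a full burst again. It runs the same stream once with a short expire value and once with the expire set to one rate interval, and builds the rule with an explicit --hashlimit-htable-expire. The 10 s expire value, the client address 203.0.113.5 and the 25 s packet spacing are constructed assumptions, not iptables defaults; --hashlimit-upto is the current spelling of --hashlimit.

```python
"""Simplified model of the xt_hashlimit token bucket and its entry expiry.

Added illustration for the question above; this is not iptables code, and the
constructed values below are assumptions rather than measured defaults.
"""
from dataclasses import dataclass

# Seconds in each unit accepted by a rate such as "1/hour" or "5/min".
UNIT_SECONDS = {"sec": 1, "second": 1, "min": 60, "minute": 60,
                "hour": 3600, "day": 86400}


def parse_rate(rate: str) -> float:
    """Seconds per credit for a --hashlimit-upto rate, e.g. '1/hour' -> 3600.0."""
    count, unit = rate.split("/")
    return UNIT_SECONDS[unit.rstrip("s")] / int(count)


@dataclass
class HashlimitConfig:
    rate: str        # --hashlimit-upto, e.g. "1/hour"
    burst: int       # --hashlimit-burst
    expire_ms: int   # --hashlimit-htable-expire (milliseconds)


@dataclass
class Entry:
    credits: float     # tokens left, starts at the burst value
    last_seen: float   # time of the last packet that hit this entry
    expires_at: float  # time after which the entry is garbage-collected


def simulate(packets, cfg):
    """Return one True (ACCEPT) / False (no match) decision per (time_s, key) packet.

    Packets must be given in time order. The key is whatever --hashlimit-mode
    selects, here a constructed (srcip, dstport) tuple.
    """
    interval = parse_rate(cfg.rate)
    expire = cfg.expire_ms / 1000.0
    table = {}
    decisions = []
    for now, key in packets:
        entry = table.get(key)
        if entry is not None and now >= entry.expires_at:
            del table[key]   # idle entry expired: the burst is reset too
            entry = None
        if entry is None:
            # Fresh entry: full burst, as the manpage says.
            entry = Entry(credits=cfg.burst, last_seen=now, expires_at=now + expire)
            table[key] = entry
        else:
            # Recharge one credit per rate interval since the last packet, capped.
            elapsed = now - entry.last_seen
            entry.credits = min(cfg.burst, entry.credits + elapsed / interval)
            entry.last_seen = now
            entry.expires_at = now + expire   # every packet refreshes the timeout
        if entry.credits >= 1:
            entry.credits -= 1
            decisions.append(True)
        else:
            decisions.append(False)
    return decisions


def accepted_count(packets, cfg):
    return sum(simulate(packets, cfg))


def min_expire_ms(cfg):
    """Smallest expire that keeps a slow sender's entry alive for one rate interval."""
    return int(parse_rate(cfg.rate) * 1000)


def build_rule(cfg, name, dport=22):
    """Assemble the rule with an explicit expire; -p tcp --dport is an assumption."""
    return (f"iptables -A INPUT -p tcp --dport {dport} -m hashlimit "
            f"--hashlimit-upto {cfg.rate} --hashlimit-burst {cfg.burst} "
            f"--hashlimit-mode srcip,dstport --hashlimit-name {name} "
            f"--hashlimit-htable-expire {cfg.expire_ms} -j ACCEPT")


# Constructed input: one client, one packet every 25 s for ten packets.
KEY = ("203.0.113.5", 22)
BURSTY_CLIENT = [(25.0 * i, KEY) for i in range(10)]

# Constructed "short expire" case (10 s, an assumption) versus one rate interval.
SHORT_EXPIRE = HashlimitConfig("1/hour", 3, 10_000)
FIXED = HashlimitConfig("1/hour", 3, min_expire_ms(HashlimitConfig("1/hour", 3, 0)))

if __name__ == "__main__":
    print("accepted with 10 s expire:", accepted_count(BURSTY_CLIENT, SHORT_EXPIRE))
    print("accepted with 1 h expire: ", accepted_count(BURSTY_CLIENT, FIXED))
    print(build_rule(FIXED, "ssh"))
```

With the short expire every packet arrives after the previous entry was collected, so each one is treated as a new client and accepted. With the expire set to at least the rate interval the same stream gets its three-packet burst and then roughly one accept per hour, which is the behaviour the question expected; a client that pauses longer than the expire value still gets a fresh burst, but by then it is under the rate anyway.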