Ratelimiting with latest iptables gives error

Due to the large number of bots accessing my web server too many times per second, I went to my server and issued the following commands, trying to limit the connections to a maximum of 25 in 5 seconds. Maybe I need to be more restrictive, but I'm not because I have one rarely accessed page that asks for 50 images, and 51 connections may be required, and I don't want users to wait forever for the remaining 26 images.

    iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
    iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 5 --hitcount 26 -j DROP

The first command works (checked with iptables -nL), but the second command immediately returns this message: iptables: Invalid argument. Run "dmesg" for more information.

As soon as I had done that, I got the following at the end:

    Call Trace:
    <IRQ>
    [<ffffffff8112f7ba>] ? __alloc_pages_nodemask+0x74a/0x8d0
    [<ffffffff81299270>] ? swiotlb_map_page+0x0/0x100
    [<ffffffff8116e282>] ? kmem_getpages+0x62/0x170
    [<ffffffff8116ee9a>] ? fallback_alloc+0x1ba/0x270
    [<ffffffff8116e8ef>] ? cache_grow+0x2cf/0x320
    [<ffffffff8116ec19>] ? ____cache_alloc_node+0x99/0x160
    [<ffffffff8116fb9b>] ? kmem_cache_alloc+0x11b/0x190
    [<ffffffff8144d058>] ? sk_prot_alloc+0x48/0x1c0
    [<ffffffff8144e262>] ? sk_clone+0x22/0x2e0
    [<ffffffff8149ff16>] ? inet_csk_clone+0x16/0xd0
    [<ffffffff814b97d3>] ? tcp_create_openreq_child+0x23/0x470
    [<ffffffff814b6f8d>] ? tcp_v4_syn_recv_sock+0x4d/0x310
    [<ffffffff814b9576>] ? tcp_check_req+0x226/0x460
    [<ffffffff814b69cb>] ? tcp_v4_do_rcv+0x35b/0x490
    [<ffffffffa0322557>] ? ipv4_confirm+0x87/0x1d0 [nf_conntrack_ipv4]
    [<ffffffff814b825a>] ? tcp_v4_rcv+0x51a/0x900
    [<ffffffff81495270>] ? ip_local_deliver_finish+0x0/0x2d0
    [<ffffffff8149534d>] ? ip_local_deliver_finish+0xdd/0x2d0
    [<ffffffff814955d8>] ? ip_local_deliver+0x98/0xa0
    [<ffffffff81494a9d>] ? ip_rcv_finish+0x12d/0x440
    [<ffffffff81495025>] ? ip_rcv+0x275/0x350
    [<ffffffff8145c3eb>] ? __netif_receive_skb+0x4ab/0x750
    [<ffffffff81460058>] ? netif_receive_skb+0x58/0x60
    [<ffffffff81460160>] ? napi_skb_finish+0x50/0x70
    [<ffffffff814618c9>] ? napi_gro_receive+0x39/0x50
    [<ffffffffa024e267>] ? e1000_receive_skb+0x67/0x110 [e1000e]
    [<ffffffffa0250e6f>] ? e1000_clean_rx_irq+0x37f/0x580 [e1000e]
    [<ffffffffa025397d>] ? e1000e_poll+0x8d/0x2d0 [e1000e]
    [<ffffffff814619e3>] ? net_rx_action+0x103/0x2f0
    [<ffffffff8107a5f1>] ? __do_softirq+0xc1/0x1e0
    [<ffffffff810e6c60>] ? handle_IRQ_event+0x60/0x170
    [<ffffffff8107a64f>] ? __do_softirq+0x11f/0x1e0
    [<ffffffff8100c30c>] ? call_softirq+0x1c/0x30
    [<ffffffff8100fa75>] ? do_softirq+0x65/0xa0
    [<ffffffff8107a4a5>] ? irq_exit+0x85/0x90
    [<ffffffff81532525>] ? do_IRQ+0x75/0xf0
    [<ffffffff8100b9d3>] ? ret_from_intr+0x0/0x11
    <EOI>

followed by content about accessing USB devices and other system devices. Can someone tell me how to successfully limit the rate of incoming connections without running into random errors?

+5

1 answer

Running dmesg shows the cause of the error:

[78482.351825] xt_recent: hitcount (26) more than you need to remember (20)

This means that the recent iptables module is limited to only 20 packets. To solve this problem, you can do any of the following:

  • Reduce the hitcount parameter in your iptables rule from 26 to 20 or less.
    or
  • Increase the maximum possible value for the hitcount parameter from its default of 20 by setting the ip_pkt_list_tot option of the xt_recent kernel module. This can be done by creating the file ip_pkt_list_tot.conf in /etc/modprobe.d/ , containing:

    options xt_recent ip_pkt_list_tot=26

    After creating the file, reload the xt_recent kernel module via modprobe -r xt_recent && modprobe xt_recent or reboot the system.

Checking the iptables man page leads to the same conclusion:

  --hitcount hits This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame. The maximum value for the hitcount parameter is given by the "ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this value on the command line will cause the rule to be rejected. 

Note that xt_recent is called ipt_recent on some systems.

+8
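As an added example (not code from the question or the answer): a POSIX shell script that checks a requested --hitcount against the loaded module's ip_pkt_list_tot before printing the two rules from the question, so the rule is never rejected with the xt_recent message above. The XT_RECENT_PARAM override and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the original post): check the requested --hitcount
# against xt_recent's ip_pkt_list_tot before installing the question's two rules.
# XT_RECENT_PARAM is an assumed override so the check can run against a test file;
# by default it reads the live module parameter from sysfs.
XT_RECENT_PARAM="${XT_RECENT_PARAM:-/sys/module/xt_recent/parameters/ip_pkt_list_tot}"

# Print the current ip_pkt_list_tot; fall back to the module default (20)
# when xt_recent is not loaded yet.
xt_recent_list_tot() {
    if [ -r "$XT_RECENT_PARAM" ]; then
        cat "$XT_RECENT_PARAM"
    else
        echo 20
    fi
}

# Return 0 when HITCOUNT fits in the per-address list, 1 when the kernel
# would reject the rule with "hitcount (N) more than you need to remember".
check_hitcount() {
    hitcount="$1"
    limit="$(xt_recent_list_tot)"
    if [ "$hitcount" -gt "$limit" ]; then
        echo "hitcount ($hitcount) exceeds ip_pkt_list_tot ($limit)." >&2
        echo "Either lower --hitcount or put 'options xt_recent ip_pkt_list_tot=$hitcount'" >&2
        echo "in /etc/modprobe.d/ip_pkt_list_tot.conf and reload the module." >&2
        return 1
    fi
    return 0
}

# Print (dry run) the two rules. Both use -I, so the --update/DROP rule is
# inserted last and ends up first in the chain: an address already over the
# limit is dropped before reaching the --set rule that records new connections.
print_rules() {
    iface="$1"; port="$2"; seconds="$3"; hitcount="$4"
    check_hitcount "$hitcount" || return 1
    printf 'iptables -I INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --set\n' \
        "$port" "$iface"
    printf 'iptables -I INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --update --seconds %s --hitcount %s -j DROP\n' \
        "$port" "$iface" "$seconds" "$hitcount"
}

# Usage: sh ratelimit-check.sh eth0 80 5 26  (prints the rules, or why they would fail)
if [ "$#" -eq 4 ]; then
    print_rules "$@"
fi
```

Pipe the printed rules into sh only once the check passes; with the module default of 20 the question's hitcount of 26 is reported as too large.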

Source: https://habr.com/ru/post/1206902/
