Thursday, February 24, 2005
Reading List: Linux iptables Pocket Reference
- Purdy, Gregor N. Linux iptables Pocket Reference. Sebastopol, CA: O'Reilly, 2004. ISBN 0-596-00569-5.
Sure, you could just read the manual pages, but when your
site is under attack and you're the "first responder", this little
book is just what you want in your sweaty fingers. It's also a handy
reference to the fields in IP, TCP, UDP, and ICMP packets, which can
be useful in interpreting packet dumps. Although intended as a
reference, it's well worth taking the time (less than an hour) to
read cover to cover. There are a number of very nice
facilities in iptables/Netfilter which permit responding to
common attacks. For example, the iplimit match allows
blocking traffic from the bozone layer (yes, you--I know who
you are and I know where you live) which ties up all of your HTTP
server processes by connecting to them and then letting them time out or,
slightly more sophisticated, feeding characters of a request every
20 seconds or so to keep it alive. (The iplimit match was an
out-of-tree "patch-o-matic" extension; later mainline kernels ship
the equivalent connlimit match, which takes the same options with a
connlimit- prefix instead of iplimit-.) The solution is:
    /sbin/iptables -A INPUT -p tcp --syn \
        --dport 80 -m iplimit --iplimit-above 20 \
        --iplimit-mask 32 -j REJECT
Any single address (that is what a mask of 32 means; a mask of 24
would count a whole /24 together) which already has more than 20
connections open to port 80 gets whacked on each additional SYN packet;
connections it has already established are left alone. You can see
whether this rule is affecting too many legitimate connections with the
status query:

    /sbin/iptables -L -v -n

which prints the packet and byte counters for each rule (the -n keeps
iptables from stalling on reverse DNS lookups while you are under attack).
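Before installing such a rule it helps to know which sources would actually trip it. The following is an added example, not code from the book or from this post: it counts open TCP connections to a port per source prefix from netstat-style output, the same way the iplimit/connlimit match counts them, so you can try different thresholds and masks offline. The sample connection table, the server address 192.0.2.10 and the attacker address 198.51.100.7 are constructed for the example; the connlimit_rule helper just renders the post's rule with the in-tree connlimit match.

```python
"""Offline check for a per-source connection limit (added example, not from the book).

Reads lines in the shape `netstat -tn` prints, counts connections to a port
per source prefix (the --iplimit-mask / --connlimit-mask idea), and reports
sources above a threshold.  All sample data below is constructed.
"""
import ipaddress
from collections import Counter

THRESHOLD = 20            # --iplimit-above 20 in the post's rule
SERVER_IP = "192.0.2.10"  # assumed server address (documentation range)


def netstat_line(src, sport, state="ESTABLISHED", dport=80):
    """Build one constructed line in the layout of `netstat -tn` output."""
    return f"tcp        0      0 {SERVER_IP}:{dport:<8} {src}:{sport:<8} {state}"


# Constructed sample: one source holding 25 connections open against port 80,
# a neighbour in the same /24 with two, an ordinary visitor with three plus an
# SSH session that a port-80 rule never sees.
SAMPLE_LINES = (
    ["Active Internet connections (w/o servers)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    + [netstat_line("198.51.100.7", 40000 + i) for i in range(25)]
    + [netstat_line("198.51.100.8", 50000 + i) for i in range(2)]
    + [netstat_line("203.0.113.5", 60000 + i) for i in range(3)]
    + [netstat_line("203.0.113.5", 61000, dport=22)]
)


def parse_netstat(lines):
    """Return (src_ip, src_port, local_ip, local_port, state) for each tcp line."""
    conns = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header or non-TCP line
        local, foreign, state = fields[3], fields[4], fields[5]
        lip, lport = local.rsplit(":", 1)
        fip, fport = foreign.rsplit(":", 1)
        conns.append((fip, int(fport), lip, int(lport), state))
    return conns


def count_by_source(conns, dport=80, mask=32):
    """Connections to dport per source prefix, as iplimit/connlimit count them.

    mask=32 counts each address on its own; a smaller mask aggregates a whole
    prefix, which is what --iplimit-mask / --connlimit-mask do.
    """
    counts = Counter()
    for src, _sport, _lip, lport, _state in conns:
        if lport != dport:
            continue
        prefix = ipaddress.ip_network(f"{src}/{mask}", strict=False)
        counts[str(prefix)] += 1
    return counts


def over_limit(counts, threshold=THRESHOLD):
    """Prefixes with more than `threshold` connections: these would be rejected."""
    return {prefix: n for prefix, n in counts.items() if n > threshold}


def connlimit_rule(dport=80, threshold=THRESHOLD, mask=32):
    """The post's rule, written with the in-tree connlimit match."""
    return (f"/sbin/iptables -A INPUT -p tcp --syn --dport {dport} "
            f"-m connlimit --connlimit-above {threshold} "
            f"--connlimit-mask {mask} -j REJECT")


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_LINES)
    for mask in (32, 24):
        print(f"mask /{mask}: {over_limit(count_by_source(conns, mask=mask))}")
    print(connlimit_rule())
```

To run it against a live machine, feed `netstat -tn` (or `ss -tn`, whose columns differ slightly) into parse_netstat instead of SAMPLE_LINES. With the sample, mask 32 flags only 198.51.100.7 (25 connections), while mask 24 lumps it with its neighbour into 198.51.100.0/24 (27), which is exactly the trade-off to weigh before lowering the mask.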
Geekly reading, to be sure, but just the thing if you're responsible for defending an Internet server or site from malefactors in the Internet Slum.