[oclug] An iptables question

Adrian Irving-Beer wisq-oclug at wisq.net
Mon Apr 4 20:42:03 EDT 2005


On Mon, Apr 04, 2005 at 12:31:58PM -0400, Tony Wang wrote:

> Thanks, is it safe to conclude the following from your explanation?

First off, understand that I'm talking about the following
configuration:

  * ACCEPT: echo-reply, limit 3/minute, burst 5
  * DROP:   echo-reply, no limit

I assume this is what you're trying to do.  You want to limit
the ACCEPTs, and if you get too many, start DROPping them
(avoiding a flood).

Remember, limits always apply only to the rule they're placed on.  If
you put limits on your ACCEPT, you're limiting the number you'll allow
through.  If you're putting limits on your DROP, you're not limiting
how many it accepts, but actually how many it drops.

> 1. if there is no bursty input traffic, so the input echo-reply rate is
>    less than 3/minute, no echo-reply will be denied. (queue = 5 always)

Right.  So long as there are fewer than 3 per minute, the ACCEPT rule
will always trigger, and nothing will DROP.

> 2.  once bursty echo-reply happens, --limit-burst queue becomes 0,
>     --limit kicks into play

Right.  The first five will work, but the sixth will be DROPped,
because the burst has been exceeded and the DROP rule comes into play.

>    a. drop 3 echo-reply/minute and queue=0, assuming input rate >=
>       3/minute

Not quite.  It will actually ACCEPT three per minute, DROPping all the
rest.  Yes, the ACCEPT burst will remain at 0 because it's being
constantly exhausted.

>    b. drop 3 echo-reply/minute and queue slowly climbs back to 5,
>       assuming input rate < 3/minute

If the rate drops below 3 per minute, it will once again begin
ACCEPTing *all* echo-replies, because the ACCEPT rule always triggers
(bypassing the DROP).

And yes, the ACCEPT burst will climb back up, at a rate of 3 per
minute (minus one for each echo-reply), to a maximum of 5.

One thing I'm not clear on is *when* these things regenerate their
burst.  For example, if you're getting one echo-reply per second, I
don't know if you only get the first three of every minute, or one per
every twenty seconds.
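The behaviour discussed in this message follows from the limit match being a token bucket. The model below is an added example, not code from the thread: it mirrors the credit/cost bookkeeping of the kernel's limit match (xt_limit) for the two-rule chain above (a limited ACCEPT followed by an unconditional DROP), and the names LimitMatch, classify and accepted_seconds are mine.

```python
# Added example, not from the thread: token-bucket model of the iptables
# 'limit' match for the chain under discussion:
#   -m limit --limit 3/minute --limit-burst 5 -j ACCEPT   (echo-reply)
#   -j DROP                                               (echo-reply)
# The match keeps a credit counter that starts full (burst * cost), grows
# with elapsed time up to that cap, and spends one cost (period / rate) per
# matching packet; a packet matches only if a whole cost is available.

from typing import Iterable, List

MS_PER_MINUTE = 60_000  # integer milliseconds keep the arithmetic exact


class LimitMatch:
    """Equivalent of '-m limit --limit N/minute --limit-burst B'."""

    def __init__(self, rate_per_minute: int, burst: int) -> None:
        self.cost = MS_PER_MINUTE // rate_per_minute  # credit spent per packet
        self.credit_cap = self.cost * burst           # a full bucket
        self.credit = self.credit_cap                 # bucket starts full
        self.last_ms = 0

    def matches(self, now_ms: int) -> bool:
        """Account for a packet arriving at now_ms; True if the rule matches."""
        self.credit = min(self.credit_cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False

    def tokens(self) -> int:
        """Whole packets currently available (the 'queue' in the thread)."""
        return self.credit // self.cost


def classify(arrival_ms: Iterable[int], rate_per_minute: int = 3,
             burst: int = 5) -> List[str]:
    """Verdict per echo-reply: the limited ACCEPT rule is tried first and
    anything it does not match falls through to the unconditional DROP."""
    limiter = LimitMatch(rate_per_minute, burst)
    return ["ACCEPT" if limiter.matches(t) else "DROP" for t in arrival_ms]


def accepted_seconds(verdicts: List[str]) -> List[int]:
    """Indexes (here: seconds) of the accepted packets, for inspection."""
    return [i for i, v in enumerate(verdicts) if v == "ACCEPT"]
```

For one echo-reply per second over a minute, `accepted_seconds(classify(range(0, 60_000, 1_000)))` gives `[0, 1, 2, 3, 4, 20, 40]`: the burst of five, then one every twenty seconds rather than three at the start of each minute, since credit refills continuously. Traffic slower than 3/minute is never dropped, and after a quiet spell the bucket is back at five.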