iptables - I'm losing control over the box by adding new rule to the config

0

My set up is the following:

  1. Internet uplink (200Mbit)
  2. DMZ (1GB ethernet)
  3. Internal network (1gb internet)
  4. Log interface

My gateway is serving around 600 clients with 1400 iptables rules in place. HW configuration is as follows:

  • 8 cores
  • RAM: 32975472

Everything is fine until the point when I add the following rule:

/sbin/iptables -I FORWARD -i eth-int -p tcp --tcp-flags SYN,ACK,FIN,RST SYN  -j LOG --log-prefix ipt-dmz  

After a few seconds my gateway goes into a completely unusable state, and I'm losing control over the box.

Any ideas about how to tune it up? The idea is to log every TCP SYN packet over the "log" interface (a dedicated interface just for this kind of traffic) and store these logs somewhere else. The gateway runs from a flash drive, so I cannot store such data on the gateway.

Thanks for any hints.

dan dan

Posted 2014-09-10T14:30:13.170

Reputation: 1

Answers

0

Maybe you're getting too many matches to that rule. Try adding a limit to that rule. For example:

/sbin/iptables -I FORWARD -i eth-int -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 10/min -j LOG --log-prefix ipt-dmz

gogators

Posted 2014-09-10T14:30:13.170

Reputation: 1 183

Yes, I think this is what's happening. I've tried with a limit as well (100/m) and I ended up with the same result. – dan dan – 2014-09-11T01:38:37.700
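To see how many packets `-m limit` actually hands to the LOG target, here is an added Python simulation of the match's token bucket (example code, not from the post or from iptables; `--burst 5` is the iptables default, and the SYN arrival pattern is constructed to resemble 600 clients connecting at once followed by a steady trickle).

```python
"""Simulate the iptables `-m limit` match as a token bucket.

Added example, not from the original post. Shows how many of a burst of
TCP SYNs a rule with `--limit 10/min` (the answer) or `--limit 100/min`
(the asker's retry) would pass on to the LOG target, versus no limit.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Token bucket with the same parameters as `-m limit`."""
    rate_per_sec: float          # --limit, converted to matches per second
    burst: int = 5               # --burst (iptables default is 5)
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = float(self.burst)   # bucket starts full
        self.last = 0.0

    def matches(self, now: float) -> bool:
        """True if a packet arriving at `now` (seconds) matches, i.e. is logged."""
        # Refill according to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_limit(spec: str) -> float:
    """Convert an iptables --limit value such as '10/min' or '5/s' to per-second."""
    num, unit = spec.split("/")
    seconds = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
               "h": 3600, "hour": 3600, "d": 86400, "day": 86400}[unit]
    return float(num) / seconds


def logged_count(spec: str, burst: int, arrivals) -> int:
    """Number of arrivals (timestamps in seconds) the limited rule would log."""
    m = LimitMatch(parse_limit(spec), burst)
    return sum(1 for t in arrivals if m.matches(t))


# Constructed: 600 clients each sending a SYN within the first second,
# then a steady 50 SYN/s for the following 59 seconds (3550 SYNs in total).
SYN_ARRIVALS = [i / 600 for i in range(600)] + [1 + i / 50 for i in range(59 * 50)]

if __name__ == "__main__":
    total = len(SYN_ARRIVALS)
    for spec in ("10/min", "100/min"):
        print(f"{spec} burst 5: {logged_count(spec, 5, SYN_ARRIVALS)} of {total} SYNs reach LOG")
    print(f"no limit: {total} of {total} SYNs reach LOG")
```

With the limit in place only a few dozen to a hundred log lines are produced per minute, so if the box still locks up with `100/min`, the cost is not the volume of LOG output from that one rule.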