From: Kenneth Porter <shiva@sewingwitch.com>
To: bloat <bloat@lists.bufferbloat.net>
Subject: Re: [Bloat] netperf server news
Date: Tue, 06 Oct 2020 19:39:54 -0700 [thread overview]
Message-ID: <38F0B196CFEA470FEEBE0520@[172.27.17.193]> (raw)
In-Reply-To: <2F8AA6E5-93F7-4FB2-A57F-10F7642F3092@gmail.com>
--On Tuesday, October 06, 2020 7:52 AM -0400 Rich Brown
<richb.hanover@gmail.com> wrote:
> 3) I would be pleased to get comments on the set of scripts. I'm a newbie
> at iptables, so it wouldn't hurt to have someone else check the rules I
> devised. See the README at https://github.com/richb-hanover/netperfclean
A couple of alternatives to custom scripts are fail2ban and the
rate-limiting modules available for iptables such as hashlimit and recent.
I haven't used fail2ban for rate-limiting so I'm not sure if it's the right
tool for that but it monitors log files to add iptables rules for
short-term banning. It's not hard to add your own log monitoring rule. I
haven't used the iptables modules but they look like a natural solution for
this.
<https://poorlydocumented.com/2017/08/understanding-iptables-hashlimit-module/>
<https://serverfault.com/questions/682045/source-ip-rate-limiting-in-iptables-hashlimit-vs-recent>
Instead of using a unique iptables rule for each blocklist member, I
suggest using an ipset. (I use firewalld as a front-end to iptables so I
let it manage my ipsets, but you can also install ipset's service for use
with raw iptables to save and restore the sets across boots.) Your block
rule could be as simple as this:
iptables -I INPUT 1 -p tcp --dport netperf -m set --match-set
NetPerfAbusers src -m conntrack --ctstate NEW -j DROP
next prev parent reply other threads:[~2020-10-07 2:40 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-06 10:52 Rich Brown
2020-10-06 13:11 ` Sebastian Moeller
2020-10-06 19:18 ` Colin Dearborn
2020-10-06 20:40 ` Rich Brown
2020-10-07 0:42 ` Dave Collier-Brown
2020-10-07 2:39 ` Kenneth Porter [this message]
[not found] <mailman.3.1602086401.13868.bloat@lists.bufferbloat.net>
2020-10-07 18:23 ` Rich Brown
2020-10-08 1:39 ` Kenneth Porter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/bloat.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='38F0B196CFEA470FEEBE0520@[172.27.17.193]' \
--to=shiva@sewingwitch.com \
--cc=bloat@lists.bufferbloat.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox