# iptables burst rate limiting and packets content

## dulrich

Hi,

Today I protect my DHCP and DNS services through iptables with xt_recent:

```
# Per-source-IP limiter for DNS: more than 200 hits from one address
# within 2 seconds goes to LOG_BRUT_DROP (a separate logging/drop chain)
iptables -N DNS_BRUT
iptables -A DNS_BRUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m recent --set --name DNS4FM --rsource
iptables -A DNS_BRUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m recent --update --seconds 2 --hitcount 200 --name DNS4FM --rsource -j LOG_BRUT_DROP
iptables -A DNS_BRUT -j ACCEPT
```

DNS_BRUT is a chain where I redirect all my DNS queries (udp and tcp) from the authorized IPs.

```
# Per-source-IP limiters for DHCP (udp/67 on eth1), two windows:
# "FS" = more than 50 hits in 1 second, "FM" = more than 100 hits in 5 seconds
iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --set --name DHCPFS --rsource
iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --update --seconds 1 --hitcount 50 --name DHCPFS --rsource -j LOG_BRUT_DROP
iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --set --name DHCPFM --rsource
iptables -A INPUT -p udp --dport 67 -i eth1 -m conntrack --ctstate NEW,ESTABLISHED -m recent --update --seconds 5 --hitcount 100 --name DHCPFM --rsource -j LOG_BRUT_DROP
```

About 100'000 hosts query these services and these rules are quite limiting. Sometimes, some servers or DHCP relays legitimately need to do more than X queries per second depending on what happens on the network (electricity outage, mail bombing, …).

A better way to do it, instead of limiting by source_ip only, would be to inspect inside the DHCP and DNS packets and limit the rate per second of queries:

DNS: source_ip, query_type, query_name, so for example (123.45.67.89, A, www.google.ch)

DHCP: CHADDR (client hardware address), so for example (aa:bb:cc:dd:ee:ff) -> because the relay masks the real source

CHADDR, query_type and query_name are all data in the application layer.

Is there a way to do it with iptables? If not, what kind of firewall can do it?
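The keying the question describes, as an added example that is not part of the original post and not something the forum proposes: `-m recent` and `-m hashlimit` only key on addresses and ports, so counting per (source_ip, query_type, query_name) or per CHADDR needs something that actually parses the DNS or BOOTP payload (a user-space hook such as NFQUEUE, or the resolver/DHCP server itself). The Python below parses just those fields from raw UDP payloads and applies a sliding-window counter with the same `--seconds`/`--hitcount` shape as the xt_recent rules above. The sample packets, the `SlidingWindowLimiter` class and the `simulate_*` helpers are constructed for this example; the limits (200 in 2 s for DNS, 50 in 1 s for DHCP) are the ones from the rules.

```python
"""Application-layer rate-limit keys for DNS and DHCP (example, not from the thread)."""
import struct
from collections import defaultdict, deque

DNS_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 255: "ANY"}


def parse_dns_question(payload: bytes):
    """Return (qname, qtype_name) from the first question of a DNS message.

    Raises ValueError on truncated input. Compression pointers are rejected in
    the question name: a query's qname is written out in full, and refusing
    pointers keeps the parser free of pointer-loop handling.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack_from("!H", payload, 4)[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated qname")
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        label = payload[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace").lower())
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype = struct.unpack_from("!H", payload, pos)[0]
    return ".".join(labels) or ".", DNS_QTYPES.get(qtype, str(qtype))


def parse_dhcp_chaddr(payload: bytes) -> str:
    """Return the client hardware address (CHADDR) of a BOOTP/DHCP message.

    Fixed BOOTP layout: hlen at offset 2, chaddr (16 bytes) at offset 28.
    Keying on CHADDR instead of the source IP sees through a relay (giaddr).
    """
    if len(payload) < 44:
        raise ValueError("short BOOTP header")
    hlen = payload[2]
    if hlen == 0 or hlen > 16:
        raise ValueError("bad hlen")
    return ":".join(f"{b:02x}" for b in payload[28:28 + hlen])


class SlidingWindowLimiter:
    """Allow at most `hitcount` events per key in any `seconds`-long window."""

    def __init__(self, seconds: float, hitcount: int):
        self.seconds, self.hitcount = seconds, hitcount
        self._hits = defaultdict(deque)   # key -> timestamps still in window

    def allow(self, key, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.seconds:   # expire old hits
            q.popleft()
        if len(q) >= self.hitcount:
            return False                          # over limit: LOG/DROP here
        q.append(now)
        return True


# --- constructed sample packets -------------------------------------------
def build_dns_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def build_dhcp_discover(mac: bytes, giaddr: bytes = b"\0\0\0\0") -> bytes:
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, len(mac), 1, 0xDEADBEEF, 0,
                      0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr, mac.ljust(16, b"\0"))
    return hdr + b"\0" * 192 + b"\x63\x82\x53\x63"  # sname+file padding, magic cookie


def simulate_dns(limiter, src_ip, payloads, start=0.0, step=0.001):
    """Feed queries 1 ms apart; return (accepted, dropped) keyed on (ip, qtype, qname)."""
    accepted = dropped = 0
    for i, p in enumerate(payloads):
        qname, qtype = parse_dns_question(p)
        if limiter.allow((src_ip, qtype, qname), start + i * step):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def simulate_dhcp(limiter, payloads, start=0.0, step=0.001):
    """Feed DHCP messages 1 ms apart; return (accepted, dropped) keyed on CHADDR only."""
    accepted = dropped = 0
    for i, p in enumerate(payloads):
        if limiter.allow(parse_dhcp_chaddr(p), start + i * step):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped
```

Run with the constructed traffic: 300 identical `(123.45.67.89, A, www.google.ch)` queries in 0.3 s hit the 200/2 s limit and 100 are dropped, while 300 queries for 300 different names from the same forwarder all pass, which is exactly the distinction a per-source-IP `-m recent` rule cannot make. For DHCP, two clients behind one relay share a source IP but get separate CHADDR budgets.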

----------

## PaulBredbury

*dulrich wrote:*

> Sometimes, some servers or DHCP relays legitimately need to do more than X queries per second

Make a more *relaxed* iptables filter chain, especially for them :Wink:

----------

