
comments won't work here #10

Open
toralf opened this issue Mar 12, 2023 · 2 comments

toralf commented Mar 12, 2023

I tried to add comments to the DROP rules here https://github.com/toralf/torutils/blob/main/ipv4-rules.sh#L117 (and the ipv6 variant too) but it seems that the string became too long to be displayed correctly in Grafana when trying to use label filters.

In addition, the counters were empty:

iptables_comment_packets_total{chain="INPUT",comment="443",table="filter"} 0
iptables_comment_packets_total{chain="INPUT",comment="8443",table="filter"} 0
iptables_comment_packets_total{chain="INPUT",comment="9001",table="filter"} 0

Linux kernel is 6.1.18 here on a stable Gentoo hardened system.
Happened with all 4 scrapers (legacy and current).


toralf commented Mar 12, 2023

This is from the -save commands:

mr-fox ~ # /sbin/ip6tables-save  | grep DROP
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m set --match-set tor-ddos6-443 src -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m connlimit --connlimit-above 2 --connlimit-mask 128 --connlimit-saddr -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-443 --hashlimit-htable-expire 120000 -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m set --match-set tor-ddos6-9001 src -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m connlimit --connlimit-above 2 --connlimit-mask 128 --connlimit-saddr -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-9001 --hashlimit-htable-expire 120000 -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m set --match-set tor-ddos6-8443 src -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m connlimit --connlimit-above 2 --connlimit-mask 128 --connlimit-saddr -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-8443 --hashlimit-htable-expire 120000 -j DROP
mr-fox ~ # /sbin/iptables-save  | grep DROP
:INPUT DROP [169:8822]
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m set --match-set tor-ddos-443 src -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-443 --hashlimit-htable-expire 120000 -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m set --match-set tor-ddos-9001 src -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-9001 --hashlimit-htable-expire 120000 -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m set --match-set tor-ddos-8443 src -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-8443 --hashlimit-htable-expire 120000 -j DROP


toralf commented Mar 13, 2023

In the meanwhile I realized that adding a comment to an iptables rule causes the exporter to remove "-j DROP" from the rule name when exporting.
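As an added illustration (not code from the exporter or from torutils), here is a small Python parser for `iptables-save -c` output that keeps the full rule text, `-j DROP` included, extracts the `--comment` value and the packet counter from the leading `[pkts:bytes]` field, and emits samples in the iptables_comment_packets_total shape quoted above. It assumes the exporter reads counters from `iptables-save -c`; the sample rules and counter values are constructed.

```python
"""Parse `iptables-save -c` output into per-rule records with comment, target and counters."""
from __future__ import annotations
import re
import shlex
from dataclasses import dataclass

COUNTER_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s.*)$")  # "[packets:bytes] -A ..." as printed by -c
@dataclass
class Rule:
    table: str
    chain: str
    comment: str | None
    target: str | None  # e.g. "DROP"; `text` below still contains the full "-j DROP" as well
    packets: int
    text: str

def parse_save(output: str) -> list[Rule]:
    rules, table = [], "filter"
    for line in output.splitlines():
        if line.startswith("*"):  # table header such as "*filter"
            table = line[1:].strip()
            continue
        m = COUNTER_RE.match(line.strip())  # skips policy (":INPUT ..."), COMMIT and "#" lines
        if not m:
            continue
        tokens = shlex.split(m.group(3))  # shlex honours quoted comments containing spaces
        comment = target = None
        for i, tok in enumerate(tokens[:-1]):
            if tok == "--comment":
                comment = tokens[i + 1]
            elif tok == "-j":
                target = tokens[i + 1]
        rules.append(Rule(table, tokens[1], comment, target, int(m.group(1)), m.group(3)))
    return rules

def escape_label(value: str) -> str:
    # Backslash, double quote and newline must be escaped inside a Prometheus label value.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

def comment_metrics(rules: list[Rule]) -> list[str]:
    return [f'iptables_comment_packets_total{{chain="{r.chain}",comment="{escape_label(r.comment)}",'
            f'table="{r.table}"}} {r.packets}' for r in rules if r.comment is not None]
# Constructed sample: shortened DROP rules in the style of the report, with made-up counters.
SAMPLE = """\
*filter
[12:720] -A INPUT -p tcp -m tcp --dport 443 -m comment --comment 443 -m set --match-set tor-ddos-443 src -j DROP
[3:180] -A INPUT -p tcp -m tcp --dport 9001 -m comment --comment "tor 9001" -j DROP
COMMIT
"""
```

Plain `iptables-save` without `-c` prints no per-rule counters, so an exporter fed that output would report 0 for every rule; comparing the exporter's input against `iptables-save -c` is a quick first check when every counter reads 0.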
