
comments won't work here

Open toralf opened this issue 2 years ago • 2 comments

I tried to add comments to the DROP rules here https://github.com/toralf/torutils/blob/main/ipv4-rules.sh#L117 (and the ipv6 variant too) but it seems that the string became too long to be displayed correctly in Grafana when trying to use label filters.

In addition the counters were empty:

iptables_comment_packets_total{chain="INPUT",comment="443",table="filter"} 0
iptables_comment_packets_total{chain="INPUT",comment="8443",table="filter"} 0
iptables_comment_packets_total{chain="INPUT",comment="9001",table="filter"} 0

Linux kernel is 6.1.18 here on a stable Gentoo hardened system. Happened with all 4 scrapers (legacy and current).

toralf, Mar 12 '23 19:03

This is from the -save commands:

mr-fox ~ # /sbin/ip6tables-save  | grep DROP
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m set --match-set tor-ddos6-443 src -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m connlimit --connlimit-above 2 --connlimit-mask 128 --connlimit-saddr -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-443 --hashlimit-htable-expire 120000 -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m set --match-set tor-ddos6-9001 src -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m connlimit --connlimit-above 2 --connlimit-mask 128 --connlimit-saddr -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-9001 --hashlimit-htable-expire 120000 -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m set --match-set tor-ddos6-8443 src -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m connlimit --connlimit-above 2 --connlimit-mask 128 --connlimit-saddr -j DROP
-A INPUT -d 2a01:4f9:3b:468e::13/128 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-8443 --hashlimit-htable-expire 120000 -j DROP
mr-fox ~ # /sbin/iptables-save  | grep DROP
:INPUT DROP [169:8822]
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m set --match-set tor-ddos-443 src -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-443 --hashlimit-htable-expire 120000 -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m set --match-set tor-ddos-9001 src -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 9001 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 9001 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-9001 --hashlimit-htable-expire 120000 -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m set --match-set tor-ddos-8443 src -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -d 65.21.94.13/32 -p tcp -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 8443 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name tor-rate-8443 --hashlimit-htable-expire 120000 -j DROP

toralf, Mar 12 '23 20:03

In the meantime I realized that adding a comment to an iptables rule causes the exporter to remove "-j DROP" from the rule name when exporting.

toralf, Mar 13 '23 18:03
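To make the label derivation concrete, here is an added Python example (not code from iptables_exporter or from the issue author) that parses `iptables-save -c` style output into the sample format quoted in this issue, reports which comments are shared by several rules in the same table and chain, and sums their counters. The constructed counter values, the summing rule and the helper names (`parse_rules`, `duplicate_comments`, `comment_metrics`, `render`, `escape_label`) are assumptions of the example; how the real exporter resolves identical label sets is not shown in this issue.

```python
"""Parse iptables-save output into Prometheus-style comment metrics.

Added example, not iptables_exporter's own code. It assumes the
`[packets:bytes]` prefix that `iptables-save -c` puts before each rule and
the label names seen in the issue (chain, comment, table).
"""
import re
import shlex
from collections import defaultdict

# Constructed sample in `iptables-save -c` format. Two rules share the
# comment "443", as in the issue; the conntrack rule carries no comment.
SAMPLE = """\
*filter
:INPUT DROP [169:8822]
[12:720] -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m set --match-set tor-ddos-443 src -j DROP
[3:180] -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment 443 -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
"""

# The counter prefix is optional so that plain `iptables-save` output (no -c,
# as pasted in the issue) still parses; such rules are then reported as 0/0.
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)\s+(.*)$")


def parse_rules(text):
    """Return (table, chain, comment_or_None, packets, bytes, rule) per -A line."""
    rules = []
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # "*filter" opens a table block
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if not m:                          # policy lines, COMMIT, blanks
            continue
        pkts, byts, chain, rest = m.groups()
        tokens = shlex.split(rest)         # honours quoted multi-word comments
        comment = None
        if "--comment" in tokens:
            idx = tokens.index("--comment")
            if idx + 1 < len(tokens):
                comment = tokens[idx + 1]
        rules.append((table, chain, comment, int(pkts or 0), int(byts or 0), rest))
    return rules


def escape_label(value):
    """Escape a label value as the Prometheus text exposition format requires."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def duplicate_comments(text):
    """Map (table, chain, comment) -> rule count for comments used by >1 rule.

    Identical label sets cannot coexist in one scrape, so an exporter has to
    either sum such rules or keep only one of them; this check surfaces them.
    """
    counts = defaultdict(int)
    for table, chain, comment, *_ in parse_rules(text):
        if comment is not None:
            counts[(table, chain, comment)] += 1
    return {k: n for k, n in counts.items() if n > 1}


def comment_metrics(text):
    """Sum packets/bytes per (table, chain, comment).

    Summing is this example's assumption, not necessarily the exporter's choice.
    """
    totals = defaultdict(lambda: [0, 0])
    for table, chain, comment, pkts, byts, _ in parse_rules(text):
        if comment is None:
            continue
        totals[(table, chain, comment)][0] += pkts
        totals[(table, chain, comment)][1] += byts
    return dict(totals)


def render(text):
    """Render aggregated samples in the exposition format quoted in the issue."""
    out = []
    for (table, chain, comment), (pkts, byts) in sorted(comment_metrics(text).items()):
        labels = (f'chain="{escape_label(chain)}",comment="{escape_label(comment)}",'
                  f'table="{escape_label(table)}"')
        out.append(f"iptables_comment_packets_total{{{labels}}} {pkts}")
        out.append(f"iptables_comment_bytes_total{{{labels}}} {byts}")
    return out


if __name__ == "__main__":
    for key, n in duplicate_comments(SAMPLE).items():
        print(f"# warning: comment {key!r} is used by {n} rules; counters summed")
    print("\n".join(render(SAMPLE)))
```

Running it against real output (`iptables-save -c | python3 this.py`, adapting `SAMPLE` to read stdin) tells you whether several DROP rules share one comment, which is the first thing to check when a comment-labelled series looks wrong: with the three-rules-per-port layout shown above, every port comment collides.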