Develop Reference

is there a way to use cilium to rate limit tls connection establishment?

I want to do something like
sudo iptables -A INPUT -i eth0 -m state --state NEW -p tcp -m limit --limit 12/minute --dport 12871 -j ACCEPT
sudo iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 12871 -j DROP
https://askubuntu.com/questions/1095491/how-to-limit-connections-to-1-connect-on-5-seconds-iptables
but via cilium/natively on kubernetes
to protect my ingresses from falling over if many clients reconnect at the same time

I suppose you can, yes. This is done via the api-rate-limit configuration option that you will have to configure for your cilium-agent running on the node.
Your limit above will translate to:
--api-rate-limit endpoint-create=rate-limit:12/m
You can read more about this option here.

tproxy configure with connbytes

I have a transparent proxy.
I want to redirect a rdp connection to local process, but from 3rd packet. that means I want to pass first and second packet and from 3rd packet until end redirect packets to local process.
I use code below to configure my tproxy.
But it does not work and no packets pass and no packets go to local process(50082).
Could you please help me? I don't know my mistake.
${ip} rule add fwmark 1 lookup 100
${ip} route add local 0.0.0.0/0 dev lo table 100
${iptables} -t mangle -N DIVERT
${iptables} -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
${iptables} -t mangle -A DIVERT -j MARK --set-mark 1
${iptables} -t mangle -A DIVERT -j ACCEPT
${iptables} -t mangle -A PREROUTING -p tcp --dport 3389 -m connbytes --connbytes 3: --connbytes-dir both --connbytes-mode packets -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50082
${iptables} -t mangle -A PREROUTING -p tcp --dport 3389 -m connbytes --connbytes 1:3 --connbytes-dir both --connbytes-mode packets -j ACCEPT

Gitlab pushing via https doesnt succed because of iptables

I installed the Gitlab-Omnibus bundle and opened iptables for port 80, 443, 9418 and temp. even for 22. Why doesn't pushing via https work? When I put iptables in default open for everything it works.
Here are my rules for 80, 443, 22 and 9418
# 1. Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT
# 2. Allow outgoing HTTP
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 443 -j ACCEPT
# 10. Allow outgoing HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
# allow git
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 9418 -j ACCEPT
#SSH: Client --> Server
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
The Result is:
Pushing to https://TLD/USER/REPO.git
POST git-receive-pack (448 bytes)
And then it just freezes. What do I need to open else?
I tried logging dropped packages but there is nothing with my ip?
I hope someone can help me..
Ok here are the rules for my logging:
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
And here is the output:
# Generated by iptables-save v1.4.21 on Thu Nov 13 18:43:13 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 37655 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 9418 -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.20.0.0/16 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 37655 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
COMMIT

#Devices
DEV0=eth0
#internal network
INT_NET=xxx.xxx.0.0/16
INT_NET_SECURE=xxx.xxx.xxx.0/24
#external network
EXT_NET=xxx.xxx.xxx.0/24
#path iptables
IPTABLES=/sbin/iptables
#path modprobe
MODPROBE=/sbin/modprobe
case $1 in
start)
$0 stop
echo "start ip-package-filter"
# iptables-Modul
$MODPROBE ip_tables
# Connection-Tracking-Module
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
#Standard-Policy - Deny everything except what we want
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#slows down icmp for too much packages
echo "5" >/proc/sys/net/ipv4/icmp_ratelimit
#Kills packages with source route option
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_source_route
#Kills icmp forwarding
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_redirects
#Kills spoofed packages
echo "1" > /proc/sys/net/ipv4/conf/$DEV0/rp_filter
#Kills packages from 0.X.X.X
echo "0" > /proc/sys/net/ipv4/conf/eth0/bootp_relay
# TCP-FIN-Timeout (DoS-Attack)
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#TCP-SYN max 3 answers
echo 3 > /proc/sys/net/ipv4/tcp_retries1
#TCP-Package max 15x repetitions
echo 15 > /proc/sys/net/ipv4/tcp_retries2
#Loopback-Communication
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#ICMP: Client <--> Server
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
#DNS: Server --> DNS-Server
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
#SSH: Client --> Server (internal)
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
#SSH: Client --> Server
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Update (apt)
$IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#TeamDrive
$IPTABLES -A INPUT -p tcp --dport 37655 -m state --state NEW -j ACCEPT
#Git
$IPTABLES -A INPUT -p tcp --dport 9418 -m state --state NEW -j ACCEPT
#Connection-Tracking for INPUT and OUTPUT CHAIN
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
echo "Firewall activated"
;;
stop)
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
;;
restart)
$0 start
;;
*)
echo "Usage: $0 {startwd|stop|restart}"
;;
esac

Insert line in iptables's file

I work with bash file and I want to insert and get line in iptables's file
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
{My Line Here}
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
replace {My line here} to
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
Then I want to find and get firewall open ports an display them

sed 's/-A INPUT -i lo -j ACCEPT/-A INPUT -i lo -j ACCEPT\n-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT/g' <filename> > temp ; mv temp <filename>
Replace the <filename> by the actual file. This works only if the preceding line is -A INPUT -i lo -j ACCEPT

Can't ping my MFP from Windows, but can by Linux

I have a trouble. Can`t access to my ethernet-connected MFP from Windows 7 clients, but by Ubuntu (and router/server) machine it can get access to it.
MFP = Epson Stylus Color 730
network:
MFP (192.168.0.100) + win7clients (192.168.0.101-200) ---> Ubuntu server/router (192.168.0.1) ---> Internet
MFP get right IP and settings form DHCP server. On Windows machines disabled all firewalls and so on.
From Ubuntu I can do with MFP what I want, but why I can`t even ping it form Windows?
Thanks
Edit:
Content of /etc/sysctl.conf :
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
Edit 2:
After some fixes - all, except of me in local net can use MFP.
So, new puzzle:
My local network:
http://prntscr.com/kvk5g
"Hakuhonoo" can`t see MFP, but other do.
Content of /etc/iptables.conf:
# Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012
*filter
:INPUT ACCEPT [23:1420]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [20:18904]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80:85 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1985 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 60000:65000 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i eth0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 81:85 -j ACCEPT
-A FORWARD -i eth0 -j DROP
COMMIT
# Completed on Fri Nov 9 01:51:58 2012
# Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012
*nat
:PREROUTING ACCEPT [377:31747]
:INPUT ACCEPT [39:3558]
:OUTPUT ACCEPT [11:872]
:POSTROUTING ACCEPT [7:570]
-A PREROUTING -i eth0 -p tcp --dport 81:85 -j DNAT --to 192.168.0.101
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 9 01:51:58 2012
# Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012
*mangle
:PREROUTING ACCEPT [1425:140833]
:INPUT ACCEPT [762:69219]
:FORWARD ACCEPT [495:56655]
:OUTPUT ACCEPT [643:122295]
:POSTROUTING ACCEPT [1152:179096]
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
COMMIT
# Completed on Fri Nov 9 01:51:58 2012

Did you set your Ubuntu to forward packets?
Enable routing: (taken from here)
Configure the gateway for routing between two interfaces by enabling IP forwarding:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Edit /etc/sysctl.conf, and (up to 10.04) add these lines:
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
From 10.10 onwards, it suffices to edit /etc/sysctl.conf and uncomment:
net.ipv4.ip_forward=1