How to Create Connection Limits with Iptables

Article by Aashish

How do I restrict the number of connections used by a single IP address to my server for port 80 and 25 using iptables?

You need to use the connection limit modules which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block). This is useful to protect your server or vps box against flooding, spamming or content scraping.

Syntax
The syntax is as follows:

# /sbin/iptables -A INPUT -p tcp –syn –dport $port -m connlimit –connlimit-above N -j REJECT –reject-with tcp-reset

save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Example: Limit SSH Connections Per IP / Host

Only allow 3 ssh connections per client host:

# /sbin/iptables  -A INPUT -p tcp –syn –dport 22 -m connlimit –connlimit-above 3 -j REJECT

save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Example: Limit HTTP Connections Per IP / Host

Only allow 20 http connections per IP (MaxClients is set to 60 in httpd.conf):

# /sbin/iptables -A INPUT -p tcp –syn –dport 80 -m connlimit –connlimit-above 20 -j REJECT –reject-with tcp-reset
save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Skip proxy server IP 1.2.3.4 from this kind of limitations:

# /sbin/iptables -A INPUT -p tcp –syn –dport 80 -d ! 1.2.3.4 -m connlimit-above 20 -j REJECT –reject-with tcp-reset

Enjoy it….

Related Posts:

• No Related Posts