We have a linux server (Debian-Lenny) with solid-state drive, without hard disk classic. He's use as a router, so traffic is only for forward.

We want to monitor connexions in able to find some syn-flood. Netstat could help us, but we have many traffic, almost around 150 Mbit/s, and netstat who look in '/proc/net' block the traffic, so it's not a method that we can use. Actually we use iptables rules with 'hashlimit-*' to verify that: from a source there is not too many connexion by minute. But not easy to adjust, for what is 'too many' for some network behind us.

Have somebody any idea what can we do?

Thank for the help,

  • 66
  • 3

2 Answers2


From a website:

iptables -A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -p tcp --syn -j LOG
iptables -A INPUT -p tcp --syn -j DROP
  • 3,246
  • 6
  • 26
  • 31
  • Sorry, it's a router, not a final server. We use FORWARD rules. It's for thousand of client, we can't limit with 10/s, it's hashlimit by source and with limit +4000/minute connection by ip. But for some big network a limit of 10000/minute is easy to up. – Matthieu Feb 10 '10 at 18:21
  • iptables can also be applied to forwarding rules. Try `iptables -A FORWARD -p tcp --syn -m limit --limit 100/s --limit-burst 50 -j ACCEPT`; the FORWARD chain is for packets that were routed and not for local delivery. See the Wikipedia article on "iptables". – PP. Feb 11 '10 at 10:53
  • You don't understand, we already read manpages, books on netfilter. We already use --limit, --limit-burst. We write some rules like this: iptables -A connlimit -s XXX.XXX.$a.0/24 -m hashlimit --hashlimit-above 4000/minute --hashlimit-mode srcip --hashlimit-burst 100 --hashlimit-htable-size 500 --hashlimit-htable-max 500 --hashlimit-name TOUT-$a -j drophash (and it's already working.) But, what we need to adjust is the hashlimit-above, and we need to estimate the value for big network connection. How can we monitor the number of connection require by some network? – Matthieu Feb 11 '10 at 12:13

PP's answer is pretty good, but you may not want to implement the "DROP" rule at the end until you are certain of the traffic you are dropping. Monitor the LOG rule, and verify that you are not dropping legitimate traffic.

If you are worried about syn-floods, you may want to look at enabling syn-cookies. Syn cookies mitigate the problem of filling your connection table with half-open connections. A good description is at http://cr.yp.to/syncookies.html

  • 899
  • 4
  • 6