I want to limit the number of ALL incoming NEW connections on a port, not only from one IP, something like:

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/s -j DROP

But I don't understand what's wrong. It worked once or twice, I tried different limits, and after that it now drops all new connections. (Yes, I flushed iptables each time before adding the rule in its various forms.)

EDIT1: I have tried

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 5 --hitcount 5 --name SSH -j DROP

and it seems to work. Will this affect all connections or only the ones from the same IP?

Shocker

1 Answer

If you want to limit the number of new connections to 3/s, you have to change the rule target to be ACCEPT instead of DROP:

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/s -j ACCEPT

You can read from man iptables:

limit
   This module matches at a limited rate using a token bucket filter.
   A rule using this extension will match until this limit is reached

So, your rule will drop all new connections until the limit is reached!!!

Khaled
  • I have tried the rule you gave me and it seems it doesn't do what I want. I have tested it like this: `for ($i = 0; $i < 10; $i++) { $f = fsockopen("IP_HERE", 22, $err, $err2, 1); echo "Opening #$i: ".($f ? "OK" : "FAILED, timeout 1s")."\n"; }` And it *instantly* creates 10 connections, when it should have created only 3 per second, right?
    – Shocker Apr 10 '12 at 14:49
  • @Shocker: You need to create a `DROP` rule after this, or have the default `INPUT` policy set to `DROP` depending on your rules config. Otherwise, all connections will be accepted. – Khaled Apr 10 '12 at 14:55
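A simulation of the `limit` match's token bucket (an added example, not code from the thread), using the kernel's default `--limit-burst` of 5, run over the three rule orderings discussed above: the question's `DROP` rule, the answer's `ACCEPT` rule with nothing after it, and `ACCEPT` followed by a catch-all `DROP` as Khaled's comment advises. The arrival list is constructed to mimic the ten-connection PHP loop; the token-bucket model is a simplification of the kernel's xt_limit accounting.

```python
class LimitMatch:
    """Model of the iptables 'limit' match: a token bucket refilled at
    `rate` tokens/s, holding at most `burst` tokens (default --limit-burst 5).
    match() is True while a token is available, i.e. the rule matches
    *until* the limit is reached, exactly as the man page says."""

    def __init__(self, rate, burst=5):
        self.rate = float(rate)
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full
        self.last = 0.0              # timestamp of the previous packet

    def match(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(rules, arrivals):
    """Walk each NEW SYN (a timestamp in seconds) down an ordered rule list.
    A rule is (match_or_None, verdict); None always matches (catch-all).
    Falling off the end means the chain policy applies (ACCEPT here)."""
    verdicts = []
    for t in arrivals:
        verdict = "ACCEPT(policy)"
        for match, target in rules:
            if match is None or match.match(t):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts


def compare(arrivals):
    """Run the same arrivals through the three rule sets from the thread."""
    asked = [(LimitMatch(3), "DROP")]                          # question's rule
    accept_only = [(LimitMatch(3), "ACCEPT")]                  # answer, nothing after it
    accept_then_drop = [(LimitMatch(3), "ACCEPT"), (None, "DROP")]  # answer + comment
    return {
        "asked": simulate(asked, arrivals),
        "accept_only": simulate(accept_only, arrivals),
        "accept_then_drop": simulate(accept_then_drop, arrivals),
    }


# Constructed input: the questioner's loop, ten SYNs arriving at once.
TEN_AT_ONCE = [0.0] * 10

if __name__ == "__main__":
    for name, v in compare(TEN_AT_ONCE).items():
        print(f"{name:17} dropped={v.count('DROP')} accepted={len(v) - v.count('DROP')}")
```

With the question's rule the first five connections (the burst) are dropped and the rest fall through to the policy, which is the inverse of the intent; with `ACCEPT` alone every connection gets through, matching the "instantly creates 10 connections" observation.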