
I currently have this iptables command:

iptables -A INPUT -s ! 192.168.0.2 -p tcp --syn -m connlimit [...] -j DROP

As far as I know, such a rule limits the number of connections according to various parameters, except for 192.168.0.2, which is free to open an unlimited number of TCP connections.

My concern is about excluding more /32 IPs (with no specific range pattern), like:

iptables -A INPUT -s ! IP1 IP2 ... IPN -p tcp --syn -m connlimit [...] -j DROP

How is it possible with iptables?

MadHatter
GPointer

1 Answer


Don't do it like that. People tie themselves in all sorts of knots trying to customise iptables exclusions, but it's not the right way to handle the problem.

Instead, use the first-dispositive-match-wins logic of iptables to work for you. List the exceptions first:

iptables -A INPUT -s 192.168.1.1 -p tcp [...] -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -p tcp [...] -j ACCEPT
iptables -A INPUT -s 192.168.3.3 -p tcp [...] -j ACCEPT

and then the rule:

iptables -A INPUT -p tcp --syn -m connlimit [...] -j DROP

If you don't want to blindly ACCEPT packets from those privileged source IPs, but merely exempt them from further rate-limiting controls, you can move the rate-limiting logic off to a chain on its own, and RETURN to the main INPUT chain (for further processing) packets from sources that you want to exempt from the rate-limiting control:

iptables -N ratelimiter
# exceptions first: RETURN hands the packet back to INPUT instead of ACCEPTing it
iptables -A ratelimiter -s 192.168.1.1 -j RETURN
iptables -A ratelimiter -s 192.168.2.2 -j RETURN
iptables -A ratelimiter -s 192.168.3.3 -j RETURN
# --syn needs -p tcp on the same rule, otherwise iptables rejects the option
iptables -A ratelimiter -p tcp --syn -m connlimit [...] -j DROP
#
iptables -A INPUT -p tcp [...] -j ratelimiter
iptables -A INPUT [ further business-appropriate checks ]
MadHatter
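The dedicated-chain approach above scales to any number of /32 exemptions because each one is just another RETURN rule in front of the DROP. The script below is an added example, not part of the answer or of iptables itself: it generates the chain from a list of exempt addresses so the list can be maintained in one place. The chain name `ratelimiter`, the protected port 22, the limit of 10 connections and the `--connlimit-mask 32` setting are assumptions chosen for illustration; the exempt addresses are a constructed sample list. The function prints the commands rather than executing them, so it can be reviewed (or tested) without root; pipe its output to `sh` as root to apply it.

```shell
#!/bin/sh
# Added example: build an iptables "exception chain" from a list of exempt /32s.
# Assumed values (not from the original answer): chain "ratelimiter", port 22,
# --connlimit-above 10, --connlimit-mask 32.

# Constructed sample list of exempt source addresses, one per line.
EXEMPT_IPS="192.168.1.1
192.168.2.2
192.168.3.3"

# Print the iptables commands that create and populate the chain.
# Usage: gen_ratelimiter_rules CHAIN PORT LIMIT
gen_ratelimiter_rules() {
    chain="$1"; port="$2"; limit="$3"
    printf 'iptables -N %s\n' "$chain"
    # Exceptions first: RETURN sends the packet back to INPUT for the remaining
    # checks instead of ACCEPTing it outright (first dispositive match wins).
    for ip in $EXEMPT_IPS; do
        printf 'iptables -A %s -s %s -j RETURN\n' "$chain" "$ip"
    done
    # Anything not exempted is subject to the per-source connection limit.
    # --syn must be paired with -p tcp on the same rule.
    printf 'iptables -A %s -p tcp --syn -m connlimit --connlimit-above %s --connlimit-mask 32 -j DROP\n' \
        "$chain" "$limit"
    # Hook the chain into INPUT for the protected port; later INPUT rules still
    # see packets that RETURNed from the chain.
    printf 'iptables -A INPUT -p tcp --dport %s -j %s\n' "$port" "$chain"
}

# Sanity check: number of rules the generator emits for the given arguments.
count_rules() {
    gen_ratelimiter_rules "$@" | wc -l | tr -d ' '
}

# Review the generated ruleset; apply with: gen_ratelimiter_rules ratelimiter 22 10 | sudo sh
gen_ratelimiter_rules ratelimiter 22 10
```

Because every exemption is a separate RETURN rule placed before the DROP, adding or removing an address only changes the list at the top; the order guarantee is what makes the approach correct, so check the generated output before applying it.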