17 Oct 2007

Rate limiting connections with iptables 

By - Linux, Quick Tip 3 Comments

You may find this iptables based method of limiting packets useful, for example to drop connections from someone who is trying to brute-force your passwords via SSH.

I have a particular case, where a customer wants to be notified if more than X number of SMTP connections are being generated from a particular IP address over a period of time.

Here are the commands.

To drop repeated SSH connection attempts (more than 4 new connections from the same address within 60 seconds):

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

You may consider just logging this information instead, by replacing ‘DROP’ with ‘LOG’.

For rate limiting SMTP connections with notification, change the dport to 25, use the LOG target instead of DROP, and periodically check the log for entries.

You may also consider the “--log-prefix” option of the LOG target to distinguish your iptables log entries from other kernel messages.

Refer to http://www.netfilter.org/documentation/index.html for additional detail.
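The following script is an added example, not code from the original post: it builds the two rules above for any port, naming the recent list so the SSH and SMTP counters stay separate, and then scans LOG output for addresses that crossed the threshold. It assumes interface eth0 as in the post; by default it only prints the iptables commands (DRY_RUN=1), and the log lines it scans are constructed here to resemble kernel LOG output rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not the original post's code). Rate-limit rules via the
# 'recent' match, plus a scanner for the LOG lines they produce.

# build_rules PORT HITS SECONDS ACTION [PREFIX]
# Emits (or applies, with DRY_RUN=0) the two-rule recipe from the post.
# Assumes the interface is eth0, as in the post.
build_rules() {
    port="$1"; hits="$2"; secs="$3"; action="$4"; prefix="$5"
    run=iptables
    [ "${DRY_RUN:-1}" = "1" ] && run="echo iptables"
    list="ratelimit_$port"   # separate counters per port
    common="-I INPUT -p tcp --dport $port -i eth0 -m state --state NEW -m recent --name $list"
    # The --set rule is inserted first; the second -I lands above it, so the
    # chain evaluates --update before --set, as the post's two commands do.
    $run $common --set
    if [ "$action" = LOG ]; then
        # LOG is non-terminating: the packet continues down the chain.
        $run $common --update --seconds "$secs" --hitcount "$hits" \
            -j LOG --log-prefix "$prefix"
    else
        $run $common --update --seconds "$secs" --hitcount "$hits" -j "$action"
    fi
}

# over_threshold PREFIX MIN  (log lines on stdin)
# Prints "SRC-address count" for every source whose LOG entries with the
# given prefix number at least MIN; this is the "periodically check" step.
over_threshold() {
    prefix="$1"; threshold="$2"
    grep -F -- "$prefix" | awk -v min="$threshold" '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { split($i, a, "="); n[a[2]]++ }
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' | sort
}

# Constructed sample log (not captured from a real system). Addresses are from
# the RFC 5737 documentation ranges; one SSH line shows the prefix filter at work.
SAMPLE_LOG=$(cat <<'EOF'
Oct 17 10:00:01 mx kernel: SMTP-RATE: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=25 SYN
Oct 17 10:00:02 mx kernel: SMTP-RATE: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=25 SYN
Oct 17 10:00:03 mx kernel: SSH-RATE: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=33000 DPT=22 SYN
Oct 17 10:00:05 mx kernel: SMTP-RATE: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=25 SYN
Oct 17 10:00:09 mx kernel: SMTP-RATE: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51236 DPT=25 SYN
Oct 17 10:00:12 mx kernel: SMTP-RATE: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=25 SYN
Oct 17 10:00:15 mx kernel: SMTP-RATE: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51237 DPT=25 SYN
EOF
)

# Stand-alone usage: show the SMTP rules, then list sources with 3+ entries.
build_rules 25 4 60 LOG "SMTP-RATE: "
printf '%s\n' "$SAMPLE_LOG" | over_threshold "SMTP-RATE: " 3
```

Two caveats worth knowing when you turn this into a real notification: the LOG target writes a line for every matching packet, so on a busy port pair it with `-m limit` or check the prefix-filtered log at a fixed interval rather than tailing it; and xt_recent only keeps a bounded number of timestamps per address (20 by default), so a `--hitcount` above that needs the module's `ip_pkt_list_tot` parameter raised.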

3 Responses to “Rate limiting connections with iptables”

  1. Rate-limiting SSH connections with iptables | Slaptijack says:

    [...] can find more information on this concept at MNX Solutions and HostingFu. | [...]

  2. Tapas Mishra says:

    The above set of rules will not work correctly.
    You need to swap rule 2 in your article by rule 1, then it will work.
    i.e.
    first
    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
    and then
    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
