mobile logo

Rate limiting connections with iptables

posted on October 17, 2007 / IN Linux / Quick Tip / 3 Comments

You may find this iptables based method of limiting packets useful. For example, to drop connection from from someone who is trying to brute force your passwords via ssh.

I have a particular case, where a customer wants to be notified if more than X number of SMTP connections are being generated from a particular IP address over a period of time.

Here are the commands..

To drop SSH connection attempts

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

You may consider just logging this information, by replacing ‘DROP’ with ‘LOG’.

For rate limiting SMTP connections with notification just change the dport to 25, utilize the logging option and periodically check for entries.

You may also consider looking at the “–log-prefix” option to distinguish your IPtables log entries.

Refer to http://www.netfilter.org/documentation/index.html for additional detail.

By admin

Tagged With

3 Comments

Please use the form to leave a comment

    • Tapas Mishra
      Posted on November 8, 201010:49 pm Reply

      The above set of rules will not work correctly.
      You need to swap rule 2 in your article by rule 1 then it will work.
      i.e
      first
      iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –update –seconds 60 –hitcount 4 -j DROP
      and then
      iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –set

Page 1 of 1

Leave a comment.