Rate limiting connections with iptables

You may find this iptables based method of limiting packets useful. For example, to drop connection from from someone who is trying to brute force your passwords via ssh.

I have a particular case, where a customer wants to be notified if more than X number of SMTP connections are being generated from a particular IP address over a period of time.

Here are the commands..

To drop SSH connection attempts

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

You may consider just logging this information, by replacing ‘DROP’ with ‘LOG’.

For rate limiting SMTP connections with notification just change the dport to 25, utilize the logging option and periodically check for entries.

You may also consider looking at the “–log-prefix” option to distinguish your IPtables log entries.

Refer to http://www.netfilter.org/documentation/index.html for additional detail.