Limit max connections per IP address and new connections per second with iptables

We have an Ubuntu 12.04 server with httpd on port 80 and we want to limit:
- the maximum connections per IP address to httpd to 10
- the maximum new connections per second to httpd to 150
How can we do this with iptables?
Tags: iptables, limit
edited Jul 10 '14 at 21:57
Cristian Ciupitu
asked Jun 26 '14 at 6:58
evachristine
3 Answers
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
This will reject connections above 15 from one source IP.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 150/second --limit-burst 160 -j ACCEPT
Here, 160 new connections (packets, really) are allowed before the limit of 150 NEW connections (packets) per second is applied.
edited Jun 3 '15 at 16:06
Dan Pritts
answered Jul 4 '14 at 15:59
totti
Can the above be set up to work on all ports, not just port 80?
– EminezArtus
Mar 7 '15 at 6:00
Are you sure this is per IP?
– LatinSuD
Jun 9 '15 at 6:41
To set this rule for all ports, just remove the --dport 80.
– Dan Pritts
Jun 11 '15 at 15:11
The second rule does NOT work on "new connections". It explicitly affects existing ("ESTABLISHED") connections. To do new connections, you would want --state NEW. You might also consider using -m conntrack --ctstate in place of -m state --state. conntrack is new and improved vs. state.
– Dan Pritts
Jun 11 '15 at 15:14
The comment above for adding the 2nd rule to NEW connections - do not do that - it effectively turns your INPUT chain into a default accept!!!
– Stuart Cardall
Apr 23 '17 at 5:40
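As an added example that is not part of the answer above or its comments: a shell function that emits a complete filter-table ruleset, in iptables-restore format, implementing both limits from the question on top of a default-DROP INPUT chain. It takes the comment thread's correction into account: the rate limit matches --syn packets in conntrack state NEW (not RELATED,ESTABLISHED), is restricted to --dport 80 so it cannot become a catch-all accept, and is followed by an explicit DROP so over-limit SYNs never fall through to a permissive rule. The numbers 10, 150 and 160 come from the question and the answer; the function name, the REJECT-with-tcp-reset choice for the per-IP cap, and the loopback/INVALID rules are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answers). Emits an iptables-restore
# ruleset that enforces a per-IP connection cap and a global rate cap on NEW
# connections to port 80, with a DROP policy so "limited ACCEPT" really limits.
# Parameters default to the values in the question; all are assumptions to tune.

gen_http_rules() {
    per_ip="${1:-10}"   # max open connections from one /32
    rate="${2:-150}"    # sustained new connections per second
    burst="${3:-160}"   # SYNs admitted at once before the rate applies
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then packets of connections already accepted. RELATED,ESTABLISHED
# only: this rule can never admit a brand-new connection.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 1) Per-source cap: reset the SYN once a single /32 already holds ${per_ip}
#    connections (the client sees an immediate refusal rather than a timeout).
-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above ${per_ip} --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# 2) Global rate cap on NEW connections to port 80: ${burst} SYNs pass at once,
#    then ${rate}/s. The explicit DROP right after it catches the overflow, so
#    no later rule can accept what the limit refused.
-A INPUT -p tcp --syn --dport 80 -m conntrack --ctstate NEW -m limit --limit ${rate}/second --limit-burst ${burst} -j ACCEPT
-A INPUT -p tcp --syn --dport 80 -j DROP
# Everything else (other ports, untracked non-SYN packets) hits the DROP policy.
COMMIT
EOF
}

# Usage (as root):  gen_http_rules 10 150 160 | iptables-restore
# Review the output first; loading it replaces the whole filter table.
```

The order matters: the connlimit rule sits in front of the rate limiter so that a single abusive source is cut off before it can consume the global SYN budget, and the trailing `--dport 80 -j DROP` is what prevents the default-accept problem the comments warn about.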
You want the following rules in your iptables to answer both requirements in your question:
iptables -t filter -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -I INPUT -p tcp --dport 80 -m state \
    --state RELATED,ESTABLISHED -j ACCEPT
# Adjust "--connlimit-above NN" to limit the maximum connections per IP
# that you need.
iptables -t filter -I INPUT -p tcp --syn --dport 80 -m connlimit \
    --connlimit-above 10 --connlimit-mask 32 -j DROP
# Adjust "--connlimit-above NNN" to the maximum total connections you
# want your web server to support
# (--connlimit-mask 0 groups every source address together, which is what
# makes this a total cap; the default mask of 32 would count per source IP)
iptables -t filter -I INPUT -p tcp --syn --dport 80 -m connlimit \
    --connlimit-above 150 --connlimit-mask 0 -j DROP
Because we are using -I (as per the OP request) we have to do them in reverse order, so 'read' them from the bottom up.
I also suggest considering changing --connlimit-mask NN from 32 to 24. This will limit a full Class-C network (max 256 IP addresses in the same range) to 10 connections. You could also use any other classless number like 22 or 30 depending on how you think your service might be used.
Also, depending on how you want the client to behave, you might want to use "-j REJECT --reject-with tcp-reset" instead of "-j DROP" in the two rules above, or even only in the 150 connections max rule.
If you REJECT the connection, the browser or software using port 80 will show a "not available" status immediately, but the DROP option will cause the client to wait and retry a few times before reporting the site as not available. I tend to lean to the DROP myself as it behaves more like a bad connection than an offline server.
Also, if the connection limit drops back down below 150 (or 10) while it is still retrying, then it will finally get through to your server.
The REJECT option will cause a fraction less traffic to your site, however, as DROP will cause it to send additional packets while it retries. Probably not all that relevant.
If on the other hand your port 80 traffic is part of a cluster, then REJECT will tell the cluster controller that it's down and to stop sending traffic to it for the duration of its retry timeout.
The RELATED,ESTABLISHED rule is there under the assumption your default rule is to block all traffic (iptables -t filter -P INPUT DROP). This just accepts further packets belonging to accepted connections.
Also, --syn tells it to pay attention to (or count) the packets that set up a TCP connection.
edited Aug 6 '14 at 8:08
answered Jul 10 '14 at 9:09
Ian Macintosh
Thanks for walking through the minutia of these commands.
– txyoji
Feb 19 '16 at 20:30
Can I get --connlimit-mask to only block that specific IP address and not an entire range?
– Analog
Feb 26 '16 at 16:55
The --connlimit-mask 32 is a single address limit. I.e., it is like a /32 netmask. Anything less, like 24, is like a /24 netmask, ignoring the lower 8 bits.
– Ian Macintosh
Feb 26 '16 at 20:39
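Added example, not from this answer or its comments: once rules like these are loaded, the useful check is against the live chain rather than the commands you typed, because -I ordering and a forgotten default policy are easy to get wrong. The function below reads the output of `iptables -S INPUT` and reports the failure modes discussed in this thread: an INPUT policy that is not DROP/REJECT (a rate-limited ACCEPT in front of an ACCEPT policy limits nothing), an ACCEPT rule that admits NEW connections without a --dport restriction (the "default accept" pitfall), and a missing connlimit rule. The two sample rulesets are constructed to resemble `iptables -S` output; the function name and the finding messages are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answers): audit "iptables -S INPUT"
# output for the mistakes discussed in the thread. Prints one FINDING: line per
# problem and nothing when the chain is clean; always returns 0 so it can be
# used in a pipeline:   iptables -S INPUT | audit_input_chain

audit_input_chain() {
    policy_ok=0
    have_connlimit=0
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT DROP"|"-P INPUT REJECT") policy_ok=1 ;;
        esac
        case "$line" in
            *"-m connlimit "*) have_connlimit=1 ;;
        esac
        case "$line" in
            *"-j ACCEPT"*) ;;
            *) continue ;;            # only ACCEPT rules can widen exposure
        esac
        case "$line" in
            *"-i lo "*) continue ;;   # loopback may be accepted wholesale
            *"-p icmp "*) continue ;; # not a TCP connection
            *"--dport "*|*"--dports "*) continue ;;  # scoped to a port
        esac
        # Argument of --state / --ctstate, if the rule has one.
        state=$(printf '%s\n' "$line" | sed -n 's/.*--\(ct\)\{0,1\}state \([^ ]*\).*/\2/p')
        case "$state" in
            "")    ;;                 # no state match: accepts NEW as well
            *NEW*) ;;                 # explicitly accepts NEW
            *)     continue ;;        # e.g. RELATED,ESTABLISHED: cannot open a connection
        esac
        printf 'FINDING: accepts new connections on any port: %s\n' "$line"
    done
    [ "$policy_ok" -eq 1 ] || printf 'FINDING: INPUT policy is not DROP/REJECT; a limited ACCEPT limits nothing\n'
    [ "$have_connlimit" -eq 1 ] || printf 'FINDING: no connlimit rule; the per-IP cap is not enforced\n'
    return 0
}

# Constructed sample: the first answer's rules plus the "--state NEW" variant
# from the comments, behind an ACCEPT policy. Expect two findings.
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 150/sec --limit-burst 160 -j ACCEPT
-A INPUT -m state --state NEW -m limit --limit 150/sec --limit-burst 160 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 15 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset'

# Constructed sample: DROP policy, per-IP cap, NEW-only rate limit scoped to
# port 80 and backed by an explicit DROP. Expect no findings.
SAMPLE_GOOD='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m limit --limit 150/sec --limit-burst 160 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP'

# printf '%s\n' "$SAMPLE_BAD" | audit_input_chain
```

Note that `iptables -S` renders `--syn` as `--tcp-flags FIN,SYN,RST,ACK SYN` and `150/second` as `150/sec`, so match on what the kernel reports, not on the text of the commands you ran.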
You need to use the connlimit module, which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).
/sbin/iptables -I INPUT -p tcp --syn --dport 80 -m connlimit \
    --connlimit-above 10 -j DROP
edited Jun 26 '14 at 12:58
slm♦
answered Jun 26 '14 at 8:56
Raman_Singh
I updated your answer, I hope it's still OK (why is "--syn" needed?). And how about the "The maximum connection per second (port 80, tcp) to 150"? Thank you!
– evachristine
Jun 26 '14 at 12:39
--syn means that the rule only looks at TCP packets with the SYN flag, which means new connections. You could do roughly the same with -m state --state NEW, but this is probably faster.
– Dan Pritts
Jun 3 '15 at 15:47
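Added example, not from this answer or its comments: the per-second part of the question is handled by `-m limit`, and the comment thread on the first answer shows how easy it is to misread what `--limit 150/second --limit-burst 160` actually admits. The function below models the match as a token bucket: the bucket starts full with `burst` tokens, refills at `rate` tokens per second, each matching SYN spends one token, and a SYN that finds the bucket empty does not match and falls through to the next rule. Feeding it constructed arrival times (in milliseconds) shows the "160 at once, then 150 per second" behaviour the answer describes. This is a simplified model of the kernel's xt_limit credit arithmetic, which is an assumption of this example; the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the original answers): token-bucket model of
# "-m limit --limit RATE/second --limit-burst BURST". Times are milliseconds;
# tokens are scaled by 1000 so the refill is exact integer arithmetic
# (RATE tokens per second == RATE millitokens per millisecond).

# limit_sim RATE BURST "t1 t2 t3 ..."   ->  prints "<matched> <fell_through>"
limit_sim() {
    rate=$1; burst=$2; arrivals=$3
    cap=$((burst * 1000))      # bucket capacity in millitokens
    tokens=$cap                # the bucket starts full
    last=0; hit=0; miss=0
    for t in $arrivals; do
        tokens=$((tokens + (t - last) * rate))   # refill for elapsed time
        if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
        last=$t
        if [ "$tokens" -ge 1000 ]; then
            tokens=$((tokens - 1000)); hit=$((hit + 1))   # rule matches (ACCEPT)
        else
            miss=$((miss + 1))                            # falls through (DROP)
        fi
    done
    printf '%s %s\n' "$hit" "$miss"
}

# flood_at T N : N SYNs arriving in the same instant T (a SYN flood)
flood_at() {
    i=0; s=""
    while [ "$i" -lt "$2" ]; do s="$s $1"; i=$((i + 1)); done
    printf '%s' "$s"
}

# every MS N : N SYNs spaced MS milliseconds apart, starting at 0
every() {
    i=0; s=""
    while [ "$i" -lt "$2" ]; do s="$s $((i * $1))"; i=$((i + 1)); done
    printf '%s' "$s"
}

# Constructed scenarios for the values in the question/answer:
#   300 SYNs at once            -> 160 match, 140 fall through
#   another 300 one second later -> only 150 more match (bucket refilled 150)
#   200 SYNs at 100/s           -> all match; below the rate the burst never drains
#   800 SYNs at 200/s           -> the burst absorbs the first 637, then 3 in 4
limit_sim 150 160 "$(flood_at 0 300)"
limit_sim 150 160 "$(flood_at 0 300) $(flood_at 1000 300)"
limit_sim 150 160 "$(every 10 200)"
limit_sim 150 160 "$(every 5 800)"
```

The practical reading: `--limit-burst` is the number of new connections you are willing to absorb instantly, `--limit` is the steady-state ceiling, and a client that stays under the steady rate never touches the burst. What happens to the SYNs that fall through depends entirely on the rule after the limiter, which is why the first answer's comments insist that it must not be a bare accept.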