Iptables – Limit incoming connections using iptables per IP

iptables

I need to limit access to some port per IP. Let's say 5 connections per minute – not more.

I've seen iptables recent, connlimit and limit, but all of them are not fitting exactly what I need.

Suppose you have a client trying to connect every second. In my scenario I need to allow 5 packets each minute.

recent: If some IP tries to connect every 1 second, --hitcount 5 will memorize this IP and keep it in the list until no packets come within the --seconds 60 time. So, it will limit the client permanently in my scenario.

limit: This one limits as I wish with --limit 5/min, but for all IPs – no way to specify this per IP.

connlimit: Limits number of simultaneous connections, not per some time.

In fact, I need a mixture of limit + recent. Who knows how to do it?

Best Answer

I think that this is what you need to limit each source IP to a specified rate.

-m hashlimit --hashlimit-mode srcip --hashlimit-upto 5/min

Detailed examples are given in the URLs below.

http://www.mauromascia.com/blog/limiting-concurrent-connections-per-ip/?lang=it

http://etel.wiki.oreilly.com/wiki/index.php/SIP_DoS/DDoS_Mitigation

http://ipset.netfilter.org/iptables-extensions.man.html
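The hashlimit fragment from the answer turned into a complete ruleset, as an added example that is not part of the original answer. It assumes a TCP service on port 2222 (a placeholder) and counts only new connections (--syn); --hashlimit-name is mandatory, and the burst and table-expire values are chosen to match the "5 per minute per IP" requirement.

```shell
#!/bin/sh
# Per-source-IP rate limit with the hashlimit match.
# hashlimit keeps a token bucket per source address:
#   --hashlimit-upto 5/min   refills one token every 12 seconds
#   --hashlimit-burst 5      bucket size, so an idle client may open 5
#                            connections at once, then one per 12 s
# --syn counts only the first packet of a TCP connection, so an established
# session is never throttled packet by packet.
# --hashlimit-htable-expire 60000 keeps an entry for 60 s (milliseconds) after its
# last match; a shorter expiry would hand a source a fresh full bucket after a
# brief pause and defeat the per-minute budget.

hashlimit_rules() {
    port=$1; rate=$2; burst=$3
    name="port${port}_limit"          # table name, also shown under /proc
    # New connections within the per-IP budget are accepted ...
    printf '%s\n' "iptables -A INPUT -p tcp --dport $port --syn -m hashlimit --hashlimit-mode srcip --hashlimit-name $name --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-htable-expire 60000 -j ACCEPT"
    # ... and any further SYN from the same source is dropped until tokens refill.
    printf '%s\n' "iptables -A INPUT -p tcp --dport $port --syn -j DROP"
}

# Per-source bucket state can be inspected while the rule is loaded:
show_state() {
    cat "/proc/net/ipt_hashlimit/$1"
}

# Print the rules by default; apply them only when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    hashlimit_rules 2222 5/min 5 | sh
else
    hashlimit_rules 2222 5/min 5
fi
```

Run the script without arguments to review the generated rules, and with `--apply` (as root) to load them.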