I have been getting hit pretty hard every day from thousands of requests all from the same few class's of ip addresses. Recently it's taking up all of my MYSQL connections and not allowing any new connection.
I am now trying to configure my firewall to setup a connection limit.
Here are the rules I currently have
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
I have never messed with IPTables before. To me, it looks like this rule
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
is overwriting the connlimit
What I have been trying to do is take off that global accept rule and add in this rule instead
iptables -A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-upto 10 --connlimit-mask 24 -j ACCEPT
I am receiving the error iptables v1.4.7: unknown option `–connlimit-upto' when I try to add this rule. What am I doing wrong?
Updated with fixes
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -m connlimit ! --connlimit-above 20 --connlimit-mask 24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -m connlimit ! --connlimit-above 5 --connlimit-mask 24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -m connlimit ! --connlimit-above 10 --connlimit-mask 24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -m connlimit ! --connlimit-above 10 --connlimit-mask 24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -m connlimit ! --connlimit-above 10 --connlimit-mask 24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -m connlimit ! --connlimit-above 10 --connlimit-mask 24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -m connlimit ! --connlimit-above 10 --connlimit-mask 24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -m connlimit ! --connlimit-above 10 --connlimit-mask 24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -m connlimit ! --connlimit-above 1 --connlimit-mask 24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -m connlimit ! --connlimit-above 2 --connlimit-mask 24 -j ACCEPT
Thanks!!!
Best Answer
It seems you have version 1.4.7 of
iptables
. The--connlimit-upto
option was added in version 1.4.11, it's mentioned in this changelog. Update youriptables
, as it seems a bit dated (2010 March).