Linux – iptables rate-limit module problem


I am using iptables' rate-limit module to prevent DoS attack (I know it cannot stop a full scale DDoS but at least it can help with smaller attacks).

In my rules I have something like:

/sbin/iptables -A INPUT -p TCP -m state --state NEW -d --dport 80 -m limit --limit 20/minute --limit-burst 20 -j ACCEPT

It works well until last night when someone was hitting my port 80 non-stop. The connection was being dropped per the rule alright (as shown in the log). However, it also makes the server unavailable to other legitimate users as well.

I don't understand why it happened like that. I thought it would not affect any other users besides the one that is flooding the server.

Is it because iptables was overwhelmed?

Any feedback would be greatly appreciated.

Thank you!

Best Answer

Your rule does not appear to specify any particular origin. After accepting 20 NEW connections in a minute, it stops accepting NEW connections.

You need to use the recent module in order for iptables to remember where the connections are coming from and blocking people that connect too fast from the same address. This takes two rules: one for iptables to "learn" the address, and then one for iptables to see how many times that address has hit the server in the specified time:

/sbin/iptables -A INPUT -p TCP -m state --state NEW -d --dport 80 -m recent --set
/sbin/iptables -A INPUT -p TCP -m state --state NEW -d --dport 80 -m recent --update --seconds 60 --hitcount 20 -j DROP

This article goes into more details.

Related Topic