Linux – Limit UDP connections per IP iptables

firewalliptableslinuxudp

I want to limit connections per IP for a specific UDP port. I got it working for TCP, but somehow it doesn't work on UDP. These are my rules:

For TCP (working)

iptables -A INPUT -p tcp --syn --dport 7787 -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --syn --dport 7788 -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset

For UDP

iptables -A INPUT -p udp --dport 7787 -m connlimit --connlimit-above 3 -j REJECT
iptables -A INPUT -p udp --dport 7788 -m connlimit --connlimit-above 3 -j REJECT

According to the man pages this should work (atleast how I understand it), but I still get flooded by single IP's sometimes.

Best Answer

Your question doesn't make sense, as UDP doesn't really have "connections". There's only one conntrack entry that gets set up for each source IP/port.

Related Solutions

Iptables rule to block incoming/outgoing traffic to a Xen container

This rule worked ion my installation:

iptables -I FORWARD 1 -d [client-ip] -p tcp -m tcp --dport 53 -j DROP
iptables -I FORWARD 1 -d [client-ip] -p udp -m udp --dport 53 -j DROP

Notice that netfilter reads rules top-to-bottom and if you have a rule permitting all traffic to this client above (iptables -A adds rule to the end of the table), this new rule won't be reached and won't have effect.

I didn't understand why you use "state" module if you a listing all valid states? It just uses CPU time and has no effect IMHO.

Next, I'm not sure, what is the goal of blocking traffic, going from port 25. If you client sends ab e-mail, he connects to remote server's port 25 but uses one of local ports (32k..64k by default) on his side. Couldn't you explain, what do you want to get as a result?

Iptables – use iptables to limit the number of concurrent http requests per ip

This sounds to me like a bad idea. All you need is two or three browsers coming from the same ip (e.g. a corporate or home gateway), loading ordinary pages and images, and you'll start to get errors. The errors won't be too pretty, and will tend to generate support calls you don't want to have to deal with.

What you want to do is queue the requests, so that only a small number of worker processes or threads are active at once, so you don't exhaust your ram. Your web server software (eg apache our nginx) should do this for you given appropriate configuration; ask another question about that if necessary.

Best Answer

Related Solutions

Iptables rule to block incoming/outgoing traffic to a Xen container

Iptables – use iptables to limit the number of concurrent http requests per ip

Related Topic