I want to perform rate limiting per source IP in iptables. For example, limit the rate at which a host can establish new SSH connections to 5 per minute. To my knowledge there are two ways of doing this:
With the hashlimit module
# Per-source-IP token bucket: --hashlimit-above matches once a source has used
# up its burst (default --hashlimit-burst 5) and is exceeding 5 new connections
# per minute. The REJECT rule has to come before the ACCEPT rule.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m hashlimit --hashlimit-name SSH --hashlimit-above 5/min \
    --hashlimit-mode srcip -j REJECT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
With the recent module
# --rcheck only reads the list: REJECT when this source already has 5 hits
# recorded within the last 60 seconds. Only the ACCEPT rule (--set) records a
# hit, so rejected attempts do not extend the window.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
    --rcheck --seconds 60 --hitcount 5 --name SSH --rsource -j REJECT
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
    -m recent --set --name SSH --rsource -j ACCEPT
My questions:
- Is there any difference in how these two will behave?
- With an emphasis on performance, which one is preferable?
- Is there a significant downside to using both modules?
Best Answer
No, what you wrote will functionally do the same thing.
Arguably, recent has better performance because it maintains a table but does not use hash buckets.
I'm not sure why you would use both. You would have the performance impact of using both modules when you only need one.
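To make the first question concrete, here is an added model (not part of the question or the answer, and not kernel code) that replays the same per-IP stream of NEW connections through both rule sets. hashlimit is modelled as the token bucket the limit/hashlimit man pages describe (each source's bucket starts with --hashlimit-burst tokens, default 5, and is refilled at the configured rate); recent is modelled as the per-address list of timestamps that --rcheck reads and --set appends to. The addresses and timings are constructed, and the model ignores hashlimit's hash-table expiry and the kernel's integer credit arithmetic.

```python
"""Simplified, per-source-IP model of the two iptables rule sets.

hashlimit: --hashlimit-above 5/min --hashlimit-mode srcip (burst default 5)
recent:    --rcheck --seconds 60 --hitcount 5 ... -j REJECT, then --set -j ACCEPT

Added illustration only; sample traffic below is constructed.
"""
from collections import defaultdict


class HashlimitAbove:
    """Token bucket per source address, as the hashlimit man page describes it.

    A packet that finds a token is *not* above the limit, so the REJECT rule
    does not match and the following ACCEPT rule lets it through.
    """

    def __init__(self, rate_per_min=5.0, burst=5):
        self.rate = rate_per_min / 60.0      # tokens per second
        self.burst = burst                   # --hashlimit-burst (default 5)
        self.buckets = {}                    # ip -> (tokens, last_seen)

    def accepts(self, ip, t):
        tokens, last = self.buckets.get(ip, (float(self.burst), t))
        tokens = min(float(self.burst), tokens + (t - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[ip] = (tokens - 1.0, t)
            return True                      # within rate: ACCEPT rule
        self.buckets[ip] = (tokens, t)
        return False                         # above rate: REJECT rule


class RecentHitcount:
    """Sliding window over the timestamps xt_recent keeps per address.

    --rcheck only reads the list: it matches when the source already has at
    least `hitcount` stamps newer than `seconds`. Only the ACCEPT rule (--set)
    adds a stamp, so rejected attempts do not extend the window.
    """

    def __init__(self, seconds=60, hitcount=5, max_stamps=20):
        self.seconds = seconds
        self.hitcount = hitcount
        self.max_stamps = max_stamps         # xt_recent default ip_pkt_list_tot
        self.stamps = defaultdict(list)      # ip -> timestamps, oldest first

    def accepts(self, ip, t):
        hits = sum(1 for s in self.stamps[ip] if t - s <= self.seconds)
        if hits >= self.hitcount:
            return False                     # --rcheck matched: REJECT rule
        self.stamps[ip].append(t)            # --set: record this connection
        del self.stamps[ip][:-self.max_stamps]  # keep only the newest stamps
        return True


def simulate(events, hl=None, rc=None):
    """Feed (ip, seconds) NEW-connection events to both models in time order.

    Returns [(ip, t, hashlimit_accepts, recent_accepts), ...].
    """
    hl = hl or HashlimitAbove()
    rc = rc or RecentHitcount()
    return [(ip, t, hl.accepts(ip, t), rc.accepts(ip, t))
            for ip, t in sorted(events, key=lambda e: e[1])]


# Constructed traffic: one host makes six attempts in five seconds, retries at
# 20 s and again at 70 s; a second host makes a single attempt at 5 s.
SAMPLE_EVENTS = ([("203.0.113.7", t) for t in (0, 1, 2, 3, 4, 5, 20, 70)]
                 + [("198.51.100.2", 5)])

if __name__ == "__main__":
    for ip, t, h, r in simulate(SAMPLE_EVENTS):
        print(f"t={t:3d}s {ip:14} "
              f"hashlimit={'ACCEPT' if h else 'REJECT'} "
              f"recent={'ACCEPT' if r else 'REJECT'}")
```

With 5/min and the default burst of 5, both models reject the sixth attempt inside the first five seconds. At t=20 s they part ways: the token bucket has refilled one token, so hashlimit accepts, while recent still counts five stamps inside its 60-second window and rejects until the oldest one ages out at t=70 s. The difference is in what the two modules measure rather than in the rules as written: hashlimit enforces an average rate with a burst allowance, recent enforces a hard ceiling on accepted hits per sliding window. The second host is unaffected by the first in both models, which is the per-source-IP property the question asks for.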