How do I restrict the number of connections used by a single IP address to my server for port 80 and 25 using iptables?
You need to use the connlimit module, which allows you to restrict the number of parallel TCP connections to a server per client IP address (or per address block). It counts connections tracked by conntrack, so it caps how many connections a client may hold open at once; it does not by itself limit how fast new connections arrive (see the recent-module example further down for that).
This is useful to protect your server or VPS box against flooding, spamming or content scraping.
Syntax
The syntax is as follows (N is the number of parallel connections allowed per client; the N+1th and later SYNs are rejected):
/sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page); the following is RedHat and friends specific:
service iptables save
Example: Limit SSH Connections Per IP / Host
Only allow 3 SSH connections per client host:
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# save the changes (see the iptables-save man page); the following is RedHat and friends specific:
service iptables save
Example: Limit HTTP Connections Per IP / Host
Only allow 20 HTTP connections per IP (MaxClients is set to 60 in httpd.conf):
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page); the following is RedHat and friends specific:
service iptables save
WARNING! Please note that large proxy servers may legitimately create a large number of connections to your server. You can skip those IPs using the ! (negation) syntax on the source address.
Skip proxy server IP 1.2.3.4 from this kind of limitation. The proxy is the client, so negate the source address with ! -s; negating -d (the destination, i.e. your own server address) would not exempt anyone:
/sbin/iptables -A INPUT -p tcp --syn --dport 80 ! -s 1.2.3.4 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
Example: Class C Limitations
In this example, limit the parallel HTTP connections to 20 per class C sized network (24-bit netmask). --connlimit-mask groups source addresses by prefix length, so all hosts in one /24 share the budget of 20:
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page); the following is RedHat and friends specific:
service iptables save
Example: Limit Connections Per Second
The following example drops new connections from an IP that has made 10 or more connection attempts to port 80 within 100 seconds (add the rules to your iptables shell script). The first rule records every new connection's source in the recent list; the second matches once the source has been seen BLOCKCOUNT times within PERIOD seconds. Because --update also refreshes the entry's timestamp, a client that keeps retrying stays blocked until it has been quiet for the whole window.
#!/bin/bash
IPT=/sbin/iptables
# Time window in seconds (not named SECONDS: bash reserves that variable as a running counter)
PERIOD=100
# Max new connections per IP within the window
BLOCKCOUNT=10
# ....
# ..
# default action can be DROP or REJECT
DACTION="DROP"
# record the source IP of every new connection to port 80
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# drop once the source has hit the list BLOCKCOUNT times within PERIOD seconds
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${PERIOD} --hitcount ${BLOCKCOUNT} -j ${DACTION}
# ....
# ..
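The following script is an added example, not code from the original article: it ties the pieces above together for the two ports the title asks about (80 and 25), exempts an allow-list of proxies before the limiters, adds a per-/24 limit and the recent-module rate limiter, refuses to stack duplicate rules on re-runs, and checks that the kernel actually offers the connlimit match (the cause of the "No chain/target/match by that name" error). The PROXIES list and the numeric limits are constructed for illustration; the DRY_RUN mode only prints the iptables commands it would run.

```shell
#!/bin/bash
# Added example, not code from the original article: build the connlimit rules
# for ports 80 and 25 plus the recent-module rate limiter, skip proxies, and
# refuse to run when the kernel has no connlimit match (the error several
# readers hit). Assumptions: iptables is on PATH; PROXIES is a constructed
# allow-list; the limits are illustrative.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}                 # DRY_RUN=1 prints commands instead of running them
PROXIES="203.0.113.10 198.51.100.7"   # constructed: proxies allowed many connections

# One connlimit rule. mask 32 = per client host, 24 = per /24 source block.
connlimit_rule() {
    port=$1; limit=$2; mask=${3:-32}
    echo "INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above $limit --connlimit-mask $mask -j REJECT --reject-with tcp-reset"
}

# ACCEPT rule for one exempt source; must sit before the limiter in the chain.
exempt_rule() {
    echo "INPUT -p tcp --syn --dport $1 -s $2 -j ACCEPT"
}

# Rate limiter from the recent-module example: the --set rule records the
# source, the --update rule drops once HITS new connections arrived within SECS
# seconds (and refreshes the timer, so a client that keeps retrying stays blocked).
ratelimit_rules() {
    port=$1; hits=$2; secs=$3
    echo "INPUT -p tcp --syn --dport $port -m conntrack --ctstate NEW -m recent --name rl$port --set"
    echo "INPUT -p tcp --syn --dport $port -m conntrack --ctstate NEW -m recent --name rl$port --update --seconds $secs --hitcount $hits -j DROP"
}

# Append a rule unless an identical one exists (-C exits 0 when it matches),
# so re-running the script does not stack duplicates.
apply_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT -A $1"
        return 0
    fi
    # shellcheck disable=SC2086  # word splitting of the rule spec is intended
    $IPT -C $1 2>/dev/null || $IPT -A $1
}

# "No chain/target/match by that name" means the kernel lacks the match:
# look for it among the registered matches, else try to load xt_connlimit.
has_connlimit() {
    grep -qx connlimit /proc/net/ip_tables_matches 2>/dev/null ||
        modprobe xt_connlimit 2>/dev/null
}

main() {
    if [ "$DRY_RUN" != 1 ] && ! has_connlimit; then
        echo "connlimit match not available in this kernel" >&2
        return 1
    fi
    for port in 80 25; do
        for ip in $PROXIES; do
            apply_rule "$(exempt_rule "$port" "$ip")"
        done
    done
    apply_rule "$(connlimit_rule 80 20)"       # 20 parallel HTTP connections per host
    apply_rule "$(connlimit_rule 80 100 24)"   # 100 per /24 source block
    apply_rule "$(connlimit_rule 25 10)"       # 10 parallel SMTP connections per host
    ratelimit_rules 80 10 100 | while read -r spec; do
        apply_rule "$spec"
    done
}

# Run only when asked:  sh limit.sh apply   (or  DRY_RUN=1 sh limit.sh apply)
if [ "${1:-}" = apply ]; then
    main
fi
```

Run it once with DRY_RUN=1 to review the generated commands, then as root without it; the ACCEPT rules for the proxies are appended before the REJECT rules so they win in the chain, and the `-C` check makes the script safe to re-run from cron or a config tool.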
How Do I Test That My Firewall Is Working?
Use the following shell script to connect to your web server hosted at 202.1.2.3. Note that it opens connections one after another, each closing before the next starts, so it exercises the connections-per-second rule; the connlimit rules count connections that are open at the same time, so to trigger those you must keep several connections open in parallel (for example by running each nc in the background with something holding its stdin open for a while):
#!/bin/bash
ip="202.1.2.3"
port="80"
for i in {1..100}
do
    # do nothing, just connect and exit
    echo "exit" | nc ${ip} ${port}
done
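Before picking N for the rules above, and to see whether a limiter is actually biting, it helps to count how many connections each client really holds open. The script below is an added example, not from the original article: it summarises `ss -Hnt` output (columns State, Recv-Q, Send-Q, Local:Port, Peer:Port) per client host or per /24 block, optionally for one local port. The SAMPLE_SS lines are constructed, not captured from a real host, and the address split is IPv4 only.

```shell
#!/bin/bash
# Added example, not from the original article: count live TCP connections per
# client host or per /24 block from `ss -Hnt` output, to pick --connlimit-above
# from measured peaks rather than guesses, and to see whether the limiter bites.
# IPv4 only: the address:port split below does not handle bracketed IPv6 peers.
# SAMPLE_SS is constructed, not captured from a real host.
SAMPLE_SS='ESTAB 0 0 203.0.113.5:80 198.51.100.7:51234
ESTAB 0 0 203.0.113.5:80 198.51.100.7:51235
ESTAB 0 0 203.0.113.5:80 198.51.100.9:40001
ESTAB 0 0 203.0.113.5:443 192.0.2.20:33000
SYN-RECV 0 0 203.0.113.5:80 192.0.2.21:33001
ESTAB 0 0 203.0.113.5:80 198.51.100.7:51236'

# Usage: conn_counts PREFIXLEN [PORT] < ss-output
# Prints "count address" lines, highest first; PREFIXLEN 24 groups peers by /24,
# anything else counts per host. PORT restricts to one local service port.
conn_counts() {
    awk -v prefix="$1" -v port="${2:-}" '
        $1 != "ESTAB" { next }                  # skip half-open and closing sockets
        {
            split($4, loc, ":"); split($5, peer, ":")
            if (port != "" && loc[2] != port) next
            ip = peer[1]
            if (prefix == 24) {
                split(ip, o, ".")
                ip = o[1] "." o[2] "." o[3] ".0/24"
            }
            n[ip]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Highest per-source count: the number to compare against --connlimit-above.
peak_count() {
    conn_counts "$@" | head -n1 | cut -d" " -f1
}

# Live use:  ss -Hnt | conn_counts 32 80
# Demo on the constructed sample:  sh baseline.sh demo
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_SS" | conn_counts 24 80
fi
```

Sample the peak a few times during busy hours and set --connlimit-above comfortably above it; if a limiter is already in place, a client stuck exactly at N open connections is a sign it is being clamped.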
References:
- Lighttpd Traffic Shaping: Throttle Connections Per Single IP (Rate Limit)
- man page - iptables
Comments (29):
Useful, as always ;)
Great tips.
Thanks to you.
It's good, but some DDoS attacks can bypass this rule, or it's very fast to be rejected or ignored.
Can you give me your opinion on this statement???
Don't forget to change “IPT=/sbin/iptales” to “IPT=/sbin/iptables” ^_^
in this topic and in
http://www.cyberciti.biz/tips/lighttpd-set-throughput-connections-per-ip.html
Thanks to you.
XxRa3eDxX
What about this?
[vpsxxx:~$]# /sbin/iptables -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
iptables v1.4.2: no command specified
Try `iptables -h' or 'iptables --help' for more information.
I'm running Debian Lenny.
regards
iga
Hi,
It is giving an error while executing iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
error: "iptables: Unknown error 4294967295"
@iga / gajendra: It was a typo on my part (I forgot to add -A INPUT to those rules). The FAQ has been updated. Let me know if you have any more problems.
Nice indeed.
My problem is while executing the command below:
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
It is giving the error "iptables: Unknown error 4294967295"
Please help me solve this.
@gajendra,
This error means either you are using an outdated version of iptables or it is not compiled. Another possibility is VPS software which may not support this feature. Are you using a direct server or some sort of VPS?
@gajendra,
Replace the character before the syn, dport and connlimit parameters with a double hyphen (i.e. --).
Thank you for this article. Found it useful.
Which Linux did you use? It doesn't work on CentOS :(
Hello,
this site is a great website for Linux config!!
I need to limit users to 8 connections for download and only 1 file download at a time.
Please help me limit users.
Thank you
Quite important if you want to use this option and are getting an error:
http://www.mail-archive.com/debian-firewall@lists.debian.org/msg08695.html
Hi,
I configured connlimit for port 80 for testing purposes and then tried to open more connections than the set limit, but the rule is not working.
Rocky
Hi guys,
Do you think it's normal to have more than 162 connections per IP?
Hi,
I used the last script to test my server, but for some reason the iptables rules won't work; I can still connect more than 20 times in 60 seconds.
I am using CSF... is there any conflict then?
Thanks
Oliver
In order to use this I would need to establish a baseline for how many concurrent connections I need to allow. If I am a large social networking site, for example, I can’t limit concurrent connections to three if I have multiple, possibly hundreds or thousands of users, on a segment, like a dorm, all resolving to a single, or a few IP addresses. How do I measure/audit that?
@Dave
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
This will give it in the format
$NumberOfConnectionsLastMinute $IP
Hi,
Very nice guide, it solved a lot of my questions, but I have a new one.
In the case that I want to limit the LAN's computers to my server, what do I do?
Example:
In a class C, computers 1 and 2 are limited to only 3 connections to a specific port of my server, not the public IP of those computers. Could I block it?
Thanks
What's missing/wrong when I get
ip-10-234-185-98:~# /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
iptables: No chain/target/match by that name
Can we make zero connlimit in iptables? What will happen if I make it zero?
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 0 -j REJECT --reject-with tcp-reset
Ask, Mr..
Where is the script for limiting per IP address?
And where is the IP address limited?
Please reply, Mr..
Hi, can you help me set the chain rule for iptables (Linux Red Hat)? The requirement is that I want to restrict the client (per client)
connection limit to the destination IP.
The request to the server is that the PDU rate (connections per IP) shall be per PI. The existing iptables needs to be enhanced to make
it per source IP of the client.
Hi, I have a question: how to set a chain rule in iptables (Linux Red Hat)? Requirement is -->
there is a client and a server; if one client requests the server then the PDU rate (connections per IP) shall be maintained. My
existing iptables had some rules, like it has connlimit, but it needs to be enhanced to make it per source IP of the client IP
iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
I have this rule on my firewall
iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
A few days ago it was working fine, but I don't know what I am doing wrong; now the time frame of this rule resets with the last request even if it was rejected. Just because of it, no requests come into the system; only the first 3 requests come in, and if I wait for one minute then again I am able to send new requests in 60 seconds.
:~# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 4 -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name.
Debian Squeeze
Good writeup.
Could you please shed some light on more internals?
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
is for all the IPs.
What should I do if it is for a specific source IP?
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 8 -j REJECT
iptables: Unknown error 18446744073709551615
I am getting the above error. I am running this on an AWS EC2 machine; I need to limit the number of concurrent SSH connections.
Please help me
Please let me know, how can I exclude an IP from that rule?
Wonderful tutorials!