
Iptables Limits Connections Per IP

How do I restrict the number of connections used by a single IP address to my server for port 80 and 25 using iptables?

You need to use the connlimit module, which lets you restrict the number of parallel TCP connections to a server per client IP address (or, with --connlimit-mask, per address block). It counts how many connections from that source are currently open according to the kernel's connection tracking and matches once that number is above N. Because the rules below match only SYN packets (--syn), only new connection attempts are refused; connections that are already established are left alone.

This is useful to protect your server or VPS against flooding, spamming or content scraping from a single source. It is not a defence against distributed attacks: many sources each staying below N are never matched.

Syntax

The syntax is as follows:

/sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page); the following command is specific to Red Hat and derivatives
service iptables save

Example: Limit SSH Connections Per IP / Host

Only allow 3 SSH connections per client host (a plain REJECT answers with an ICMP port-unreachable; add --reject-with tcp-reset if you prefer a TCP reset as in the other examples):

/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# save the changes (see the iptables-save man page); the following command is specific to Red Hat and derivatives
service iptables save

Example: Limit HTTP Connections Per IP / Host

Only allow 20 HTTP connections per IP (MaxClients is set to 60 in httpd.conf):

WARNING! Large proxy servers, and NAT gateways that put many users behind one public address, may legitimately hold a large number of connections to your server. Measure your real traffic before picking a limit, and exempt such addresses with the ! negation syntax shown in the next example.

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page); the following command is specific to Red Hat and derivatives
service iptables save

Exempt the proxy server 1.2.3.4 from this limit. The proxy is the source of the connections, so negate the source match (! -s); matching on the destination (-d) would test your own server's address instead. Current iptables also rejects the older "-s ! addr" spelling with "Bad argument", so the ! goes before the option:

/sbin/iptables -A INPUT -p tcp --syn --dport 80 ! -s 1.2.3.4 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
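When more than one proxy or monitoring host has to be exempted, a single ! -s no longer fits. The script below is an added example, not from the original article: it moves the limit into its own chain, RETURNs trusted sources before the connlimit rule is evaluated, and jumps only new port-80 SYNs into that chain. The chain name HTTP_CONNLIMIT and the exempt addresses 1.2.3.4 and 198.51.100.0/24 are assumptions. By default it only prints the rules (IPT is "echo /sbin/iptables"); set IPT=/sbin/iptables and run it as root to apply them.

```shell
#!/bin/bash
# Added example, not from the original article. Put the HTTP connlimit rule in its own
# chain so that any number of trusted sources (big proxies, monitoring hosts) can be
# exempted with RETURN before the limit is evaluated. Chain name and addresses are assumed.
#
# Dry run by default: IPT expands to "echo /sbin/iptables", so the rules are only printed.
# Run with IPT=/sbin/iptables (as root) to apply them for real.
IPT="${IPT:-echo /sbin/iptables}"
CHAIN="HTTP_CONNLIMIT"
LIMIT=20
EXEMPT_SOURCES="1.2.3.4 198.51.100.0/24"   # assumed proxy host and monitoring network

build_http_connlimit() {
    # Start from a clean chain: drop the old jump, then flush and delete any previous copy.
    $IPT -D INPUT -p tcp --syn --dport 80 -j "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN" 2>/dev/null
    $IPT -X "$CHAIN" 2>/dev/null
    $IPT -N "$CHAIN"
    # Trusted sources leave the chain via RETURN and are never counted against the limit.
    for src in $EXEMPT_SOURCES; do
        $IPT -A "$CHAIN" -s "$src" -j RETURN
    done
    # Everyone else: reset the SYN once the source already holds LIMIT open connections.
    $IPT -A "$CHAIN" -m connlimit --connlimit-above "$LIMIT" --connlimit-mask 32 -j REJECT --reject-with tcp-reset
    # Only new connection attempts to port 80 are sent through the chain.
    $IPT -A INPUT -p tcp --syn --dport 80 -j "$CHAIN"
}

build_http_connlimit
```

The order inside the chain matters: the RETURN rules must precede the connlimit rule, otherwise a busy proxy is counted before it is exempted. Adding a proxy later is one more -s ... -j RETURN inserted at the top of HTTP_CONNLIMIT rather than a rewrite of the INPUT rule.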

Example: Class C Limitations

In this example, limit the parallel HTTP connections to 20 per class C sized network (24-bit netmask). --connlimit-mask groups source addresses by prefix length, so the 20 connections are shared by every host in the same /24:

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page); the following command is specific to Red Hat and derivatives
service iptables save
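Whether you limit per IP or per /24, N has to be chosen from what legitimate clients actually do, or the rule will cut off a busy proxy or a dorm behind one NAT address. The script below is an added example, not part of the original article: it reads a netstat -nt or ss -nt snapshot, counts established connections to a given port per peer IP or per /24 (the same grouping --connlimit-mask 24 applies), and reports the busiest client, which is the floor for --connlimit-above. The snapshot embedded in it is constructed, not real traffic; the function handles IPv4 peers only.

```shell
#!/bin/bash
# Added example, not part of the original article: measure how many concurrent connections
# each client IP, and each /24, really holds before choosing --connlimit-above N and
# --connlimit-mask. Reads "netstat -nt" or "ss -nt" output (peer address in column 5).
# IPv4 only; the sample snapshot below is constructed, not real traffic.

# count_peers PORT [MASK]: print "count address" for ESTABLISHED connections to local PORT,
# grouped per peer IP (MASK 32, the default) or per /24 (MASK 24), busiest first.
count_peers() {
    port="$1"; mask="${2:-32}"
    awk -v port="$port" -v mask="$mask" '
        /ESTAB/ {
            # column 4 is local addr:port, column 5 is peer addr:port (netstat and ss agree)
            nl = split($4, l, ":"); split($5, p, ":")
            if (l[nl] != port) next
            ip = p[1]
            # collapse to the /24 prefix, the grouping --connlimit-mask 24 would apply
            if (mask == 24) { split(ip, o, "."); ip = o[1] "." o[2] "." o[3] ".0/24" }
            n[ip]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# peak_count PORT [MASK]: the busiest client's count. --connlimit-above must be at least
# this high, or the rule would have hit a legitimate client in this snapshot.
peak_count() {
    count_peers "$@" | head -n 1 | awk '{print $1}'
}

# Constructed sample in "netstat -nt" format: three hosts in 198.51.100.0/24 and one in
# 203.0.113.0/24 talking to the web server 192.0.2.10, plus one SSH session.
SAMPLE='tcp 0 0 192.0.2.10:80 198.51.100.7:51234 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:51235 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:51236 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.8:40001 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.8:40002 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.9:40003 ESTABLISHED
tcp 0 0 192.0.2.10:80 203.0.113.5:60000 ESTABLISHED
tcp 0 0 192.0.2.10:22 198.51.100.7:52000 ESTABLISHED'

echo "port 80, per IP (choose --connlimit-above >= $(printf '%s\n' "$SAMPLE" | peak_count 80)):"
printf '%s\n' "$SAMPLE" | count_peers 80
echo "port 80, per /24 (choose --connlimit-above >= $(printf '%s\n' "$SAMPLE" | peak_count 80 24) with --connlimit-mask 24):"
printf '%s\n' "$SAMPLE" | count_peers 80 24
# On a live server:  netstat -nt | count_peers 80      or      ss -nt | count_peers 80 24
```

Take several snapshots at peak hours rather than one: connlimit compares against the instantaneous count, so the value to beat is the highest legitimate concurrency you ever observe, with headroom above it.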

Example: Limit New Connections Per Time Window

The following example uses the recent match instead of connlimit: it drops the 10th new connection attempt an IP makes to port 80 within 100 seconds, and every later attempt while that client keeps retrying (add the rules to your iptables shell script). Note that the --set rule comes first and stamps every new SYN, so attempts that are then dropped still refresh the entry: a blocked client stays blocked until it has been quiet for the full window, which is why a client that keeps hammering never seems to get back in. The entries live in /proc/net/xt_recent/DEFAULT (the list name defaults to DEFAULT when --name is not given); "echo / > /proc/net/xt_recent/DEFAULT" flushes the list. On older kernels --hitcount cannot exceed the xt_recent module parameter ip_pkt_list_tot (default 20).

#!/bin/bash
IPT=/sbin/iptables
# Length of the time window in seconds (do not call this SECONDS: bash reserves
# that name for a counter that keeps ticking after you assign to it)
WINDOW=100
# Number of new connection attempts per IP allowed within the window
BLOCKCOUNT=10
# ....
# ..
# default action can be DROP or REJECT
DACTION="DROP"
# record every new connection attempt to port 80 in the recent list
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# drop it when this source already has BLOCKCOUNT attempts within the last WINDOW seconds
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}
# ....
# ..

How Do I Test That My Firewall Is Working?

connlimit counts connections that are open at the same time, so a test has to hold its connections open: a loop that connects and exits one connection at a time never exceeds a limit of 3 or 20 and only exercises the recent (per-time-window) rule above. The following shell script opens 100 connections to your web server hosted at 202.1.2.3 in the background and keeps each one open for 30 seconds; on the server, watch the REJECT rule's packet counter climb with "watch -n1 iptables -nvL INPUT":

#!/bin/bash
ip="202.1.2.3"
port="80"
for i in {1..100}
do
  # hold each connection open for 30 seconds: sleep keeps nc's stdin open,
  # and the subshell is backgrounded so the connections overlap
  ( sleep 30 | nc ${ip} ${port} ) &
done
# wait for all connections to close before exiting
wait
 

35 comments

  • Meska February 8, 2010, 11:35 am

    Useful, as always ;)
    Great tips.

  • XxRa3eDxX February 8, 2010, 1:29 pm

    Thanks to you.

    It's good, but some DDoS attacks can bypass this rule, or it's very fast to be rejected or ignored.

    Can you give me your opinion on this statement?

    Don't forget to change "IPT=/sbin/iptales" to "IPT=/sbin/iptables" ^_^

    in this topic and in
    http://www.cyberciti.biz/tips/lighttpd-set-throughput-connections-per-ip.html

    Thanks to you,
    XxRa3eDxX

  • iga February 8, 2010, 1:37 pm

    What about this?
    [vpsxxx:~$]# /sbin/iptables -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
    iptables v1.4.2: no command specified
    Try `iptables -h' or 'iptables --help' for more information.

    I'm running Debian Lenny.

    regards
    iga

  • gajendra February 8, 2010, 1:59 pm

    Hi,

    It is giving an error while executing iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT

    error: "iptables: Unknown error 4294967295"

  • nixCraft February 8, 2010, 2:27 pm

    @ iga / gajendra: It was a typo on my part (I forgot to add -A INPUT) to those rules. The faq has been updated. Let me know if you’ve any more problems.

  • luc15 February 8, 2010, 2:29 pm

    Nice indeed.

  • gajendra February 8, 2010, 4:18 pm

    My problem is while executing the below command
    iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
    It is giving the error "iptables: Unknown error 4294967295"

    Please help me to solve this..

  • nixCraft February 8, 2010, 4:37 pm

    @gajendra,

    This error means either you are using an outdated version of iptables or the module is not compiled in. Another possibility is VPS software which may not support this feature. Are you using a direct server or some sort of VPS?

  • Ganesan AS February 8, 2010, 8:50 pm

    @gajendra,

    Replace the character before the syn, dport and connlimit parameters with a double hyphen (i.e. --).

  • vermin February 8, 2010, 11:42 pm

    Thank you for this article. Found it useful.

  • gandhi June 1, 2010, 4:42 pm

    Which Linux did you use? It doesn't work on CentOS :(

  • jimmy December 12, 2010, 8:35 pm

    hello
    this site is a great website for Linux config!!
    I need to limit users' connections to 8 for download, and only 1 file download at a time
    please help with limiting users
    thank you

  • VeselaHouba February 2, 2011, 12:09 pm

    Quite important if you want to use this option and are getting an error:
    http://www.mail-archive.com/debian-firewall@lists.debian.org/msg08695.html

  • rocky March 7, 2011, 1:18 pm

    Hi,

    I configured connlimit for port 80 for testing purposes, and then I tried to open more connections than the set limit, but the rule is not working.

    Rocky

  • maxtox April 23, 2011, 1:58 pm

    Hi guys,

    Do you think it's normal to have more than 162 connections per IP?

  • Oliver May 11, 2011, 5:21 pm

    Hi,

    I used the last script to test my server, but for some reason the iptables rules won't work; I can still connect more than 20 times in 60 seconds.

    I am using CSF... is there any conflict then?

    Thanks
    Oliver

  • Dave October 2, 2011, 1:38 pm

    In order to use this I would need to establish a baseline for how many concurrent connections I need to allow. If I am a large social networking site, for example, I can’t limit concurrent connections to three if I have multiple, possibly hundreds or thousands of users, on a segment, like a dorm, all resolving to a single, or a few IP addresses. How do I measure/audit that?

  • Josh December 4, 2011, 9:36 am

    @Dave
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

    This will give it in the format

    $NumberOfConnectionsLastMinute $IP

  • Christian January 6, 2012, 3:54 pm

    Hi,

    Very nice guide, it solved a lot of my questions, but I have a new one.

    In the case that I want to limit LAN computers connecting to my server, what do I do?

    Example:
    In a class C, computers 1 and 2 are limited to only 3 connections to a specific port of my server, not the public IP of those computers. Could I block it?

    Thanks

  • alibert January 28, 2012, 10:27 am

    What's missing/wrong when I get

    ip-10-234-185-98:~# /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
    iptables: No chain/target/match by that name

  • Manjeet May 9, 2012, 9:11 am

    Can we make connlimit zero in iptables? What will happen if I make it zero?
    -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 0 -j REJECT --reject-with tcp-reset

  • amin September 7, 2012, 7:34 am

    A question, sir..

    Where is the script for limiting per IP address?
    And where is the IP address limited?

    Please reply, sir..

  • manjeet September 7, 2012, 1:49 pm

    Hi, can you help me to set the chain rule for iptables (Linux Red Hat)? The requirement is that I want to restrict each client's connection limit to the destination IP.

    The request to the server is that the PDU rate (connections per IP) shall be per IP. The existing iptables rules need to be enhanced to make it per source IP of the client.

    Hi, I have a question: how to set a chain rule in iptables (Linux Red Hat)? The requirement is:
    there is a client and a server; if one client sends requests to the server then the PDU rate (connections per IP) shall be maintained. My existing iptables has some rules like connlimit, but it needs to be enhanced to make it per source IP of the client.

    iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
    iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset

  • manjeet September 26, 2012, 5:37 pm

    I have this rule on my firewall
    iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
    iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
    A few days ago it was working fine, but I don't know what I am doing wrong: now the time frame of this rule resets with the last request even if it was rejected. Because of it no request comes into the system; only the first 3 requests come in, and if I wait for one minute then I am again able to send new requests within 60 seconds.

  • Carl Hjerpe October 21, 2012, 6:08 pm

    :~# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 4 -j REJECT --reject-with tcp-reset
    iptables: No chain/target/match by that name.

    Debian Squeeze

  • nicolethomson November 10, 2012, 4:18 am

    good writeup.

    Could you please light up some more internals?

    /sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

    is for all the IPs,

    What should I do if it is for a specific source IP?

  • manojkumar November 25, 2012, 12:34 pm

    /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 8 -j REJECT
    iptables: Unknown error 18446744073709551615

    I am getting the above error; I am running this on an AWS EC2 machine. I need to limit the number of concurrent SSH connections.

    Please help me

  • detski sait January 21, 2013, 7:55 am

    Please, let me know, How can I exclude IP from that rule?

  • liunx March 6, 2013, 8:55 am

    wonderful tutorials!

  • Heshan June 18, 2013, 9:27 pm

    I want to limit traffic from a specific IP address. As an example, only serve requests from IP address xxx.xxx.xxx.56 at 10 requests per second. Can I do it with iptables? If so, how?

  • Not necessary August 20, 2013, 4:12 pm

    How can i donate? I’ve been looking for this since forever. Thank you so much!

  • Alexander September 11, 2013, 7:19 am

    Nice post, it helped me a lot !

    One question though: how long does an IP stay blocked by this rule? I used the test script from another location and the rules seem to work very well :-) But when do I have access again?

  • Josiah Ritchie October 3, 2013, 6:46 pm

    To test this stuff out on web servers, I find the easiest thing is to run 'wget -m http://location', which is just wget's mirror command. It pulls down the entire site until the rules stop responding.

  • Edward Fernando May 6, 2014, 6:42 am

    Hi guys.. I want to know:
    I want to limit TCP connections via a router, so I used the FORWARD chain. Can iptables limit TCP connections to port 80 to a maximum of 40 connections in 1 minute (60 seconds)? If so, how can I monitor the traffic to see that the rule works? thx :)

    NB:
    this is the rule I want to use:

    iptables -A FORWARD -p tcp --dport 80 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
    iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 40 -j REJECT --reject-with tcp-reset
    
  • Upendra October 3, 2014, 6:03 pm

    When I am trying to skip an IP (our public IP) I am getting the error
    Bad argument `1.2.3.4'
    I am using the same command as given above
    /sbin/iptables -A INPUT -p tcp --syn --dport 80 -d ! 1.2.3.4 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
    Please suggest.
