Iptables Limits Connections Per IP

February 7, 2010 · 34 comments · Last updated February 9, 2010


How do I restrict the number of connections a single IP address can open to my server on ports 80 and 25 using iptables?

You need to use the connlimit module, which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).

This is useful to protect your server or VPS box against flooding, spamming or content scraping.

Syntax

The syntax is as follows:

/sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page); the following command is specific to Red Hat and friends
service iptables save

Example: Limit SSH Connections Per IP / Host

Only allow 3 SSH connections per client host:

/sbin/iptables  -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# save the changes (see the iptables-save man page); the following command is specific to Red Hat and friends
service iptables save

Example: Limit HTTP Connections Per IP / Host

Only allow 20 HTTP connections per IP (MaxClients is set to 60 in httpd.conf):

WARNING! Please note that large proxy servers may legitimately create a large number of connections to your server. You can exempt those IPs using the ! (negation) syntax, as shown below.

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page); the following command is specific to Red Hat and friends
service iptables save

Exempt the proxy server IP 1.2.3.4 (the connecting source address) from this kind of limitation:

/sbin/iptables -A INPUT -p tcp --syn --dport 80 ! -s 1.2.3.4 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

Example: Class C Limitations

In this example, limit the parallel HTTP connections to 20 per class C sized network (24-bit netmask):

/sbin/iptables  -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page); the following command is specific to Red Hat and friends
service iptables save

Example: Limit Connections Per Second

The following example will drop incoming connections if an IP makes more than 10 connection attempts to port 80 within 100 seconds (add these rules to your iptables shell script):

#!/bin/bash
IPT=/sbin/iptables
# Time window in seconds (do not name this SECONDS: that is a bash
# built-in counter that keeps ticking after you assign to it)
WINDOW=100
# Max new connections per source IP within the window
BLOCKCOUNT=10
# ....
# ..
# default action can be DROP or REJECT
DACTION="DROP"
# record the source IP of every new connection to port 80 in the "recent" list
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# match once the same IP has reached BLOCKCOUNT hits within WINDOW seconds and apply DACTION
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}
# ....
# ..

How Do I Test That My Firewall Is Working?

Use the following shell script to open 100 short-lived connections to your web server hosted at 202.1.2.3:

#!/bin/bash
ip="202.1.2.3"
port="80"
for i in {1..100}
do
  # do nothing just connect and exit
  echo "exit" | nc ${ip} ${port};
done
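To pick a sensible value for --connlimit-above, and to verify afterwards that no client exceeds it, the following script (an added example, not part of the original article) counts established connections per peer IP on one local port from the output of `ss -Htn state established`; it assumes the last two fields of each line are the local and peer addr:port, and the sample lines embedded in it are constructed.

```shell
#!/bin/bash
# Added example (not from the original article): measure how many established
# TCP connections each client IP holds on one local port. Run it before
# choosing N for --connlimit-above (so legitimate proxies or NAT gateways are
# not cut off) and again afterwards to confirm no peer exceeds the limit.
# Input: lines from `ss -Htn state established` (constructed sample below);
# the last two fields are assumed to be local addr:port and peer addr:port.

# Print "COUNT PEER_IP" lines, busiest peer first, for local port $1.
per_ip_counts() {
  local port="$1"
  awk -v port="$port" '
    NF >= 2 {
      local_addr = $(NF - 1); peer = $NF
      # the port is the text after the last colon; works for 10.0.0.1:80 and [::1]:80
      n = split(local_addr, l, ":"); lport = l[n]
      if (lport != port) next
      # peer address without its port, IPv6 brackets kept intact
      m = split(peer, p, ":")
      ip = substr(peer, 1, length(peer) - length(p[m]) - 1)
      count[ip]++
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Print only peers holding more than $2 connections to port $1, i.e. the
# clients a "--connlimit-above $2" rule on that port would be rejecting.
over_limit() {
  local port="$1" limit="$2"
  per_ip_counts "$port" | awk -v lim="$limit" '$1 > lim'
}

# Constructed sample in ss output format (documentation addresses, no real
# hosts): one client holds three connections to port 80; port 22 is ignored.
SAMPLE='0 0 203.0.113.10:80 198.51.100.7:51000
0 0 203.0.113.10:80 198.51.100.7:51001
0 0 203.0.113.10:80 198.51.100.7:51002
0 0 203.0.113.10:22 198.51.100.7:51003
0 0 203.0.113.10:80 192.0.2.44:40000
0 0 [2001:db8::1]:80 [2001:db8::99]:33333
0 0 [2001:db8::1]:80 [2001:db8::99]:33334'

# Live use on a server: ss -Htn state established | over_limit 80 20
printf '%s\n' "$SAMPLE" | over_limit 80 2
```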

1 Meska February 8, 2010 at 11:35 am

Useful, as always ;)
Great tips.

2 XxRa3eDxX February 8, 2010 at 1:29 pm

thnx For You

it's good, but some DDoS attacks can bypass this rule, or it's very fast to be rejected or ignored

Can you give me your opinion on this statement???

Don't forget to change "IPT=/sbin/iptales" to "IPT=/sbin/iptables" ^_^

in this topic and in
http://www.cyberciti.biz/tips/lighttpd-set-throughput-connections-per-ip.html

thnx For You
XxRa3eDxX

3 iga February 8, 2010 at 1:37 pm

What about this?
[vpsxxx:~$]# /sbin/iptables -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
iptables v1.4.2: no command specified
Try `iptables -h' or 'iptables --help' for more information.

I'm running Debian lenny.

regards
iga

4 gajendra February 8, 2010 at 1:59 pm

Hi,

It is giving an error while executing iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT

error: "iptables: Unknown error 4294967295"

5 nixCraft February 8, 2010 at 2:27 pm

@ iga / gajendra: It was a typo on my part (I forgot to add -A INPUT) in those rules. The FAQ has been updated. Let me know if you've any more problems.

6 luc15 February 8, 2010 at 2:29 pm

Nice indeed.

7 gajendra February 8, 2010 at 4:18 pm

My problem is while executing the below command
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
It is giving the error "iptables: Unknown error 4294967295"

Please help me to solve this..

8 nixCraft February 8, 2010 at 4:37 pm

@gajendra,

This error means either you are using an outdated version of iptables or it is not compiled in. Another possibility is VPS software which may not support this feature. Are you using a direct server or some sort of VPS?

9 Ganesan AS February 8, 2010 at 8:50 pm

@gajendra,

Replace the character before the syn, dport and connlimit parameters with a double hyphen (i.e. --).

10 vermin February 8, 2010 at 11:42 pm

Thank you for this article. Found it useful.

11 gandhi June 1, 2010 at 4:42 pm

Which Linux did you use? It doesn't work on CentOS :(

12 jimmy December 12, 2010 at 8:35 pm

hello
This site is a great website for Linux config!!
I need to limit connection users to 8 for download and only 1 file download at a time
please help for limiting users
thank you

13 VeselaHouba February 2, 2011 at 12:09 pm

Quite important if you want to use this option and are getting an error:
http://www.mail-archive.com/debian-firewall@lists.debian.org/msg08695.html

14 rocky March 7, 2011 at 1:18 pm

Hi,

I configured connlimit for port 80 for testing purposes, and then I tried to open more connections than the set limit, but the rule is not working.

Rocky

15 maxtox April 23, 2011 at 1:58 pm

Hi guys,

Do you think it's normal to have more than 162 connections per IP?

16 Oliver May 11, 2011 at 5:21 pm

Hi,

I used the last script to test my server, but for some reason the iptables rules won't work; I can still connect more than 20 times in 60 seconds.

I am using CSF... is there any conflict then?

Thanks
Oliver

17 Dave October 2, 2011 at 1:38 pm

In order to use this I would need to establish a baseline for how many concurrent connections I need to allow. If I am a large social networking site, for example, I can’t limit concurrent connections to three if I have multiple, possibly hundreds or thousands of users, on a segment, like a dorm, all resolving to a single, or a few IP addresses. How do I measure/audit that?

18 Josh December 4, 2011 at 9:36 am

@Dave
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

This will give it in a format

$NumberOfConnectionsLastMinute $IP

19 Christian January 6, 2012 at 3:54 pm

Hi,

Very nice guide, it solved a lot of my questions, but I have a new one.

In the case that I want to limit a LAN's computers to my server, what do I do?

Example:
In a class C, computers 1 and 2 limited to only 3 connections to a specific port of my server, not the public IP of those computers. Could I block it?

Thanks

20 alibert January 28, 2012 at 10:27 am

What's missing/wrong when I get

ip-10-234-185-98:~# /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
iptables: No chain/target/match by that name

21 Manjeet May 9, 2012 at 9:11 am

Can we set connlimit to zero in iptables? What will happen if I make it zero?
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 0 -j REJECT --reject-with tcp-reset

22 amin September 7, 2012 at 7:34 am

ask mr..

Where is the script for limiting per IP address?
And where is the IP address limited?

please reply mr..

23 manjeet September 7, 2012 at 1:49 pm

Hi, can you help me to set the chain rule for iptables (Linux Red Hat)? The requirement is that I want to restrict the client (per client) connection limit to the destination IP.

The request to the server is that the PDU rate (connections per IP) shall be per IP. The existing iptables rules need to be enhanced to make it per source IP of the client.

Hi, I have a question on how to set a chain rule in iptables (Linux Red Hat). The requirement is: there is a client and a server; if one client makes a request to the server then the PDU rate (connections per IP) shall be maintained per IP. My existing iptables had some rules like connlimit but they need to be enhanced to make it per source IP of the client.

iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset

24 manjeet September 26, 2012 at 5:37 pm

I have this rule on my firewall:
iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
A few days ago it was working fine but idk what I am doing wrong; now the time frame of this rule resets with the last request even if it was rejected. Just because of it no request comes into the system, only the first 3 requests come in, and if I wait for one minute then again I am able to send new requests in 60 seconds.

25 Carl Hjerpe October 21, 2012 at 6:08 pm

:~# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 4 -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name.

Debian Squeeze

26 nicolethomson November 10, 2012 at 4:18 am

Good writeup.

Could you please light up some more internals?

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

is for all the IPs.

What should I do if it is for a specific source IP?

27 manojkumar November 25, 2012 at 12:34 pm

/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 8 -j REJECT
iptables: Unknown error 18446744073709551615

I am getting the above error; I am running this on an AWS EC2 machine. I need to limit the number of concurrent SSH connections.

Please help me

28 detski sait January 21, 2013 at 7:55 am

Please, let me know, How can I exclude IP from that rule?

29 liunx March 6, 2013 at 8:55 am

wonderful tutorials!

30 Heshan June 18, 2013 at 9:27 pm

I want to limit traffic from a specific IP address. As an example, only serve requests from IP address xxx.xxx.xxx.56 at 10 requests per second. Can I do it with iptables? If so, how?

31 Not necessary August 20, 2013 at 4:12 pm

How can I donate? I've been looking for this since forever. Thank you so much!

32 Alexander September 11, 2013 at 7:19 am

Nice post, it helped me a lot!

One question though: how long does an IP stay blocked by this rule? I used the test script from another location and the rules seem to work very well :-) But when do I have access again?

33 Josiah Ritchie October 3, 2013 at 6:46 pm

To test this stuff out on web servers, I find the easiest thing is to run 'wget -m http://location', which is just wget's mirror command. It pulls down the entire site until the rules stop responding.

34 Edward Fernando May 6, 2014 at 6:42 am

Hi guys, I wanna know:
I want to limit TCP connections via a router, so I used the FORWARD chain. Can iptables limit TCP connections on port 80 to a max of 40 connections in 1 minute (60 seconds)? If it can happen, how can I monitor the traffic to check that the rule works? thx :)

NB:
this is the rule I wanna use:

iptables -A FORWARD -p tcp --dport 80 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 40 -j REJECT --reject-with tcp-reset
