Iptables Limits Connections Per IP

Last updated February 9, 2010

How do I restrict the number of connections used by a single IP address to my server for port 80 and 25 using iptables?

You need to use the connlimit module, which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).

This is useful to protect your server or VPS box against flooding, spamming or content scraping.

Syntax

The syntax is as follows:

/sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset
# save the changes: see the iptables-save man page; the following command is specific to Red Hat and friends
service iptables save

Example: Limit SSH Connections Per IP / Host

Only allow 3 SSH connections per client host:

/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# save the changes: see the iptables-save man page; the following command is specific to Red Hat and friends
service iptables save

Example: Limit HTTP Connections Per IP / Host

Only allow 20 HTTP connections per IP (MaxClients is set to 60 in httpd.conf):

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
# save the changes: see the iptables-save man page; the following command is specific to Red Hat and friends
service iptables save

WARNING! Please note that large proxy servers may legitimately create a large number of connections to your server. You can skip those IPs using the ! (negation) syntax, as shown next.

Skip proxy server IP 1.2.3.4 from this kind of limitation. The proxy is the source of the connections, so the exemption must negate the source address (-s), and current iptables releases expect the ! in front of the option:

/sbin/iptables -A INPUT -p tcp --syn --dport 80 ! -s 1.2.3.4 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

Example: Class C Limitations

In this example, limit the parallel HTTP connections to 20 per class C sized network (24 bit netmask):

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
# save the changes: see the iptables-save man page
service iptables save

Example: Limit Connections Per Second

The following example will drop incoming connections if an IP makes more than 10 connection attempts to port 80 within 100 seconds (add these rules to your iptables shell script):

#!/bin/bash
IPT=/sbin/iptables
# Time window in seconds (not named SECONDS: bash reserves that variable as a running timer)
SECS=100
# Max new connections per IP within the window
BLOCKCOUNT=10
# ....
# ..
# default action can be DROP or REJECT
DACTION="DROP"
# record the source of every new connection to port 80 in the "recent" list
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# apply DACTION once the source has made BLOCKCOUNT attempts within SECS seconds
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${SECS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
# ....
# ..
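Taken together, the connlimit examples above and the recent-based rate limit form one policy. The following script is an added example, not code from the original post or from nixCraft: it builds that policy as re-runnable shell functions and, instead of a single `! -s` negation, gives each port its own chain so that any number of trusted proxy addresses can be exempted with RETURN rules before the limit is evaluated. It assumes iptables with the connlimit and recent match extensions, root privileges, and the page's placeholder proxy address 1.2.3.4; the `has_match` check is an assumed helper that uses `iptables -m <match> --help` to detect a build without the extension, which is the condition behind the "No chain/target/match by that name" error. `DRYRUN=1 sh limits.sh apply` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the original post): the per-IP limits described
# above as re-runnable shell functions. Assumptions: iptables with the
# connlimit and recent match extensions, run as root; 1.2.3.4 is the page's
# placeholder proxy address. DRYRUN=1 prints the rules instead of loading them.
IPT="${IPT:-/sbin/iptables}"

# Execute one iptables command, or print it under DRYRUN.
run() {
  if [ -n "$DRYRUN" ]; then
    echo "$IPT $*"
  else
    "$IPT" "$@"
  fi
}

# True when the named match extension can be loaded. When it cannot,
# iptables reports "No chain/target/match by that name" for rules using it.
has_match() {
  "$IPT" -m "$1" --help >/dev/null 2>&1
}

# Usage: setup_connlimit PORT LIMIT MASK [EXEMPT_SOURCE ...]
# One chain per port: trusted sources (e.g. a large proxy) RETURN before the
# limit is checked; a new SYN from a source already holding more than LIMIT
# connections gets a TCP reset. MASK 32 counts per host, 24 per /24 block.
setup_connlimit() {
  port=$1; limit=$2; mask=$3; shift 3
  chain="CONNLIMIT_$port"
  run -N "$chain"
  run -A INPUT -p tcp --syn --dport "$port" -j "$chain"
  for src in "$@"; do
    run -A "$chain" -s "$src" -j RETURN
  done
  run -A "$chain" -m connlimit --connlimit-above "$limit" --connlimit-mask "$mask" \
      -j REJECT --reject-with tcp-reset
}

# Usage: setup_ratelimit PORT HITS SECONDS
# Drop a source that opens HITS or more new connections to PORT within
# SECONDS. --name keeps one list per port instead of the shared DEFAULT list.
# Because the --set rule records every new connection, a source that keeps
# retrying while blocked stays blocked until it has been quiet for SECONDS.
setup_ratelimit() {
  port=$1; hits=$2; secs=$3
  list="RATE_$port"
  run -A INPUT -p tcp --dport "$port" -m state --state NEW \
      -m recent --name "$list" --set
  run -A INPUT -p tcp --dport "$port" -m state --state NEW \
      -m recent --name "$list" --update --seconds "$secs" --hitcount "$hits" -j DROP
}

# Example policy, loaded only when invoked as: sh limits.sh apply
# 20 parallel HTTP connections per host (proxy 1.2.3.4 exempt), 10 parallel
# SMTP connections per /24, and at most 10 new HTTP connections per IP per
# 100 seconds.
if [ "${1:-}" = "apply" ]; then
  if [ -z "$DRYRUN" ] && ! has_match connlimit; then
    echo "iptables: connlimit match unavailable, upgrade iptables/kernel" >&2
    exit 1
  fi
  setup_connlimit 80 20 32 1.2.3.4
  setup_connlimit 25 10 24
  setup_ratelimit 80 10 100
fi
```

Because the exemptions live in the per-port chain rather than in a negated match, adding a second proxy is one more `-s ... -j RETURN` line and the limit rule itself never changes. On Red Hat and friends, `service iptables save` after `sh limits.sh apply` persists the result exactly as for the page's one-liners.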

How Do I Test That My Firewall Is Working?

Use the following shell script to connect to your web server hosted at 202.1.2.3:

#!/bin/bash
ip="202.1.2.3"
port="80"
for i in {1..100}
do
  # do nothing, just connect and exit
  echo "exit" | nc "${ip}" "${port}"
done
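The loop above closes each connection before opening the next, so it exercises the recent-based rate limit but never holds enough simultaneous connections to trip connlimit, which counts open connections. The following test script is an added example, not from the original post: it opens COUNT connections concurrently, keeps each open for HOLD seconds, and reports how many were accepted versus refused or reset. The host 203.0.113.10 is an assumed placeholder (RFC 5737 test range), and CONNECT is an assumed hook that lets you substitute another connector command for nc.

```shell
#!/bin/sh
# Added example, not part of the original post. Opens COUNT parallel TCP
# connections to HOST:PORT, holds each for HOLD seconds, and counts how
# many the server accepted vs. refused/reset. connlimit counts *open*
# connections, so the probes must overlap in time to trigger it.
HOST="${HOST:-203.0.113.10}"      # assumed placeholder address (RFC 5737)
PORT="${PORT:-80}"
COUNT="${COUNT:-30}"
HOLD="${HOLD:-3}"
CONNECT="${CONNECT:-nc_connect}"  # connector: "cmd host port", exit 0 on success

# Default connector: sleep keeps stdin (and so the TCP session) open for
# HOLD seconds; nc -w 2 exits non-zero when the port refuses or resets.
nc_connect() {
  sleep "$HOLD" | nc -w 2 "$1" "$2" >/dev/null 2>&1
}

# Launch COUNT probes in the background, collect each exit status in a
# temp file, and print "accepted refused".
run_probes() {
  host=$1; port=$2; count=$3
  dir=$(mktemp -d) || return 1
  i=0
  while [ "$i" -lt "$count" ]; do
    ( "$CONNECT" "$host" "$port" && status=0 || status=1
      echo "$status" > "$dir/$i" ) &
    i=$((i + 1))
  done
  wait
  ok=0; bad=0
  for f in "$dir"/*; do
    if [ "$(cat "$f")" -eq 0 ]; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
  done
  rm -rf "$dir"
  echo "$ok $bad"
}

# Usage: COUNT=30 HOLD=3 sh probe.sh run
if [ "${1:-}" = "run" ]; then
  result=$(run_probes "$HOST" "$PORT" "$COUNT")
  echo "accepted: ${result% *}  refused/reset: ${result#* }"
fi
```

With the 20-connection HTTP rule loaded and COUNT=30, the expected report is about 20 accepted and 10 refused; if every probe is accepted, check `iptables -L INPUT -n -v` for the rule's packet counter, and remember that a `--reject-with tcp-reset` shows up as "refused" on the client while a DROP shows up as a timeout.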


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.

36 comments

  1. What about this?
    [vpsxxx:~$]# /sbin/iptables -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
    iptables v1.4.2: no command specified
    Try `iptables -h' or 'iptables --help' for more information.

    I’m running debian lenny.

    regards
    iga

  2. My problem is while executing the below command
    iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
    It is giving the error "iptables: Unknown error 4294967295"

    Please help me to solve this..

  3. @gajendra,

    This error means either you are using an outdated version of iptables or it is not compiled. Another possibility is VPS software which may not support this feature. Are you using a direct server or some sort of VPS?

  4. Hi,

    I used the last script to test my server, but for some reason the iptables rules won't work, I can still connect more than 20 times in 60 seconds.

    I am using CSF .. is there any conflict then?

    Thanks
    Oliver

  5. In order to use this I would need to establish a baseline for how many concurrent connections I need to allow. If I am a large social networking site, for example, I can’t limit concurrent connections to three if I have multiple, possibly hundreds or thousands of users, on a segment, like a dorm, all resolving to a single, or a few IP addresses. How do I measure/audit that?

  6. Hi,

    Very nice guide, it solved a lot of my questions, but i have a new one.

    In the case that I want to limit a LAN's computers to my server, what do I do?

    Example:
    In a C class, computer 1 and 2 limit only 3 connections to a specific port of my server, not the public IP of those computers. Could I block it?

    Thanks

  7. What's missing/wrong when I get

    ip-10-234-185-98:~# /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
    iptables: No chain/target/match by that name

  8. Can we make zero connlimit in iptables? what will happen if I make it zero?
    -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 0 -j REJECT --reject-with tcp-reset

  9. Hi, can you help me to set the chain rule for iptables (Linux Red Hat)? The requirement is I want to restrict the client (per client) connection limit to destination IP.

    Request to server is that PDU rate (connection to per IP) shall be per IP. The existing iptables needs to be enhanced to make it per source IP of client.

    Hi, I have a question how to set chain rule in iptables (Linux Red Hat). Requirement is -->
    there is a client and server; if one client requests to server then PDU rate (connection to per IP) shall be maintained. My existing iptables had some rules like it has connlimit but it needs to be enhanced to make it per source IP of client IP

    iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
    iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset

  10. I have this rule on my firewall
    iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
    iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
    A few days ago it was working fine but idk what I am doing wrong, but now the time frame of this rule resets with the last request even if it was rejected; just because of it no request comes into the system, only the first 3 requests come in, and if I wait for one min then again I am able to send new requests in 60 seconds

  11. :~# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 4 -j REJECT --reject-with tcp-reset
    iptables: No chain/target/match by that name.

    Debian Squeeze

  12. good writeup.

    Could you please light up some more internals?

    /sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

    is for all the IPs,

    What should I do if it is for a specific source IP?

  13. /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 8 -j REJECT
    iptables: Unknown error 18446744073709551615

    I am getting the above error; I am running this on one of the AWS EC2 machines, I need to limit the number of concurrent SSH connections

    Please help me

  14. I want to limit traffic from a specific IP address. As an example, only serve requests from IP address xxx.xxx.xxx.56, at 10 requests per second. Can I do it with iptables? If so how?

  15. Nice post, it helped me a lot !

    One question though, how long does an IP stay blocked by this rule? I used the test script from another location and the rules seem to work very well :-) But when do I have access again?

  16. Hi guys, I wanna know:
    I want to limit TCP connections via a router so I used the chain FORWARD. Can iptables limit TCP connections on port 80 to 40 max connections in 1 minute (60 seconds)? If it can happen, how can I monitor the traffic to see that the rule is working? thx :)

    NB:
    this is the rule I wanna use:

    iptables -A FORWARD -p tcp --dport 80 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
    iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 40 -j REJECT --reject-with tcp-reset
    
  17. When I am trying to skip an IP (our public IP) I am getting the error
    Bad argument `1.2.3.4'
    I am using the same command as given above
    /sbin/iptables -A INPUT -p tcp --syn --dport 80 -d ! 1.2.3.4 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
    Please suggest.
