How do I restrict the number of connections used by a single IP address to my server for port 80 and 25 using iptables?
You need to use the connlimit module, which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).
This is useful to protect your server or VPS box against flooding, spamming or content scraping.
Syntax
The syntax is as follows:
/sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset
# save the changes, see the iptables-save man page; the following is a Red Hat and friends specific command
service iptables save
Example: Limit SSH Connections Per IP / Host
Only allow 3 SSH connections per client host:
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# save the changes, see the iptables-save man page; the following is a Red Hat and friends specific command
service iptables save
Example: Limit HTTP Connections Per IP / Host
Only allow 20 HTTP connections per IP (MaxClients is set to 60 in httpd.conf):
WARNING! Please note that large proxy servers may legitimately create a large number of connections to your server. You can skip those IPs using the ! syntax (see the next example).
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
# save the changes, see the iptables-save man page; the following is a Red Hat and friends specific command
service iptables save
Skip proxy server IP 1.2.3.4 from this kind of limitation. The proxy is the client opening the connections, so the exemption goes on the source address (-s), and current iptables expects the ! before the option rather than after it:
/sbin/iptables -A INPUT -p tcp --syn --dport 80 ! -s 1.2.3.4 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
Example: Class C Limitations
In this example, limit the parallel HTTP requests to 20 per class C sized network (24-bit netmask):
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
# save the changes, see the iptables-save man page
service iptables save
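To skip more than one trusted address while keeping the exemption and the limit together, the following added example (not code from the original article) puts the connlimit rule in a dedicated chain that trusted sources RETURN from before the limit is evaluated. The chain name CONNLIMIT_<port>, the IPT dry-run override and the addresses are assumptions for illustration.

```bash
#!/bin/bash
# Added example: per-client connection limit with a whitelist chain.
# Set IPT=echo to print the rules instead of loading them (dry run).
IPT="${IPT:-/sbin/iptables}"

# apply_connlimit PORT LIMIT MASK [EXEMPT_IP ...]
#   PORT   TCP port to protect (80, 25, ...)
#   LIMIT  parallel connections allowed per client (or per block)
#   MASK   prefix length that groups clients: 32 = per host, 24 = per /24
apply_connlimit() {
    [ "$#" -ge 3 ] || { echo "usage: apply_connlimit PORT LIMIT MASK [EXEMPT_IP ...]" >&2; return 1; }
    local port="$1" limit="$2" mask="$3" chain="CONNLIMIT_$1" ip
    shift 3
    case "$port$limit$mask" in *[!0-9]*|"") echo "numeric args only" >&2; return 1;; esac
    [ "$mask" -le 32 ] || { echo "mask must be 0-32" >&2; return 1; }

    $IPT -N "$chain" 2>/dev/null || true   # chain may already exist on a re-run
    $IPT -F "$chain"                       # start from an empty chain
    # trusted sources (e.g. a large proxy) leave the chain before the limit
    for ip in "$@"; do
        $IPT -A "$chain" -s "$ip" -j RETURN
    done
    # everyone else: reset the handshake once they hold more than LIMIT sessions
    $IPT -A "$chain" -m connlimit --connlimit-above "$limit" --connlimit-mask "$mask" \
         -j REJECT --reject-with tcp-reset
    # only new SYNs are inspected, so established sessions are never cut
    $IPT -A INPUT -p tcp --syn --dport "$port" -j "$chain"
}
```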
Example: Limit Connections Per Second
The following example will drop incoming connections if an IP makes more than 10 connection attempts to port 80 within 100 seconds (add the rules to your iptables shell script):
#!/bin/bash
IPT=/sbin/iptables
# time window in seconds (named WINDOW, because bash reserves SECONDS as a running counter)
WINDOW=100
# max new connections per IP within the window
BLOCKCOUNT=10
# ....
# ..
# default action can be DROP or REJECT
DACTION="DROP"
# first rule records the source IP of every new connection
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# second rule acts once the IP has exceeded BLOCKCOUNT hits inside WINDOW seconds
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}
# ....
# ..
How Do I Test My Firewall Is Working?
Use the following shell script to connect to your web server hosted at 202.1.2.3:
#!/bin/bash
ip="202.1.2.3"
port="80"
for i in {1..100}
do
	# do nothing, just connect and exit
	echo "exit" | nc ${ip} ${port}
done
References:
- Lighttpd Traffic Shaping: Throttle Connections Per Single IP (Rate Limit)
- man page – iptables
Useful, as always ;)
Great tips.
thnx For You
It's good, but some DDoS attacks can bypass this rule, or it's very fast to be rejected or ignored.
Can you give me your opinion on this statement???
Don't forget to change “IPT=/sbin/iptales” to “IPT=/sbin/iptables” ^_^
in this topic and in
https://www.cyberciti.biz/tips/lighttpd-set-throughput-connections-per-ip.html
thnx For You
XxRa3eDxX
What about this?
[vpsxxx:~$]# /sbin/iptables -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
iptables v1.4.2: no command specified
Try `iptables -h' or 'iptables --help' for more information.
I’m running debian lenny.
regards
iga
Hi,
It is giving an error while executing iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
error: "iptables: Unknown error 4294967295"
@ iga / gajendra: It was a typo on my part (I forgot to add -A INPUT) to those rules. The faq has been updated. Let me know if you’ve any more problems.
Nice indeed.
My problem is while executing the below command
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
It is giving the error "iptables: Unknown error 4294967295"
Please help me to solve this..
@gajendra,
This error means either you are using an outdated version of iptables or it is not compiled in. Another possibility is VPS software which may not support this feature. Are you using a direct server or some sort of VPS?
@gajendra,
Replace the character before the syn, dport and connlimit parameters with a double hyphen (i.e. --).
Thank you for this article. Found it useful.
Which Linux did you use? It doesn't work on CentOS :(
hello
This site is a great website for Linux config!!
I need to limit users to 8 connections for download and only 1 file download at a time
Please help with limiting users
thank you
Quite important if you want to use this option and are getting an error:
http://www.mail-archive.com/debian-firewall@lists.debian.org/msg08695.html
Hi,
I configured connlimit for port 80 for testing purposes, and then I tried to open more connections than the set limit, but the rule is not working.
Rocky
Hi guys,
Do you think it's normal to have more than 162 connections per IP?
Hi,
I used the last script to test my server, but for some reason the iptables rules won't work; I can still connect more than 20 times in 60 seconds.
I am using CSF.. is there any conflict then?
Thanks
Oliver
In order to use this I would need to establish a baseline for how many concurrent connections I need to allow. If I am a large social networking site, for example, I can’t limit concurrent connections to three if I have multiple, possibly hundreds or thousands of users, on a segment, like a dorm, all resolving to a single, or a few IP addresses. How do I measure/audit that?
@Dave
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
This will give it in the format
$NumberOfConnectionsLastMinute $IP
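To turn that one-liner into a baseline for choosing a connlimit value, the following added example (not code from the article or from the commenter) counts only sessions that actually occupy a slot and can group clients by /24, matching --connlimit-mask 24. It reads netstat -ntu style output on stdin; the sample output embedded below is constructed, IPv4 only, and the mask handling is limited to 32 and 24.

```bash
#!/bin/bash
# Added example: peak parallel TCP connections per client, from netstat-style input.
# Usage on a live host:  netstat -ntu | peak_connections 24
peak_connections() {
    local mask="${1:-32}"   # 32 = per host, 24 = per /24 block
    awk -v mask="$mask" '
        # column 5 is the foreign (client) address, column 6 the state;
        # only sessions that hold a slot count, half-open ones included
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_RECV") {
            ip = $5
            sub(/:[0-9]+$/, "", ip)          # drop the client port
            if (mask == 24) {
                split(ip, o, ".")
                ip = o[1] "." o[2] "." o[3] ".0/24"
            }
            n[ip]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }' | sort -nr
}

# constructed sample, not captured from a real host
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51240      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.9:40001      SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.33:6000         ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.33:6001         TIME_WAIT'

# busiest client per host and per /24; the latter is the figure to compare
# against --connlimit-above when --connlimit-mask 24 is used
peak_per_host()  { printf '%s\n' "$SAMPLE_NETSTAT" | peak_connections 32 | head -n 1; }
peak_per_block() { printf '%s\n' "$SAMPLE_NETSTAT" | peak_connections 24 | head -n 1; }
```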
Hi,
Very nice guide, it solved a lot of my questions, but I have a new one.
In the case that I want to limit a LAN's computers to my server, what do I do?
Example:
In a class C, computers 1 and 2 limited to only 3 connections to a specific port of my server, not the public IP of those computers. Could I block it?
Thanks
What's missing/wrong when I get
ip-10-234-185-98:~# /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
iptables: No chain/target/match by that name
Can we make zero connlimit in iptables? what will happen if I make it zero?
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 0 -j REJECT --reject-with tcp-reset
Asking, mr..
where is the script for limiting per IP address?
and where is the IP address limited?
please reply mr..
Hi, can you help me to set the chain rule for iptables (Linux Red Hat)? The requirement is that I want to restrict the client (per client)
connection limit to the destination IP.
The request to the server is that the PDU rate (connections per IP) shall be per IP. The existing iptables needs to be enhanced to make
it per source IP of the client.
Hi, I have a question about how to set a chain rule in iptables (Linux Red Hat). The requirement is-->
there is a client and a server; if one client requests the server, then the PDU rate (connections per IP) shall be maintained. My
existing iptables had some rules like connlimit, but it needs to be enhanced to make it per source IP of the client
iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
I have this rule on my firewall
iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
A few days ago it was working fine, but I don't know what I am doing wrong; now the time frame of this rule resets with the last request even if it was rejected. Just because of it no request comes into the system, only the first 3 requests come in, and if I wait for one minute then again I am able to send new requests in 60 seconds.
:~# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 4 -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name.
Debian Squeeze
good writeup.
Could you please shed some light on more of the internals?
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
is for all the IPs.
What should I do if it is for a specific source IP?
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 8 -j REJECT
iptables: Unknown error 18446744073709551615
I am getting the above error; I am running this on one of my AWS EC2 machines. I need to limit the number of concurrent SSH connections.
Please help me
Please, let me know, How can I exclude IP from that rule?
wonderful tutorials!
I want to limit traffic from a specific IP address. As an example, only serve requests from IP address xxx.xxx.xxx.56, at 10 requests per second. Can I do it with iptables? If so, how?
How can i donate? I’ve been looking for this since forever. Thank you so much!
Nice post, it helped me a lot !
One question though: how long does an IP stay blocked by this rule? I used the test script from another location and the rules seem to work very well :-) But when do I have access again?
To test this stuff out on web servers, I find the easiest thing is to run 'wget -m http://location', which is just wget's mirror command. It pulls down the entire site until the rules stop responding.
Hi guys.. I want to know,
I want to limit TCP connections via a router, so I used the FORWARD chain. Can iptables limit TCP connections on port 80 to a max of 40 connections in 1 minute (60 seconds)? If it can, how can I monitor the traffic to see that the rule works? thx :)
NB:
this is the rule I want to use:
When I am trying to skip an IP (our public IP) I am getting the error
Bad argument `1.2.3.4'
I am using the same command as given above
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -d ! 1.2.3.4 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
Please suggest.
Hi,
On Example: Limit Connections Per Second.
Can you tell me how to ignore an IP or IP range connecting to my server?