Iptables - limit incoming connection
 

Hello Guys!
I'd like to limit the number of ssh connections to my server.
I'd like to do it using the match limit, but i keep being kicked out. Any clue??

here's my rules so far.
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m limit --limit 3/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -j LOG --log-level debug --log-prefix "NETFILTER - SSH: "
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -j REJECT --reject-with tcp-reset

i have done this on the past, using connlimit/hashlimit, but i'd really want to do it using -m limit so i can learn something new.

# OLD RULES (BOTH WORKING)
# -m connlimit
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m connlimit --connlimit-above 2 -j LOG --log-prefix "NETFILTER - CONNLIMIT: "
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m connlimit --connlimit-above 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -j ACCEPT

# -m hashlimit
iptables -A INPUT -p tcp --dport 22 -m hashlimit --hashlimit-mode srcip --hashlimit-above 3/minute -j DROP

Hi,

AFAIK connlimit limits the number of active connections, limit limits the number of packets that go through. My first recommendation would be to limit the mlimit rule only to SYN packets. I last used limit quite some time ago, so my knowledge might be a bit rusty, but in nftables I hit this problem a week ago.

S.

Thanks mate, that's enough for me.