Iptables - limit incoming connection
Hello Guys!
I'd like to limit the number of SSH connections to my server. I'd like to do it using the limit match, but I keep being kicked out. Any clue? Here are my rules so far:

iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m limit --limit 3/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -j LOG --log-level debug --log-prefix "NETFILTER - SSH: "
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -j REJECT --reject-with tcp-reset

I have done this in the past using connlimit/hashlimit, but I'd really like to do it using -m limit so I can learn something new.

# OLD RULES (BOTH WORKING)
# -m connlimit
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m connlimit --connlimit-above 2 -j LOG --log-prefix "NETFILTER - CONNLIMIT: "
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m connlimit --connlimit-above 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -j ACCEPT
# -m hashlimit
iptables -A INPUT -p tcp --dport 22 -m hashlimit --hashlimit-mode srcip --hashlimit-above 3/minute -j DROP
Hi,
AFAIK connlimit limits the number of active connections; limit limits the number of packets that go through. My first recommendation would be to restrict the limit rule to SYN packets only. I last used limit quite some time ago, so my knowledge might be a bit rusty, but in nftables I hit this problem a week ago. S.
Thanks mate, that's enough for me.