LinuxQuestions.org
Old 11-03-2009, 04:55 AM   #1
ytd
Member
 
Registered: Jan 2009
Posts: 106
Thanked: 0
block access from iptables and / or ftp configuration ?!


Ok, so here's the thing. It's a bit complicated, I guess.

I have an http server and I have many connections (over 1000 connections per day) to it on port 80. Sometimes the http server doesn't work anymore 'cause there are some IPs that access my server with more than 15 connections per second.

The chain INPUT has the default policy to accept any connection.

I did:

iptables -I INPUT -s bannedip -p tcp --dport 80 -j DROP

This works fine, I have banned 5 IPs so far and the http server is working fine now, it doesn't block anymore. But I have another problem. On the same server which is running the http server I have an ftp server (vsftpd) and again, I have many connections to the ftp server (tons of connections) and it's like... uncomfortable for me to ban them 'cause on the ftp server there are other banned IPs than the banned http IPs, and after a couple of hours the IP is changing and when I'm not at home, I can't block any IPs anymore, and the server is blocked.

I thought about having the chain INPUT policy deny / reject as default, but that can't be done 'cause then I will have to allow all IPs for the http port (80) and then if I get over 15 connections per second from an IP I can't block it anymore 'cause I already allowed 0/0 IPs on port 80.

So what can be done?

I saw on the internet that some programs (I'm not sure about vsftpd) have in the *.conf this thing:

AuthName "Site Administration"
AuthUserFile /home/user/askapache.com/.htpasswd
AuthType basic
Require valid-user
Order deny,allow
Deny from all
Allow from (my LAN IP)
Satisfy Any

Forgot to tell you that I ONLY need ftp access from my LAN, not WAN.

So, is there a way that I could deny some IPs for port 21 not from iptables but from the configuration of vsftpd?

Is that example good enough? Does it work if I write that information there? OMG I'm so stupid... why do I have to ask, I can test that myself. rotfl...


Oh, well... in case it doesn't work, I'm like... waiting for an answer here, or something.
Old 11-03-2009, 05:05 AM   #2
zhjim
Member
 
Registered: Oct 2004
Distribution: Debian lenny & etch, Red Hat 4.0, (used slackware 11.0)
Posts: 445
Blog Entries: 2
Thanked: 29
You can limit the connections per IP with the connlimit module of iptables.

Code:
iptables -A INPUT -p tcp --dport 80 -m connlimit --conlimit-above 2 -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
This limits every IP to only 2 connections. Maybe a log line above might be useful.

If you need ftp only from within, why don't you just shut access from the WAN?
Code:
iptables -A INPUT -i wan-interface -p tcp --dport 21 -j DROP
Or, if you just have all the policies set to deny:
Code:
iptables -A INPUT -i lan-interface -p tcp --dport 21 -j ACCEPT
Old 11-03-2009, 05:17 AM   #3
ytd
Member
 
Registered: Jan 2009
Posts: 106
Thanked: 0

Original Poster
Hi,

The first command doesn't work.

[root@xxx ~]# iptables -I INPUT -p tcp --dport 80 -m connlimit --conlimit-above 2 -j DROP
iptables v1.2.11: Unknown arg `--conlimit-above'
Try `iptables -h' or 'iptables --help' for more information.
[root@xxx ~]#


The second command isn't possible 'cause it has one interface (one single IP) and I access the server from my LAN and the server is in the DMZ.

PS: The deny from and allow from IP bla bla bla doesn't work in the vsftpd configuration. After I change the configuration and restart vsftpd, vsftpd says that it cannot start.

PS2: I see that in your first command you spelled conn with double n and then with a single n. It doesn't work either way.
Old 11-03-2009, 05:26 AM   #4
ytd
Member
 
Registered: Jan 2009
Posts: 106
Thanked: 0

Original Poster
rotfl i'm so fu*king smart =))

The server is in the DMZ but I'm in the LAN and there's a gateway between us. Look what I did:

[root@xxx ~]# iptables -I INPUT -i LAN GW -p tcp --dport 21 -j ACCEPT
[root@xxx ~]#
[root@xxx ~]#
[root@xxx ~]#
[root@xxx ~]# iptables -I INPUT -i WAN -p tcp --dport 21 -j DROP

rotfl it's working )

tyvm mate!
Old 11-03-2009, 05:51 AM   #5
zhjim
Member
 
Registered: Oct 2004
Distribution: Debian lenny & etch, Red Hat 4.0, (used slackware 11.0)
Posts: 445
Blog Entries: 2
Thanked: 29
There you go. Just a punch in the right direction and you're flying.

I had a typo within the second --connlimit. It's with double n. I just wrote this from the man page so no clue if there are more typos. But for sure see if you have the needed modules loaded. Either with lsmod or inside the /proc/net directory.

Cheers Zhjim
Old 11-03-2009, 06:10 AM   #6
ytd
Member
 
Registered: Jan 2009
Posts: 106
Thanked: 0

Original Poster
Quote:
Originally Posted by zhjim View Post
There you go. Just a punch in the right direction and you're flying.
Cheers Zhjim
rotflmao that was a good 1

Anyway, it doesn't work. After I added those rules, the iptables looks like this:

iptables -L

DROP tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp


So it's obvious that it doesn't work. There are two rules that are contradicting each other. What should I do, this su*ks.

PS: Should I create a virtual eth?
Old 11-03-2009, 10:10 AM   #7
zhjim
Member
 
Registered: Oct 2004
Distribution: Debian lenny & etch, Red Hat 4.0, (used slackware 11.0)
Posts: 445
Blog Entries: 2
Thanked: 29
No need for a virtual device. The -i argument to iptables names the interface. Use --source (-s) to limit the source IP.

Code:
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 21 -j ACCEPT
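Putting zhjim's two suggestions (the connlimit cap with a LOG line above it from reply #2, and the -s source qualifier for port 21 from reply #7) together as one ordered script, as an added example that is not code from the thread. The LAN subnet 192.168.1.0/24, the HTTP_LIMIT of 15, the DRY_RUN switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the rule set zhjim's replies
# describe as one ordered script. Assumed values (constructed): LAN_NET is the
# subnet ytd reaches the DMZ host from, HTTP_LIMIT the per-source cap.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
HTTP_LIMIT="${HTTP_LIMIT:-15}"

# With DRY_RUN=1 the rules are printed instead of loaded, so the order can be
# reviewed before they go onto a box you cannot reach when it locks up.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# iptables 1.2.11 rejected --connlimit-above; check the match exists before
# relying on it (zhjim: "see if you have the needed modules loaded").
has_connlimit() {
    [ -n "${DRY_RUN:-}" ] && return 0
    iptables -m connlimit --help >/dev/null 2>&1
}

apply_rules() {
    # First match wins, so the cap must sit above the blanket ACCEPT for
    # port 80. --syn drops only new connection attempts from an over-limit
    # source; connlimit counts concurrent connections, not per-second rate
    # (for a rate cap use the hashlimit match instead).
    if has_connlimit; then
        run -A INPUT -p tcp --syn --dport 80 -m connlimit \
            --connlimit-above "$HTTP_LIMIT" -j LOG --log-prefix "http-connlimit: "
        run -A INPUT -p tcp --syn --dport 80 -m connlimit \
            --connlimit-above "$HTTP_LIMIT" -j DROP
    else
        echo "connlimit match unavailable; port 80 left uncapped" >&2
    fi
    run -A INPUT -p tcp --dport 80 -j ACCEPT

    # FTP: the host has one interface, so qualify by source (-s) as in reply
    # #7, then drop everyone else. Plain iptables -L hides -i qualifiers,
    # which is why ytd's two port-21 rules looked identical; -L -n -v shows them.
    run -A INPUT -s "$LAN_NET" -p tcp --dport 21 -j ACCEPT
    run -A INPUT -p tcp --dport 21 -j DROP
}

# 1-based position of the first generated rule matching a pattern, for
# checking that a DROP really precedes the ACCEPT it must beat.
rule_index() {
    ( DRY_RUN=1; apply_rules ) | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run `DRY_RUN=1 sh rules.sh apply` to print the five rules in order, then `sh rules.sh apply` as root to load them.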