iptables limit per IP per minute

no_root_no_cry · 12-24-2013, 04:18 AM

I'm trying to limit connections per IP address to N per minute (or second) but I have problems with iptables (as always).
Here are my adventures:

Code:

uname -a
	Linux … 2.6.32-042stab076.8 #1 SMP Tue May 14 … 2013 i686 GNU/Linux

lsb_release -a
	…
	Description:	Debian GNU/Linux 6.0.8 (squeeze)
	Release:	6.0.8

iptables --version
	iptables v1.4.8

iptables -S
	-P INPUT ACCEPT
	-P FORWARD ACCEPT
	-P OUTPUT ACCEPT

# /sbin/iptables -v -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
	tcp opt -- in eth0 out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 state NEW recent: SET name: DEFAULT side: source
	iptables: No chain/target/match by that name.

# /sbin/iptables -v -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
	tcp opt -- in eth0 out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 state NEW recent: SET name: DEFAULT side: source
	iptables: No chain/target/match by that name.

# /sbin/iptables -v -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
	REJECT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 flags:0x17/0x02 #conn/32 > 5 reject-with tcp-reset
	iptables: No chain/target/match by that name.

# /sbin/iptables -v -I INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
	ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 state NEW limit: avg 5/min burst 10

# iptables -S
	-P INPUT ACCEPT
	-P FORWARD ACCEPT
	-P OUTPUT ACCEPT
	-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m limit --limit 5/min --limit-burst 10 -j ACCEPT

perl test.pl
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK

# /sbin/iptables -v -A INPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
	REJECT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 reject-with tcp-reset

# iptables -S
	-P INPUT ACCEPT
	-P FORWARD ACCEPT
	-P OUTPUT ACCEPT
	-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m limit --limit 5/min --limit-burst 10 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset

perl test.pl
	Connection refused at test.pl line 22.

# iptables -v -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit 45/sec --hashlimit-burst 60 --hashlimit-mode srcip --hashlimit-name DDOS --hashlimit-htable-size 32768 --hashlimit-htable-max 32768 --hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 100000 -j ACCEPT
	FATAL: Could not load /lib/modules/2.6.32-042stab076.8/modules.dep: No such file or directory
	FATAL: Could not load /lib/modules/2.6.32-042stab076.8/modules.dep: No such file or directory
	ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 limit: up to 45/sec burst 60 mode srcip htable-size 32768 htable-max 32768 htable-expire 100000
	iptables: No chain/target/match by that name.

Can anyone help?

sag47 · 12-24-2013, 11:39 PM

http://www.linuxquestions.org/questi...1/#post4512449

I covered it in one of my blog posts.

no_root_no_cry · 12-25-2013, 11:43 AM

Thank you for your reply!
Perhaps your blog post is very helpful but it doesn't solve my problem.
Here is the result of executing the commands:

Code:

# iptables -A INPUT -i eth0 -p tcp --dport 5060 -m state --state NEW -m recent --setiptables: No chain/target/match by that name.
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --setiptables: No chain/target/match by that name.

sag47 · 12-25-2013, 03:06 PM

You haven't given very much information. What chains are available?

Code:

iptables -nL

Have you read the iptables man page of the system you're using to ensure the options you're passing are valid? What is the system (OS/version)? Have you read your OS documentation on configuring iptables? Many distros post distro-specific documentation to assist their users.