Old 05-30-2012, 04:30 AM   #1
Epidemias
LQ Newbie
 
Registered: May 2012
Location: Belgium
Distribution: Debian
Posts: 2

iptables - limit amount of tcp connections


I'm looking to use Iptables to limit the number of tcp connections each IP can make per x seconds. But I'm a complete newbie at Iptables. The rule I intend to use for that is:
Code:
iptables -A INPUT -p tcp -d 192.168.19.129 -i eth0 -m state --state NEW -m recent --update --seconds 90 --hitcount 5 -j DROP
But with this I have a few questions:
1) if I only add this rule, would iptables still allow all other connections to go through?
2) what would be the best action, drop or reject?
3) what kind of hardware requirements would this have? (for a 100 Mbps connection)

some background info:
I'm working in an environment where soon 15k (external) devices will need to connect to a server every 90 - 300 sec to say "I'm device X and I'm still alive". The number of devices is expected to grow. But some of the devices may sometimes act up a bit and connect more often. To prevent this from overloading the network/servers I'm looking to limit the number of tcp connections each device is able to make.
 
Old 05-30-2012, 04:48 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Welcome to LQ Security!

Rate limiting with iptables is usually done in a two step process. As a (working) example, here are the two rules I use to restrict attempts to connect to the SSH port:
Code:
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
Note that it is the first rule that does the actual dropping, while the second rule performs the set that triggers the rule chain. I am also using names for the chains, in my case DEFAULT.
Modifying these two rules for your example gives:
Code:
-A INPUT -i eth0 -p tcp -m tcp -d 192.168.19.129 -m state --state NEW -m recent --update --seconds 90 --hitcount 5 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp -d 192.168.19.129 -m state --state NEW -m recent --set --name DEFAULT --rsource
Here is a good introductory link that explains the mechanics of rate limiting with iptables: http://blog.bodhizazen.net/linux/pre...with-iptables/

In answer to your other questions:
1) With these rules, the connections will be allowed to pass through, up to a point. You will need to adjust the rules according to your connections. With these rules, a particular host will be allowed to make 5 connections in 90 seconds, beyond which they will be blocked. If this server, 192.168.19.129, hosts other applications, such as web pages, these rules may impact the operation and in this case you may want to add a field for the port you wish to block.

2) Drop or Reject both work. Drop will be silent, whereas reject will respond with an ICMP message.

3) Any filtering operation will consume CPU cycles. If you implement this filter in the server itself, there will be some load, though it will be very little compared to processing the requests. If you are really concerned you should implement this filter upstream of the server, though I doubt that this will be required. No other "hardware" is required.
 
1 members found this post helpful.
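As an added illustration (not part of the thread), here is a small Python model of the recent match's --set / --update / --rcheck behaviour, which shows why the lone rule from post #1 never drops anything, why the two rules above allow 5 new connections per 90 seconds and drop the sixth, and how --update (unlike --rcheck) keeps a persistent offender blocked. The class and function names are my own, and it assumes the module's default of 20 stamps per address.

```python
# Added example (not from the thread): a small model of the netfilter "recent"
# match, to check what the two-rule pattern from post #2 actually does.
# Assumptions: the --update/DROP rule runs before the --set rule (as posted),
# times are in seconds, each address keeps at most 20 stamps (ip_pkt_list_tot).
from collections import defaultdict

MAX_STAMPS = 20  # the recent module's default ip_pkt_list_tot

class RecentTable:
    """Per-source timestamp lists, like one --name table of the recent match."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: always record a hit for src."""
        lst = self.stamps[src]
        lst.append(now)
        del lst[:-MAX_STAMPS]  # keep only the newest MAX_STAMPS entries

    def check(self, src, now, seconds, hitcount, update):
        """--rcheck / --update: True when src has at least `hitcount` stamps
        within the last `seconds`. With update=True a match also records a
        new stamp, so a source that keeps connecting keeps its block alive."""
        lst = self.stamps.get(src)
        if not lst:
            return False  # address not in the list: neither option matches
        hits = sum(1 for t in lst if now - t <= seconds)
        matched = hits >= hitcount
        if matched and update:
            self.set(src, now)
        return matched

def simulate(arrivals, seconds=90, hitcount=5, update=True, with_set=True):
    """Feed (time, src) new-connection attempts through the two rules and
    return one verdict per attempt: 'DROP' from rule 1, else 'ACCEPT'."""
    table = RecentTable()
    verdicts = []
    for now, src in arrivals:
        # rule 1: -m recent --update --seconds S --hitcount N --rsource -j DROP
        if table.check(src, now, seconds, hitcount, update):
            verdicts.append("DROP")
            continue
        # rule 2: -m recent --set --rsource (no -j, so the packet continues)
        if with_set:  # with_set=False models the lone rule from post #1
            table.set(src, now)
        verdicts.append("ACCEPT")
    return verdicts
```

One caveat for a 15k-device deployment: the recent module's address list defaults to 100 entries (the ip_list_tot module parameter), beyond which the oldest addresses are evicted, so that parameter needs raising for that many sources.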
Old 05-30-2012, 05:17 AM   #3
Epidemias
LQ Newbie
 
Registered: May 2012
Location: Belgium
Distribution: Debian
Posts: 2

Original Poster
Thanks for the fast reply.
It'll be a dedicated server, no other services will run on it (actually there will be 2 servers for redundancy).
I was thinking to put a server between the modem and the router. My first question was about that situation. If I put those rules in, will it still allow all other traffic that's not going towards that server?
I only have some experience in traffic shaping with Cisco IOS, in which you have to add a rule to deny or allow traffic that doesn't match all previous rules.
 
Old 05-30-2012, 09:21 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Quote:
Originally Posted by Epidemias
Thanks for the fast reply.
I was thinking to put a server between the modem and the router. My first question was about that situation. If I put those rules in, will it still allow all other traffic that's not going towards that server?
While doable, this type of arrangement would be getting more complicated and will require network architecture planning. In order to pass the traffic through the server, you would need to have multiple network interfaces and need to configure the machine as a router (for the rest of the network). By default, no traffic would pass through it, or as you put it, "allow all other traffic that's not going towards that server". IPtables will support this function, but the rule set goes way beyond your filtering application and involves the use of the NAT tables. It would be far simpler to place these machines on a LAN or DMZ segment and use NAT or PAT to send server traffic to the server.

The IPTables rules are similar to Cisco IOS. In fact, you still write rules to explicitly allow or deny traffic, but there is also the default POLICY. A common approach is to set the policy to ACCEPT traffic, write your ACCEPT rules, such as your rate limit rules, and then use a catch-all rule to drop all other traffic. Alternatively you can set the policy to DROP all traffic and then write accept rules, but if you FLUSH the rule set, you can lock yourself out. This is why I prefer the accept policy with a drop rule approach.
 
1 members found this post helpful.