Iptables Limits Connections Per IP
问题:如何使用IPTABLE来限制一个单一的IP地址链接到服务器25及80端口的链接数量呢?
How do I restrict the number of connections used by a single IP address to my server for port 80 and 25 using iptables?
You need to use the connlimit modules which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).
You need to use the connlimit modules which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).
This is useful to protect your server or vps box against flooding, spamming or content scraping.
Syntax/语法
The syntax is as follows:
/sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset # save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save
Example: Limit SSH Connections Per IP / Host
Only allow 3 ssg connections per client host:
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT # save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save
Example: Limit HTTP Connections Per IP / Host
Only allow 20 http connections per IP (MaxClients is set to 60 in httpd.conf):
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
# save the changes see iptables-save man page, the following is redhat and friends specific command
service iptables save
# save the changes see iptables-save man page, the following is redhat and friends specific command
service iptables save
Skip proxy server IP 1.2.3.4 from this kind of limitations:
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -d ! 1.2.3.4 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
Example: Class C Limitations
In this example, limit the parallel http requests to 20 per class C sized network (24 bit netmask)
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset # save the changes see iptables-save man page service iptables save
Example: Limit Connections Per Second
The following example will drop incoming connections if IP make more than 10 connection attempts to port 80 within 100 seconds (add rules to your iptables shell script)
#!/bin/bash IPT=/sbin/iptables # Max connection in seconds SECONDS=100 # Max connections per IP BLOCKCOUNT=10 # .... # .. # default action can be DROP or REJECT DACTION="DROP" $IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set $IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} # .... # ..
How Do I Test My Firewall Working?
Use the following shell script to connect to your web server hosted at 202.1.2.3:
#!/bin/bash ip="202.1.2.3" port="80" for i in {1..100} do # do nothing just connect and exit echo "exit" | nc ${ip} ${port}; done
原文出处:^_^转载有理,分享无罪^_^