Limit incoming connections using iptables per IP

iptables

I need to limit access to some port per IP. Let's say 5 connections per minute – not more.

I've seen iptables recent, connlimit and limit, but all of them are not fitting exactly what I need.

Suppose you have a client trying to connect every second. In my scenario I need to allow 5 packets each minute.

recent: If some IP tries to connect every 1 second, --hitcount 5 will memorize this IP and keep it in the list until no packets come within the --seconds 60 time. So, it will limit the client permanently in my scenario.

limit: This one limits as I wish with --limit 5/min, but for all IPs – no way to specify this per IP.

connlimit: Limits number of simultaneous connections, not per some time.

In fact, I need a mixture of limit + recent. Who knows how to do it?

Best Answer

Finally managed to do it with recent:

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
         -m recent --rcheck --seconds 60 --hitcount 5 --name ssh --rsource \
         -j REJECT --reject-with icmp-port-unreachable

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
         -m recent --set --name ssh --rsource

--update will restart the timer again on each receiving packet, but --rcheck will only check it. After 60 seconds the structure is deleted and a new timer is started again.

This is how I got it (I was not looking into sources - too lazy)
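As an added illustration (not part of the answer above, and not the kernel's code): a constructed Python model of the recent match applied to the two-rule chain, showing why --rcheck admits 5 NEW connections per source per 60 seconds while --update would keep a retrying client blocked. It assumes the documented behaviour of --rcheck/--update/--set and ignores the kernel's cap on stored timestamps per address.

```python
# Constructed model of the netfilter `recent` match for the two-rule chain
# above; it is not the kernel implementation.
from collections import defaultdict

SECONDS, HITCOUNT = 60, 5   # --seconds 60 --hitcount 5


def periodic_client(src, interval, duration):
    """Constructed traffic: one NEW connection from `src` every `interval` s."""
    return [(t, src) for t in range(0, duration, interval)]


def run_chain(packets, check_mode="rcheck", seconds=SECONDS, hitcount=HITCOUNT):
    """Apply rule 1 (recent check -> REJECT) then rule 2 (recent --set).

    packets: (time_in_seconds, src_ip) pairs.
    check_mode: "rcheck" (match only) or "update" (match and record).
    Returns (time, src, verdict) triples in time order.
    """
    stamps = defaultdict(list)          # per-source list of recorded hit times
    out = []
    for t, src in sorted(packets):
        # A stamp counts as "recent" while stamp + seconds > now.
        window = [s for s in stamps[src] if t - s < seconds]
        stamps[src] = window            # older stamps can never match again
        if len(window) >= hitcount:
            if check_mode == "update":
                stamps[src].append(t)   # --update refreshes even while rejecting
            out.append((t, src, "REJECT"))
            continue                    # REJECT ends traversal; --set not reached
        stamps[src].append(t)           # rule 2: -m recent --set --name ssh
        out.append((t, src, "ACCEPT"))
    return out


def accepted_times(results, src):
    """Times at which `src` got through the chain."""
    return [t for t, s, v in results if s == src and v == "ACCEPT"]


if __name__ == "__main__":
    # Two constructed clients, each opening a connection every second for 3 min.
    traffic = periodic_client("192.0.2.10", 1, 180) + periodic_client("198.51.100.7", 1, 180)
    for mode in ("rcheck", "update"):
        res = run_chain(traffic, mode)
        print(mode, accepted_times(res, "192.0.2.10"))
```

With --rcheck each source gets exactly five connections in every 60-second window; with --update a source that retries every second is admitted five times and then never again, which is the permanent lockout the question describes.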
