Rate limiting with iptables
Written by scott
Wednesday, 10 May 2006
The following is a rule I put together to rate limit inbound connections to a Project Gamera server. I like doing this in firewall rules over the internal control mechanisms, since I can apply it to other services:
# -I inserts each rule at the top of INPUT, so every command lands above the one
# before it and the chain ends up reading (top to bottom): LOG, DROP, --set.
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "RATELIMIT: "
What this does is track how many new connections each host opens to the mail server within 60 seconds; once a host exceeds 4 in that window, the attempt is logged and the connection is dropped. The recent list is keyed on the source address by default, so the limit applies per client.
The --set rule tells netfilter to record each new connection to port 25 in the recent list; it has no target, so the packet simply continues down the chain. The LOG rule is optional and logs attempts that exceed the threshold. The DROP rule drops any new connection over 4. Because -I puts each rule above the previous one, the DROP command is typed before the LOG command so that LOG sits above DROP in the chain; if DROP came first, matching packets would be discarded before the LOG rule ever saw them. One limit to keep in mind: --hitcount cannot be larger than the number of timestamps the module keeps per address (ip_pkt_list_tot, 20 by default).
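To see why the order of the three commands matters, the following is an added example (not from the original post) that models the recent match's sliding window in Python and runs a constructed burst of SMTP connections through the chain in the three orders -I and -A can produce. It is a simplified model of xt_recent (source-keyed list, ip_pkt_list_tot of 20, an assumed ACCEPT policy), not the kernel's code.

```python
from collections import deque

PKT_LIST_TOT = 20  # kernel default ip_pkt_list_tot: stamps kept per address

class Recent:
    def __init__(self):
        self.lists = {}  # one 'recent' list: source address -> hit stamps

    def set(self, src, now):
        # --set: create the entry or add a stamp; the rule has no target,
        # so the packet carries on down the chain.
        self.lists.setdefault(src, deque(maxlen=PKT_LIST_TOT)).append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match only if the address is listed
        # with >= N stamps inside the window; a match also records the current
        # stamp, so a host that keeps hammering never ages out of the list.
        stamps = self.lists.get(src)
        if stamps is None or sum(1 for s in stamps if now - s <= seconds) < hitcount:
            return False
        stamps.append(now)
        return True

def run_chain(chain, events, seconds=60, hitcount=4):
    """Evaluate INPUT for each (time, src) SYN.  chain: (kind, target) pairs in
    evaluation order.  Returns verdicts and the event numbers the LOG rule saw."""
    recent = Recent()
    verdicts, logged = [], []
    for n, (now, src) in enumerate(events, 1):
        verdict = "ACCEPT"  # assumed INPUT policy when nothing matches
        for kind, target in chain:
            matched = (recent.set(src, now) if kind == "set"
                       else recent.update(src, now, seconds, hitcount))
            if matched and target == "LOG":
                logged.append(n)
            elif matched and target == "DROP":
                verdict = "DROP"
                break
        verdicts.append(verdict)
    return verdicts, logged

# Three -I commands typed as --set, LOG, DROP leave INPUT reading: DROP, LOG, --set.
AS_POSTED = [("update", "DROP"), ("update", "LOG"), ("set", None)]
# The same commands with the LOG one typed last: LOG, DROP, --set.
LOG_FIRST = [("update", "LOG"), ("update", "DROP"), ("set", None)]
# -A (or -I with explicit positions) keeps the typed order: --set, LOG, DROP.
SET_FIRST = [("set", None), ("update", "LOG"), ("update", "DROP")]
# Constructed traffic: six SYNs from one host 5 s apart, then one after the window.
EVENTS = [(t, "198.51.100.7") for t in (0, 5, 10, 15, 20, 25, 100)]
```

With DROP above LOG the fifth connection is dropped but nothing is ever logged; with LOG above DROP the same connections are dropped and also logged; with --set first the fourth connection already trips the limit, because its own stamp is counted before the --update rules run.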
Last Updated (Tuesday, 27 June 2006)