pablo (MVM, joined 2003-06-23) to davidsmind:
Re: Per IP or netblock connection limit with Qmail TCPserver

Hi,

Can you not use `iptables' to limit the number of connections per IP? See »www.cyberciti.biz/faq/ip ··· ts-howto

Cheers,
-pablo

Brano (MVM, Burlington, ON, joined 2002-06-25):
Or fail2ban »www.fail2ban.org

Salty_Peaks (Anon, @quadranet.com) to pablo:
Exactly as Pablo has suggested -- I use this on my MTA. TCP RST is "nice" since they don't end up with half-open connections. I consider these values "sane"; they are currently in production use for a Postfix/Dovecot server. Adjust values as necessary, obviously.

/usr/sbin/iptables -I INPUT -p tcp --syn --dport 993 -m connlimit --connlimit-above 16 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -I INPUT -p tcp --syn --dport 465 -m connlimit --connlimit-above 16 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -I INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 4 -j REJECT --reject-with tcp-reset
 
Salty_Peaks (Anon):
Oh yeah, the 4 connections on dport 25 is 4 connections per IP, not 4 cumulative connections for 0.0.0.0 -- here is the man page:

connlimit
    Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).

    --connlimit-upto n
        Match if the number of existing connections is below or equal n.

    --connlimit-above n
        Match if the number of existing connections is above n.

    --connlimit-mask prefix_length
        Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128. If not specified, the maximum prefix length for the applicable protocol is used.

    --connlimit-saddr
        Apply the limit onto the source group.

    --connlimit-daddr
        Apply the limit onto the destination group.

    Examples:

    # allow 2 telnet connections per client host
        iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

    # you can also match the other way around:
        iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT

    # limit the number of parallel HTTP requests to 16 per class C sized source network (24 bit netmask)
        iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

    # limit the number of parallel HTTP requests to 16 for the link local network
        (ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

    # Limit the number of connections to a particular host:
        ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit --connlimit-above 100 -j REJECT