How to limit the connections from one ip address using iptables
Posted by Mohamed Adam on Tuesday, September 6, 2011
The following command rejects every new connection from a source IP address that already has more than 3 connections open to this machine (connlimit counts per source address by default). This can be used against DDoS attacks.
#iptables -A INPUT -p all -m connlimit --connlimit-above 3 -j REJECT
If you want to limit only SSH connections, use the following command.
#iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
For allowing 2 telnet connections per client host:
#iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
You can also write the rule as given below:
#iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
For limiting the number of parallel HTTP connections to 16 per class C sized network (24-bit netmask):
#iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT
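The rules above share one shape: a TCP port, a connection limit, and a netmask that decides whether the limit applies per client host (/32) or per network (/24). The script below is an added example, not part of the original post; it builds that rule from validated parameters and applies it idempotently with iptables -C (check) before iptables -A (append), so re-running it does not stack duplicate rules. It assumes an iptables with the connlimit match and root privileges when APPLY=1 is set; otherwise it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original post): build per-source connection
# limits with the iptables connlimit match and apply them idempotently.

# Print the rule body (everything after "INPUT") for a per-source limit on
# one TCP port. MASK groups sources: 32 = per client host (the default),
# 24 = per /24 network, which the post calls a class C sized network.
connlimit_spec() {
    port=$1; limit=$2; mask=${3:-32}
    for v in "$port" "$limit" "$mask"; do
        case "$v" in
            ''|*[!0-9]*) echo "connlimit_spec: '$v' is not a number" >&2; return 1 ;;
        esac
    done
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "connlimit_spec: bad port $port" >&2; return 1; }
    [ "$mask" -le 32 ] || { echo "connlimit_spec: mask must be 0-32" >&2; return 1; }
    printf '%s' "-p tcp --syn --dport $port -m connlimit --connlimit-above $limit --connlimit-mask $mask -j REJECT"
}

# Install SPEC in the INPUT chain unless an identical rule already exists.
# Without APPLY=1 the commands are printed instead of executed.
apply_spec() {
    spec=$1
    if [ "${APPLY:-0}" = 1 ]; then
        # Unquoted $spec is intentional: it is a flat list of iptables arguments.
        if iptables -C INPUT $spec 2>/dev/null; then
            echo "already present: $spec"
        else
            iptables -A INPUT $spec
        fi
    else
        echo "iptables -A INPUT $spec"
    fi
}

# The limits from the post: SSH 3 per host, telnet 2 per host, HTTP 16 per /24.
main() {
    apply_spec "$(connlimit_spec 22 3)"   || return 1
    apply_spec "$(connlimit_spec 23 2)"   || return 1
    apply_spec "$(connlimit_spec 80 16 24)" || return 1
}

# Run the installer only when executed directly, not when sourced for testing.
[ "${0##*/}" = "connlimit.sh" ] && main
```

Run it as APPLY=1 sh connlimit.sh to install the rules, or without APPLY to preview them. Keep in mind that the ACCEPT variant shown in the post (! --connlimit-above 2 -j ACCEPT) only admits the first 2 connections; what happens to the rest depends on the rules and chain policy that follow it, so it must be paired with a later REJECT or DROP to have the same effect as the REJECT form.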