connlimit lets me limit the number of connections per client/service. How would I go about combining such a rule with the IP sets available in more recent versions of the Linux kernel and netfilter?
1 Answer
Let's say we have an ipset named MYTESTSET, and that this ipset is of type hash:ip. It will store just IP addresses.
Then match against your ipset and, after that match, against the connlimit match extension, with the parameters you want.
```shell
iptables -A INPUT -p tcp \
    -m set --match-set MYTESTSET src \
    -m connlimit --connlimit-above 1 --connlimit-saddr --connlimit-mask 32 \
    -j DROP
```
This will do the following: for each source inside the IP set, connections will be counted and if there are more than one (--connlimit-above 1), they will be dropped, thus limiting the number of connections per source in the ipset to 1. (You can also match the other way, using --connlimit-upto xxx and -j ACCEPT instead of DROP.)
If you want to consider the whole set and allow 1 connection for all sources in the ipset, then set the --connlimit-mask switch to 0.
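The answer above shows the rule itself; the script below is an added example (not part of the original answer) that puts it together as an idempotent setup: the set is created and populated before any iptables rule references it (iptables refuses a `--match-set` against a set that does not exist yet), the rule is appended only if `iptables -C` does not already find it, and the rule specification is built by one function so the check and the append can never drift apart. The set name MYTESTSET, the two sample addresses, the limit of 1, and the `--syn` flag (so only connection attempts, not every packet of existing connections, are tested against the limit) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not taken from the original answer: create a hash:ip set, fill it,
# and attach a per-source connlimit rule to it without duplicating rules on re-run.
# Assumptions: set name MYTESTSET, the sample addresses below, LIMIT=1, and --syn
# (this example's choice so only handshake packets are counted against the limit).
set -eu

SETNAME="${SETNAME:-MYTESTSET}"
LIMIT="${LIMIT:-1}"
# Sample sources to put in the set (constructed for this example).
SOURCES="192.0.2.10 192.0.2.11"

# Build the rule spec once; it is reused for -C (check), -A (append) and -D (delete)
# so the three always agree. $1 = set name, $2 = connections allowed per key,
# $3 = prefix length used to group sources (32 = per host, 0 = the whole set as one key).
connlimit_rule() {
    printf 'INPUT -p tcp --syn -m set --match-set %s src -m connlimit --connlimit-above %s --connlimit-saddr --connlimit-mask %s -j DROP' "$1" "$2" "$3"
}

# The set must exist before any iptables rule can reference it, so create it first.
# -exist makes create/add succeed if the set or entry is already there.
ensure_set() {
    ipset create "$1" hash:ip -exist
    for ip in $SOURCES; do
        ipset add "$1" "$ip" -exist
    done
}

# Append the rule only if it is not already present (iptables -C exits 0 if it is).
ensure_rule() {
    rule=$(connlimit_rule "$SETNAME" "$LIMIT" 32)
    # Word-splitting of $rule into separate iptables arguments is intended here.
    iptables -C $rule 2>/dev/null || iptables -A $rule
}

# Only touch the live firewall when explicitly asked (needs root): APPLY=1 ./script.sh
if [ "${APPLY:-0}" = 1 ]; then
    ensure_set "$SETNAME"
    ensure_rule
    iptables -S INPUT
fi
```

Run with `APPLY=1` as root to install the set and rule; running it twice leaves exactly one rule in place. To switch to the "one connection for the whole set" variant from the answer, pass `0` instead of `32` as the third argument of `connlimit_rule`.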