Differences

This shows you the differences between two versions of the page.

--- iptables:rate_limiting [2016/07/03 22:17] – peter
+++ iptables:rate_limiting [2019/11/29 17:41] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== IPTables - Rate Limiting ======
-The Netfilter system includes a variety of matchers which we can use to implement rate limiting solutions.  A non-exhaustive list is given below along with a brief description of each module. We shall be covering all of these in turn in the following sections.
-**limit**
-This matcher can be used to limit matching of a rule to a rate specified.  Any rule which includes this matcher will only match while the limit has not been exceeded.
-**connlimit**
-This matcher can be used to limit matching of a rule based on the number of existing active connections from a given host or address block.  Any rule which includes this matcher will only match while the number of connections is above, or below if negated, the number specified.
-**hashlimit**
-This matcher can be used to limit matching of a rule to a rate specified on a per address, or per address-port tuple, basis.  Any rule which includes this matcher will only match while the limit has not been exceeded for the specified source or destination address.
-**recent**
-This matcher can be used to create, update, and perform actions based on the contents of dynamic lists of addresses.  It can be used to create extremely complex rules and is ideal for creating dynamic behaviours such as automated retaliation and port "knocking" activated rules.
-As you can see there is a matcher for pretty much every imaginable scenario.
-===== Simple Rate Limiting =====
-Simple rate limiting is adequate for controlling the size of a log file it is not really suitable for much else. We could use it to limit the number of connection attempts to a particular service in any given period, for example, but as it pays no regard to who is attempting to connect this would just be a recipe for an easy denial of service attack.
-This may sound unnecessary but each log file entry is approximately 200 bytes.  Assuming a rate of 1 log entry per second a log of roughly 16 megabytes can be generated every single day!  This would grow to consume nearly 6 gigabytes of storage after a year.  For this reason any log generating lines should always be limited.
-<code bash>
-iptables -N LOGDROP
-iptables -A LOGDROP -j LOG --log-prefix 'FIREWALL - DROP:' --log-level info
-iptables -A LOGDROP -m limit --limit 1/second --limit-burst 20 \
-   -j LOG --log-prefix 'FIREWALL - DROP:' --log-level info
-iptables -A LOGDROP -j DROP
-</code>
-===== Connection Limiting =====
-Sometimes it can be useful to be able to control the number of simultaneous connections which may be opened to a particular resource from a given host or network.  A good example of this would be the ssh protocol as each connection requires a fairly significant quantity of system resources to maintain.
-As remote shell access is a fairly commonly offered service, and one which it is desirable to exert some level of control over, let's modify our firewall configuration script to only allow a maximum of two simultaneous ssh connections from any address.  This can be done by inserting a rule into our script as shown below.
-<code bash>
-iptables -A TCP-IN-REQ   -p tcp --dport ssh -m state --state NEW \
-   -m connlimit --connlimit-above 2 -j REJECT --reject-with icmp-admin-prohibited
-iptables -A TCP-IN-REQ   -p tcp --dport ssh -m state --state NEW         -j ACCEPT
-iptables -A TCP-IN-REQ   -p tcp --dport ssh -m state --state ESTABLISHED -j ACCEPT
-iptables -A TCP-OUT-RESP -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
-</code>