Setting up iptables for connection limit

[Virtual servers]
Date of publication: 27.01.2023

To protect the server and its services from flooding at the operating system level, you need to configure a firewall and set limits on the number of simultaneous connections. Below we look at limits for a few common services; by analogy, you can add rules for your own services by substituting the required ports.

ICMP

To protect against ICMP flood, add a limit on the number of pings per second:

-A INPUT -p icmp -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 4 --hashlimit-name icmp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

In this example, echo requests are accepted at a rate of up to 6 per second, with a burst of 4 allowed before the limit applies; echo requests (ICMP type 8) above that rate are dropped.

HTTP and HTTPS

These rules limit the number of simultaneous connections from a single source address. The number can be adjusted to suit your traffic; note that the value must be greater than the threshold used in the rules of the DDoS Deflate service.

-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 500 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 500 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

SSH

We recommend changing the default SSH port from 22 to another one, for example 3022. Because password-guessing attempts are so common, most of the connections made to a server are to the SSH service.

-A INPUT -p tcp -m tcp --dport 3022 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 5 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

If you have other services, such as mail, create rules in a similar way.
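The following script is an added example, not part of the original article: it generates the rules above as an iptables-restore fragment from a list of "port:limit" pairs, so new services can be added without retyping the rule by hand, and rejects malformed input rather than emitting a broken rule set. The function names, the "port:limit" argument format and the optional check via iptables-restore --test are assumptions of this example.

```shell
#!/bin/sh
# Added example: build an iptables-restore fragment with the ICMP hashlimit
# rules from the article and one per-source connlimit rule per TCP service.

# ICMP echo rate from the article: 6 per second sustained, burst of 4.
ICMP_RATE="6/sec"
ICMP_BURST=4

# Emit one connlimit rule for a TCP port: reject new SYNs from a single
# source address (/32) once it already holds more than $2 connections.
connlimit_rule() {
    echo "-A INPUT -p tcp -m tcp --dport $1 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above $2 --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
}

# Build the filter-table fragment, e.g.: gen_rules 80:500 443:500 3022:5
# Returns 1 (after reporting the bad argument) if a spec is not PORT:LIMIT.
gen_rules() {
    echo '*filter'
    echo "-A INPUT -p icmp -m hashlimit --hashlimit-upto $ICMP_RATE --hashlimit-burst $ICMP_BURST --hashlimit-name icmp -j ACCEPT"
    echo '-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP'
    for spec in "$@"; do
        port=${spec%%:*}
        limit=${spec#*:}
        case "$spec" in
            *:*) ;;
            *) echo "bad spec (expected PORT:LIMIT): $spec" >&2; return 1 ;;
        esac
        case "$port$limit" in
            *[!0-9]*) echo "bad spec (non-numeric): $spec" >&2; return 1 ;;
        esac
        connlimit_rule "$port" "$limit"
    done
    echo 'COMMIT'
}

# Optional syntax check, only where iptables-restore exists (needs root).
# --noflush keeps existing rules; --test parses without committing anything.
check_rules() {
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found, skipping" >&2; return 0; }
    gen_rules "$@" | iptables-restore --noflush --test
}
```

Write the output to a file and load it with `iptables-restore --noflush` after the check passes; the limits are the article's examples and should be tuned to your own traffic.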
