Iptables tips and tricks

From LinuxReviews

Limiting the number of connections

If you are using SSH then you will sooner or later notice someone trying to hack into your box using dictionary attacks.

You can use the iptables module recent to enforce a minimum time between new connections from the same IP.

For this to work you need the following commonly used rule, which accepts packets belonging to connections that are already established (it is a normal rule in most firewalls):

 iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net)

Now, to set the limit:

 iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
 iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

These two rules make iptables require 15 seconds between new connections from the same IP to port 22 (the SSH port). Use ACCEPT instead if you are using a firewall that has its own rule for accepting SSH.
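The point that is easy to miss in the two rules above is that --update does two things: it matches when the source address was seen within the last 15 seconds, and it also refreshes the address's timestamp on every match. A client that keeps retrying every few seconds therefore never gets back in until it pauses for a full 15 seconds. The following Python simulation is an added example, not part of the original page and not iptables or kernel code; it walks a constructed list of connection attempts through the two rules in order. The addresses 203.0.113.7 and 198.51.100.4 and the timing of the attempts are constructed sample data, and the refresh_on_hit=False mode models the --rcheck option (match without refreshing), which the page does not use, purely for comparison.

```python
"""Simulate the page's two `-m recent` rules for new SSH connections.

Added example: illustrative Python, not iptables or kernel code.
"""

# --seconds value used by the page's rules
WINDOW_SECONDS = 15

# Constructed sample: (timestamp in seconds, source IP) of NEW TCP connections to port 22.
# 203.0.113.7 is a constructed dictionary attacker retrying every 6 seconds for a minute;
# 198.51.100.4 is a constructed legitimate admin who logs in twice, 42 seconds apart.
SAMPLE_ATTEMPTS = sorted(
    [(t, "203.0.113.7") for t in range(0, 61, 6)]
    + [(3, "198.51.100.4"), (45, "198.51.100.4")]
)


def apply_recent_rules(attempts, window=WINDOW_SECONDS, refresh_on_hit=True):
    """Walk connection attempts in time order through the page's two rules:

      rule 1: -m recent --update --seconds <window> -j DROP
      rule 2: -m recent --set -j ACCEPT

    `--update` matches when the source was seen within <window> seconds and,
    on a match, refreshes the entry's timestamp. refresh_on_hit=False models
    `--rcheck` (match without refreshing) for comparison; it is not on the page.
    Returns a list of (timestamp, ip, verdict).
    """
    last_seen = {}  # the xt_recent address list: ip -> timestamp of last update
    verdicts = []
    for now, ip in sorted(attempts):
        seen = last_seen.get(ip)
        if seen is not None and now - seen <= window:  # rule 1 matches
            if refresh_on_hit:
                last_seen[ip] = now  # --update: even a dropped attempt refreshes the entry
            verdicts.append((now, ip, "DROP"))
            continue
        last_seen[ip] = now  # rule 2: --set adds/refreshes the entry, then ACCEPT
        verdicts.append((now, ip, "ACCEPT"))
    return verdicts


def accepted_per_ip(verdicts):
    """Count ACCEPT verdicts per source IP."""
    counts = {}
    for _, ip, verdict in verdicts:
        if verdict == "ACCEPT":
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for mode, refresh in (("--update", True), ("--rcheck", False)):
        result = accepted_per_ip(apply_recent_rules(SAMPLE_ATTEMPTS, refresh_on_hit=refresh))
        print(f"{mode}: new connections accepted per IP -> {result}")
```

With --update the hammering client gets exactly one connection through in the whole minute while the admin's two logins both succeed; with --rcheck the same client would get a new attempt through every 18 seconds, because a dropped attempt does not push its timestamp forward. On a live system the addresses the recent module is tracking can be inspected in /proc/net/xt_recent/DEFAULT.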

Another way of limiting dictionary attacks is to rate-limit new connections with -m limit --limit <rate>, like this:

 iptables -A INPUT -p tcp --dport ssh -m limit --limit 3/minute --limit-burst 2 -j ACCEPT 

This rule sets a limit of 3 connections per minute, but the first two connections exhaust the limit-burst, so the rule effectively limits the connection attempt rate to 1/minute. Note that this rule only accepts packets that are within the limit; packets above it are not dropped by the rule itself but fall through to the rules that follow it (and ultimately to the chain's default policy), so it needs a DROP rule for port 22 after it unless your default policy is already DROP.
