Below is an example set of iptables rules that uses the recent match to limit how many new TCP connections a single source may open to port 25 (SMTP), logging and dropping the excess:
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -s ! 1.2.3.0/24 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j LOG --log-prefix "rate-limit-drop "
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -s ! 1.2.3.0/24 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 5 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -s ! 1.2.3.0/24 -m state --state NEW -m recent --set
On RedHat-like systems add these lines to /etc/sysconfig/iptables just above the -A INPUT -j RH-Firewall-1-INPUT line and run service iptables reload (or restart if your init script has no reload target). They have to sit before whatever rule accepts port 25, otherwise they are never consulted. When you run iptables -L -v -n you should see the new rules at the top of the INPUT chain; the packet counters on the LOG and DROP rules show whether anyone is actually being limited.
-s ! 1.2.3.0/24 prevents our own company network from being blocked. 1.2.3.0/24 is an example address; it can be an internal or an external (public) network. You can remove this clause if you don't need it. Note that -s ! ... is the old intrapositioned form of negation; newer iptables versions print a deprecation warning for it and expect ! -s 1.2.3.0/24 instead.
--seconds 60 --hitcount 5 allows a client to make only 5 new TCP connections within any 60-second window: the check runs before --set, so attempts one to five pass and the sixth is logged and dropped. Because the LOG rule uses --update rather than --rcheck, every dropped attempt is recorded as well, so a client that keeps retrying stays blocked until fewer than 5 of its recorded attempts fall inside the last 60 seconds. --hitcount cannot exceed the module's ip_pkt_list_tot parameter (20 timestamps per address by default). The table itself can be inspected in /proc/net/xt_recent/DEFAULT (/proc/net/ipt_recent/DEFAULT on older kernels), and writing -<address> to that file removes an entry by hand.
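To see how the three rules interact, here is an added example (not code from the original post) that models the recent match's --set, --rcheck and --update semantics in Python and replays constructed traffic through the chain in rule order. It assumes the module default of 20 stored timestamps per address (ip_pkt_list_tot), treats every event as a NEW connection to port 25, and uses made-up addresses (198.51.100.7, 203.0.113.9 and 1.2.3.45).

```python
"""Offline model of the post's three-rule SMTP rate limit.

Added example, not code from the original post.  It reproduces the
xt_recent semantics of --set, --rcheck and --update (with --seconds and
--hitcount) and replays constructed connection attempts through the
chain in the order the rules appear: LOG, DROP, set.  Assumptions: the
module default of 20 stored timestamps per address (ip_pkt_list_tot),
every event is a NEW connection to port 25, and all addresses are made up.
"""
import ipaddress
from collections import defaultdict, deque

WHITELIST = ipaddress.ip_network("1.2.3.0/24")  # the post's -s ! 1.2.3.0/24
SECONDS, HITCOUNT = 60, 5                        # --seconds 60 --hitcount 5
LIST_TOT = 20                                    # ip_pkt_list_tot default


class RecentList:
    """One recent table: a ring of the last LIST_TOT timestamps per address."""

    def __init__(self, max_stamps=LIST_TOT):
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src, now):
        # --set: create the entry if needed and record a timestamp; always matches
        self.stamps[src].append(now)
        return True

    def hits(self, src, now, seconds):
        # Number of recorded timestamps for src that fall inside the window
        if src not in self.stamps:
            return 0
        return sum(1 for t in self.stamps[src] if now - t <= seconds)

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck: match when src has at least hitcount stamps in the window
        return self.hits(src, now, seconds) >= hitcount

    def update(self, src, now, seconds, hitcount):
        # --update: same test as --rcheck, but a match also records this packet
        if self.rcheck(src, now, seconds, hitcount):
            self.stamps[src].append(now)
            return True
        return False


def run_chain(events, log_rule="update"):
    """Replay (time, src) NEW connections through the three rules.

    log_rule is 'update' as in the post, or 'rcheck' to show the difference.
    Returns the per-event verdict ('PASS' = falls through to the rest of
    INPUT, 'DROP') and the lines the LOG rule would have produced.
    """
    table = RecentList()
    verdicts, logged = [], []
    for now, src in events:
        if ipaddress.ip_address(src) in WHITELIST:  # -s ! 1.2.3.0/24
            verdicts.append("PASS")
            continue
        # Rule 1: -m recent --update ... -j LOG  (LOG does not end traversal)
        check = table.update if log_rule == "update" else table.rcheck
        if check(src, now, SECONDS, HITCOUNT):
            logged.append(f"rate-limit-drop SRC={src} t={now}")
        # Rule 2: -m recent --rcheck ... -j DROP
        if table.rcheck(src, now, SECONDS, HITCOUNT):
            verdicts.append("DROP")
            continue
        # Rule 3: -m recent --set  (only reached by packets that were not dropped)
        table.set(src, now)
        verdicts.append("PASS")
    return verdicts, logged


def summarize(events, log_rule="update"):
    """(passed, dropped, logged) counts for a traffic sample."""
    verdicts, logged = run_chain(events, log_rule)
    return verdicts.count("PASS"), verdicts.count("DROP"), len(logged)


# Constructed traffic samples (times in seconds, addresses made up).
HAMMER = [(t, "198.51.100.7") for t in range(70)]          # one attempt per second
POLITE = [(t, "203.0.113.9") for t in range(5)] + [(70, "203.0.113.9")]
OFFICE = [(t, "1.2.3.45") for t in range(20)]              # inside the whitelist

if __name__ == "__main__":
    for name, sample in (("hammer", HAMMER), ("polite", POLITE), ("office", OFFICE)):
        print(f"{name:7s} --update {summarize(sample)}  --rcheck {summarize(sample, 'rcheck')}")
```

The comparison between --update and --rcheck in the LOG rule is the instructive part: with --rcheck, the hammering client gets another five connections through from second 61 on, because nothing refreshed its timestamps while it was being dropped; with --update, as in the post, every dropped attempt is recorded and the block persists for as long as the client keeps trying. The polite client and the whitelisted office address are never limited.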
More documentation:
- man iptables
- http://snowman.net/projects/ipt_recent/