

iptables - set different limits for max connections per IP for different IP ranges




Posted by oc-colo, 08-19-2011, 01:46 AM
Hello, I have a custom firewall with iptables that limits the number of connections to port 80 and 443 per IP address, respectively to 10 and 4 connections. The current IP rules look like:

# limit 10 connection per second for port 80 and 4 connection per sec for port 443
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 10 -j DROP
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 1 --hitcount 4 -j DROP

Now I would like to do something more complex. I would like to keep these limits for particular IP ranges. They belong to Google and I would like to make sure Google will be able to crawl my website at a faster rate and not be blocked. The Google IP ranges are:

64.18.0.0/20
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
173.194.0.0/16
207.126.144.0/20
209.85.128.0/17
216.239.32.0/19

I will also include here the IP ranges of Yahoo and Bing. For all other IPs I would like to have these limits decreased to 3 (for port 80) and 2 (for port 443). I would also increase the locking time from 1 sec to 20 sec. So for all other users these rules will look like:

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 20 --hitcount 3 -j DROP
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 20 --hitcount 2 -j DROP

The idea is to have some protection against DDOS in the firewall. My question is: How can I implement this with iptables? I am willing to pay anyone who can consult me on how to do this.

Posted by almanox, 10-07-2011, 03:52 AM
iptables -N CRAWLERS
# list crawler networks here (rules are appended to the CRAWLERS chain; -t selects a table, not a chain)
iptables -A CRAWLERS -p tcp -s 64.18.0.0/20 --dport 80 -j RETURN
iptables -A CRAWLERS -p tcp -s 64.233.160.0/19 --dport 80 -j RETURN
# set --seconds 20 --hitcount 3 for all others
iptables -A CRAWLERS -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -A CRAWLERS -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 20 --hitcount 3 -j DROP
# here the CRAWLERS chain ends

You may also have a look at the ipt_iprange module to decrease the number of rules.

# filter out crawler networks
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j CRAWLERS
# Set --seconds 1 --hitcount 10 for crawler networks
iptables -A INPUT -p tcp -s 64.18.0.0/20 --dport 80 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -s 64.18.0.0/20 --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 10 -j DROP
iptables -A INPUT -p tcp -s 64.233.160.0/19 --dport 80 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -s 64.233.160.0/19 --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 10 -j DROP
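The following script is an added example written for this article; it is neither oc-colo's firewall nor almanox's answer. It generates the complete rule set that the question asks for (both ports, the loose limits for the listed crawler networks, the strict 20-second limits for everyone else) using the two-chain idea from the answer, but with one jump rule per network instead of two set/update rules per network, and with a named "recent" list per class so the crawler and non-crawler counters never share an entry. The chain names CRAWLERS and OTHERS, the list names (crawl80, other443, ...) and the IPT variable are this example's own choices; the networks are the ones given in the question.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates iptables rules that give
# known crawler networks a looser per-IP new-connection limit than everyone
# else, for ports 80 and 443.
#
# IPT is the command prefix used for every rule. The default "echo iptables"
# only prints the rules (dry run); run with IPT=iptables as root to apply them.
# Assumes the CRAWLERS and OTHERS chains do not exist yet.
IPT="${IPT:-echo iptables}"

# Crawler source networks, copied from the question (2011 list). Yahoo/Bing
# ranges would be appended here; the admin maintains this list by hand.
CRAWLER_NETS="64.18.0.0/20 64.233.160.0/19 66.102.0.0/20 66.249.80.0/20
72.14.192.0/18 74.125.0.0/16 173.194.0.0/16 207.126.144.0/20
209.85.128.0/17 216.239.32.0/19"

# emit_limit CHAIN PORT LISTNAME SECONDS HITCOUNT
# Two rules: --set records every new connection from the source address in
# the named list, then --update drops the connection once HITCOUNT new
# connections (counting this one) fall inside the SECONDS window. Because a
# matching --update also refreshes the timestamp, a client that keeps
# retrying stays blocked until it pauses for SECONDS.
emit_limit() {
    $IPT -A "$1" -p tcp --dport "$2" -m state --state NEW \
        -m recent --name "$3" --set
    $IPT -A "$1" -p tcp --dport "$2" -m state --state NEW \
        -m recent --name "$3" --update --seconds "$4" --hitcount "$5" -j DROP
}

build_rules() {
    $IPT -N CRAWLERS
    $IPT -N OTHERS

    # Loose limits for crawlers: 10 per 1 s on 80, 4 per 1 s on 443
    # (the original limits from the question).
    emit_limit CRAWLERS 80  crawl80  1 10
    emit_limit CRAWLERS 443 crawl443 1 4

    # Strict limits for everyone else: 3 per 20 s on 80, 2 per 20 s on 443.
    # Crawler networks leave the chain before any limit is applied.
    for net in $CRAWLER_NETS; do
        $IPT -A OTHERS -s "$net" -j RETURN
    done
    emit_limit OTHERS 80  other80  20 3
    emit_limit OTHERS 443 other443 20 2

    # Dispatch from INPUT: crawler networks enter CRAWLERS (one jump rule per
    # network), then every new web connection enters OTHERS. Both chains fall
    # back into INPUT, so the usual ACCEPT for 80/443 must come after these.
    for net in $CRAWLER_NETS; do
        $IPT -A INPUT -s "$net" -p tcp -m multiport --dports 80,443 \
            -m state --state NEW -j CRAWLERS
    done
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j OTHERS
}

# Running the file prints (or, with IPT=iptables, applies) the full rule set.
build_rules
```

Two caveats worth checking before applying this on a busy host: the xt_recent module keeps at most ip_list_tot addresses per list (100 by default) and ip_pkt_list_tot timestamps per address (20 by default), so a site with many concurrent clients needs the module loaded with a larger ip_list_tot or the per-IP entries will be recycled and the strict limit silently stops biting; and the crawler address list should be checked against the crawler operator's currently published ranges rather than trusted as a static allowlist, since any address in it gets the loose limit.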


