How to use iptables to rate-limit packet storms

Network Probes are part and parcel of being on the Internet, some of them are just “port probes”, some are more malicious, being a constant stream of attempts to login to a service, either way Linux provides a way to limit or ‘throttle’ the rate of these undesirable connections and TCP sessions to your servers, through the IP Tables ‘Limit’ module.

Here’s a quick list of iptables commands that you can load to restrict connections to (say) a POP3 Mail Server port and please contact us if you’d like more information or help with setting up some Rate Limiting on your Network Presence server (VPS or Colo).

1) Confirm your iptables has the ‘limit’ module available by getting it loaded to list its ‘help’ command list with:

iptables -m connlimit --help

If that errors, then you may not (yet) have the Connection Limit module installed to your iptables and please check your Linux distribution’s Repositories to install the module (it’s available for most Linux Distributions).

Do note that the following rules do also require the ‘Connection Tracking’ (conntrack) iptables module as well.

2) The methodology is to load limit logging and drop rules to the top of the INPUT chain, viz:

iptables -I INPUT 1 -p tcp -m tcp --dport 110 --syn -m connlimit --connlimit-above 3 -j LOG --log-prefix RATELIMIT_POP3
iptables -I INPUT 2 -p tcp -m tcp --dport 110 --syn -m connlimit --connlimit-above 3 -j DROP

The above will limit new connections to the POP3 server port (110) and over-rate connections will be logged with a ‘tag’ of “RATELIMIT_POP3” (so they can be easily identified) and then those new connection packets will be dropped.

If you’d like more information or help on loading IP Tables rules and rate limits, please feel free to contact us.

FYI and regards,
Richard.

This entry was posted in Network Presence and tagged , , . Bookmark the permalink.

One Response to How to use iptables to rate-limit packet storms

  1. richard says:

    Quick update is that some customers have found a –connlimit-above to be between 3 and 30 to work really well in the end for different protocols with this IPTables module.

    eg: 30 for active POP3 and IMAP based mail servers, but 3 for SSH..

    FYI,
    Richard.

Comments are closed.