6.7. Using nftables to limit the amount of connections

You can use nftables to limit the number of simultaneous connections a source address can hold open, or to block IP addresses that attempt to establish more than a given number of connections, so that a single source cannot consume too many system resources.

6.7.1. Limiting the number of connections using nftables

The ct count expression of nftables enables administrators to limit the number of tracked connections per key, for example per source address. The procedure describes a basic example of how to limit incoming SSH connections per IPv4 address.

Prerequisites

  • The base example_chain in example_table exists.

Procedure 6.19. Limiting the number of connections using nftables

  1. Add a rule that rejects further connections to the SSH port (22) from an IPv4 address that already has two tracked connections, so that each source address can hold at most two simultaneous SSH connections:
    # nft add rule ip example_table example_chain tcp dport ssh meter example_meter { ip saddr ct count over 2 } counter reject
  2. Optionally, display the meter created in the previous step:
    # nft list meter ip example_table example_meter
    table ip example_table {
      meter example_meter {
        type ipv4_addr
        size 65535
        elements = { 192.0.2.1 : ct count over 2 , 192.0.2.2 : ct count over 2  }
      }
    }
    The elements entry lists the source addresses that currently have connection tracking entries matching the rule, that is, addresses with active connections to the SSH port. The output does not show how many connections each address has or whether any connection was rejected. The counter statement in the rule records the number of rejected packets; display it with nft list chain ip example_table example_chain.

6.7.2. Blocking IP addresses that attempt more than ten new incoming TCP connections within one minute

The nftables framework enables administrators to dynamically update sets. This section explains how to use this feature to temporarily block hosts that establish more than ten new IPv4 TCP connections within one minute. Five minutes after an address was added, nftables automatically removes it from the deny list.

Procedure 6.20. Blocking IP addresses that attempt more than ten new incoming TCP connections within one minute

  1. Create the filter table with the ip address family:
    # nft add table ip filter
  2. Add the input chain to the filter table:
    # nft add chain ip filter input { type filter hook input priority 0 \; }
  3. Add a set named denylist to the filter table:
    # nft add set ip filter denylist { type ipv4_addr \; flags dynamic, timeout \; timeout 5m \; }
    This command creates a dynamic set of IPv4 addresses. The timeout 5m parameter makes nftables remove each entry from the set 5 minutes after it was added.
  4. Add a rule that adds the source IP address of a host to the denylist set when the rate of new TCP connections exceeds ten per minute:
    # nft add rule ip filter input ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
    Note that limit rate in this rule is a single token bucket shared by all sources, not a per-host limit: once more than ten new TCP connections per minute arrive in total, the source address of each further new connection is added to the set, including hosts that opened only one connection. To give each source address its own budget of ten new connections per minute, key the limit on ip saddr inside a meter, as the previous section does with ct count.
  5. Add a rule that drops all packets from IP addresses in the denylist set:
    # nft add rule ip filter input ip saddr @denylist drop
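The following is an added example, not code from the Red Hat page: a POSIX shell script that writes an nft -f loadable ruleset combining the per-source SSH connection limit of Section 6.7.1 with a per-source version of the denylist of Section 6.7.2, where the rate limit is keyed on ip saddr inside a meter instead of being one bucket shared by all sources. The table, set and chain names filter, denylist and input come from the page; the meter names ratemeter and sshlimit, the output path and the three shell functions are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): generate an nft -f loadable
# ruleset that combines the SSH connection limit of 6.7.1 with a per-source
# version of the denylist of 6.7.2. "filter", "denylist" and "input" are the
# names the page uses; "ratemeter", "sshlimit", the output path and the
# functions below are assumptions.

# Write the ruleset to the path given as $1.
write_denylist_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
# Constructed example ruleset. Declaring and then deleting the table makes the
# delete succeed whether or not the table already exists; it replaces any
# existing "ip filter" table, so adapt the name if that table is in use.
table ip filter
delete table ip filter
table ip filter {
    # Offenders stay listed for 5 minutes, then the entry expires on its own.
    set denylist {
        type ipv4_addr
        flags dynamic, timeout
        timeout 5m
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Listed sources are dropped before any counting, so their entries are
        # never touched again and expire 5 minutes after they were added.
        ip saddr @denylist counter drop

        # Per-source rate limit: the meter keys one token bucket on ip saddr,
        # so each source has its own budget of 10 new connections per minute.
        # A bare "limit rate over 10/minute" in the rule would instead be a
        # single bucket shared by every source.
        ip protocol tcp ct state new, untracked meter ratemeter { ip saddr limit rate over 10/minute } add @denylist { ip saddr }

        # Per-source connection count (6.7.1): reject the third and later
        # simultaneous SSH connections from one IPv4 address; the counter
        # records how many packets were rejected.
        tcp dport ssh meter sshlimit { ip saddr ct count over 2 } counter reject
    }
}
EOF
}

# Number of rules in the file whose limit is keyed on the source address.
# Prints the count; a rule with a shared (global) limit would not match.
count_per_source_limits() {
    grep -c 'meter [a-z]* { ip saddr limit rate over' "$1"
}

# Syntax-check against the kernel (nft -c) and load only if the check passes.
# Needs root and the nft binary; both are absent in many build sandboxes, so
# the function reports why it skipped instead of failing.
load_ruleset() {
    if ! command -v nft >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "nft missing or not root: skipping load of $1" >&2
        return 0
    fi
    nft -c -f "$1" && nft -f "$1"
}

# Usage:
#   write_denylist_ruleset /etc/nftables.d/denylist.nft
#   load_ruleset /etc/nftables.d/denylist.nft
#   nft list set ip filter denylist     # sources currently blocked
#   nft list chain ip filter input      # counters on the drop and reject rules
```

The drop rule is placed first so that a listed host never reaches the meter rules; its denylist entry is therefore not refreshed and expires exactly five minutes after it was added. The counters on the drop and reject rules are the only place the number of blocked packets is recorded, since neither nft list set nor nft list meter shows it.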

6.7.3. Additional resources