- Red Hat Enterprise Linux
- iptables firewall (or firewalld)
- How to limit incoming network connections to a certain number per IP and port?
- We have a server application which we configure to accept “X” connections on a certain IP:port. We would like to know if there some kernel tunable which can be used to disallow any connections beyond the number that the application is willing to accept. This way the client application would know right away that it didn’t succeed in connecting to the server application.
- We would like to ignore requests from any IP address exceeding 200 requests. The preferable solution would be to use the iptables command to define a policy to restrict the number of pending requests on a port received from any single IP address.
Use the iptables connlimit match, which limits the number of parallel connections to a port per client IP address (or per client address block).
For example, to restrict to 200 connections per source IP on port 389:
iptables -A INPUT -p tcp --syn --dport 389 -m connlimit --connlimit-above 200 -j DROP
Note that DROP silently discards the excess SYN packets, so the client will keep retransmitting until its connect() times out. If the client should fail immediately, as asked above, use -j REJECT (for example with --reject-with tcp-reset) instead of -j DROP.
Further examples are given in the manual pages: man iptables-extensions (EL7 and later) or man iptables (EL6 and earlier).
The RHEL 7 manual gives examples as follows:

connlimit
    Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).

    --connlimit-upto n
        Match if the number of existing connections is below or equal n.
    --connlimit-above n
        Match if the number of existing connections is above n.
    --connlimit-mask prefix_length
        Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128. If not specified, the maximum prefix length for the applicable protocol is used.
    --connlimit-saddr
        Apply the limit onto the source group. This is the default if --connlimit-daddr is not specified.
    --connlimit-daddr
        Apply the limit onto the destination group.

    Examples:

    # allow 2 telnet connections per client host
    iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

    # you can also match the other way around:
    iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT

    # limit the number of parallel HTTP requests to 16 per class C sized source network (24 bit netmask)
    iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

    # limit the number of parallel HTTP requests to 16 for the link local network (ipv6)
    ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

    # Limit the number of connections to a particular host:
    ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit --connlimit-above 100 -j REJECT
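As an added example that is not part of the Red Hat solution: a small bash script that installs the port 389 rule idempotently (checking with iptables -C before inserting), adds the ip6tables counterpart with the IPv6 prefix length, and uses REJECT with a TCP reset so the client sees the failure at once instead of retransmitting a dropped SYN. The extra 500-connection cap per /24 source block, the choice of REJECT and the helper names are assumptions for illustration, not from the article.

```bash
#!/bin/bash
# Added example (not from the Red Hat article): idempotently install
# per-source connlimit rules for port 389 and show the resulting chain.
set -eu

# Build the chain and rule specification for a connlimit rule.
#   $1 port, $2 connection limit, $3 prefix length (32 for IPv4 hosts,
#   128 for IPv6 hosts, 24 for a class-C sized block), $4 target.
# The default target is an assumption: REJECT with a TCP RST so the
# client fails immediately, unlike the article's DROP.
connlimit_rule() {
    local port="$1" limit="$2" mask="$3"
    local target="${4:-REJECT --reject-with tcp-reset}"
    printf 'INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -j %s' \
        "$port" "$limit" "$mask" "$target"
}

# Insert a rule only if it is not already present.  -C exits 0 when an
# identical rule exists, so re-running the script does not duplicate it.
#   $1 is the tool (iptables or ip6tables); the rest is chain + rule spec.
ensure_rule() {
    local tool="$1"; shift
    if "$tool" -C "$@" 2>/dev/null; then
        echo "already present: $tool $*"
    else
        "$tool" -I "$@"
        echo "installed: $tool $*"
    fi
}

main() {
    # Per-host limit of 200 from the article, for IPv4 and IPv6 clients.
    # Word splitting of the unquoted substitution turns the rule into
    # separate arguments, which is what iptables expects.
    ensure_rule iptables  $(connlimit_rule 389 200 32)
    ensure_rule ip6tables $(connlimit_rule 389 200 128)
    # Assumed additional cap: at most 500 connections from any /24 block.
    ensure_rule iptables  $(connlimit_rule 389 500 24)
    # The pkts/bytes counters on these rules show how often the limit hits.
    iptables -L INPUT -v -n --line-numbers
}

# Only touch the firewall when run as root with "apply"; sourcing the
# file or running it without the argument just defines the functions.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    main
fi
```

Run as root with ./connlimit.sh apply; a second run reports "already present" for every rule. To keep the rules across reboots on RHEL, save them with the distribution's iptables service or translate them into firewalld direct rules; the script itself only changes the running ruleset.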
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.