How to limit incoming network connections to a certain number per IP and port?

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux
  • iptables firewall (or firewalld)

Issue

  • How to limit incoming network connections to a certain number per IP and port?
  • We have a server application which we configure to accept “X” connections on a certain IP:port. We would like to know if there some kernel tunable which can be used to disallow any connections beyond the number that the application is willing to accept. This way the client application would know right away that it didn’t succeed in connecting to the server application.
  • We would like to ignore requests from any IP address exceeding 200 requests. The preferable solution would be to use the iptables command to define a policy to restrict the number of pending request on a port received from any single IP address.

Resolution

Use the iptables connlimit match.

For example, to restrict to 200 connections per source IP on port 389:

iptables -A INPUT -p tcp --syn --dport 389 -m connlimit --connlimit-above 200 -j DROP

Further examples are given on the manual pages man iptables-extensions (EL7 and later) or man iptables (EL6 and earlier).

The RHEL 7 manual gives examples as follows:

connlimit
  Allows you to restrict the number of parallel connections to a server per
  client IP address (or client address block).

  --connlimit-upto n
    Match if the number of existing connections is below or equal n.

  --connlimit-above n
    Match if the number of existing connections is above n.

  --connlimit-mask prefix_length
    Group hosts using the prefix length. For IPv4, this must be a number between
    (including) 0 and 32. For IPv6, between 0 and 128. If not specified, the
    maximum prefix length for the applicable protocol is used.

  --connlimit-saddr
    Apply the limit onto the source group. This is the default if
    --connlimit-daddr is not specified.

  --connlimit-daddr
    Apply the limit onto the destination group.

  Examples:

  # allow 2 telnet connections per client host
    iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

  # you can also match the other way around:
    iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT

  # limit the number of parallel HTTP requests to 16 per class C sized source network (24 bit netmask)
    iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

  # limit the number of parallel HTTP requests to 16 for the link local network
    (ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

  # Limit the number of connections to a particular host:
    ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit --connlimit-above 100 -j REJECT

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.