[NTLUG:Discuss] rate-limiting connections

Richard ntlug at rain4us.net
Mon Feb 8 12:43:09 CST 2010


There are many documents out there that I've found that discuss 
rate-limiting new connections to a specific port. I thought I understood 
how to do it but in the examples I've seen, there was never an eventual 
accept. Take the following two rules, for example.


# Begin counting connections for rate limiting
-A INPUT -p tcp -m tcp -d 1.2.3.4 --dport 22 -m state --state NEW -m recent --set
# Drop new connections that have exceeded the limit
-A INPUT -p tcp -m tcp -d 1.2.3.4 --dport 22 -m state --state NEW -m recent --update --seconds=190 --hitcount=5 -j DROP

In the first rule, we are adding to chain INPUT a rule to match packets 
where port = tcp and destinationIP = 1.2.3.4 and destination port = 22.  
We are also matching on table state where state = new, and we are 
matching on table recent where we will begin counting connections from 
this IP via --set.   Now, there are no accepts or denies in this first 
rule. The only function is to begin counting packets, is that correct?

On to the second rule...
This rule is added to the INPUT chain and matches tcp packets 
destined for IP 1.2.3.4 where the destination port = 22.  It also 
matches packets where table state = new and where packets from this IP 
address are not in table recent more than 5 times over the past 190 
seconds.

Without entering a discussion about the limit setting of 5 times over 
190 seconds (as that is not the issue) where is it in the above two 
rules that packets are accepted?  Shouldn't a third rule be made to 
accept the packets?  If so, how should that rule be made so that it does 
not invalidate the packet counting? 

The reason I ask is because it seems like not having an accept rule 
means that no one can connect and adding a rule (like the following one) 
below the first two breaks the protection of the rate limiting.

# Accept ssh logon packets that haven't yet been dropped
-A INPUT -p tcp -m tcp -m state -d 1.2.3.4 --dport 22 --state NEW -m recent --update -j ACCEPT

Could it possibly be that the recent table should not be referenced here?

-- 
Richard
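The behaviour the post is asking about can be traced with a small model of the `recent` match. The following is an added illustration, not code from the post or from netfilter; it is a constructed Python model of how I read the kernel's xt_recent module: `--set` records one hit for the source address and always matches, while `--update` matches if the address is listed with at least `--hitcount` hits inside the `--seconds` window (hitcount 0 meaning "any listed address") and, when it matches, records a fresh hit of its own. The source address 10.0.0.5, the ten-second spacing and the rule-function names are all constructed for the example.

```python
"""Toy model of iptables' xt_recent match, used to trace what the three
rules from the post do to a burst of NEW SSH connections from one source.
Constructed illustration; the semantics follow my reading of xt_recent."""
from collections import defaultdict


class RecentTable:
    """Per-source list of hit timestamps, like one xt_recent table."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: create or refresh the entry, record a hit, always match.
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds=0, hitcount=0):
        # --update: only listed addresses can match; count hits inside the
        # window; hitcount=0 means any unexpired hit is enough.  On a match
        # the kernel appends a new timestamp, so a matching --update counts
        # as one more hit (assumption drawn from xt_recent's update path).
        if src not in self.stamps:
            return False
        in_window = [t for t in self.stamps[src]
                     if not seconds or now - t <= seconds]
        matched = len(in_window) >= hitcount if hitcount else bool(in_window)
        if matched:
            self.stamps[src].append(now)
        return matched


# Each rule takes (table, src, now) and returns a verdict or None (no -j,
# or the match failed, so traversal continues with the next rule).

def rule_set(table, src, now):
    table.set(src, now)          # rule 1 from the post: start counting
    return None


def rule_drop(table, src, now):  # rule 2 from the post
    if table.update(src, now, seconds=190, hitcount=5):
        return "DROP"
    return None


def rule_accept_with_update(table, src, now):
    # The third rule from the post: -m recent --update -j ACCEPT.
    if table.update(src, now):
        return "ACCEPT"
    return None


def rule_accept_plain(table, src, now):
    # Same accept rule without referencing the recent table at all.
    return "ACCEPT"


def run_chain(rules, table, src, now):
    """Walk the rules for one NEW tcp/22 packet and return its verdict."""
    for rule in rules:
        verdict = rule(table, src, now)
        if verdict is not None:
            return verdict
    return "POLICY"   # fell off the end: the chain's default policy decides


def simulate(rules, attempts=6, interval=10):
    """Verdicts for `attempts` NEW connections from one constructed source
    (10.0.0.5), `interval` seconds apart, against a fresh recent table."""
    table = RecentTable()
    return [run_chain(rules, table, "10.0.0.5", i * interval)
            for i in range(attempts)]


TWO_RULES_ONLY = [rule_set, rule_drop]
WITH_UPDATE_ACCEPT = [rule_set, rule_drop, rule_accept_with_update]
WITH_PLAIN_ACCEPT = [rule_set, rule_drop, rule_accept_plain]

if __name__ == "__main__":
    for name, rules in [("two rules only", TWO_RULES_ONLY),
                        ("accept via --update", WITH_UPDATE_ACCEPT),
                        ("plain accept", WITH_PLAIN_ACCEPT)]:
        print(f"{name:20s} {simulate(rules)}")
```

Running it shows why the counting appears to break: with the `--update -j ACCEPT` rule every accepted connection is stamped twice (once by `--set`, once by the matching `--update`), so the hitcount of 5 is reached on the third connection instead of the fifth; an accept rule that leaves the `recent` table alone keeps the limit at five hits per 190 seconds, and with only the first two rules the surviving packets simply fall through to the chain's default policy.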