Leonardo Rodrigues Magalhães wrote:
Hello Guys,
I'm trying to modify my script firewalls for not allowing a LOT of
connections being established on a specific port in a very small period of
time. I know I could easily do this using a rule like:
iptables -A INPUT -p tcp --dport XX -m state --state NEW -m limit --limit
Y/s -j ACCEPT
Altough, with this rule, I would be globally limiting connections for
that specific port in Y connections per second. I would like to know if it's
possible building a rule that would allow, for example, 1 SYN packet per
second PER host. In this case, I wouldnt have a 'global' limit of SYN
packets. In fact, I would have a SYN limitation for EACH host.
Question: is it possible for building a rule like this ? Is there any
filter on patch-o-matic tree that would allow this kind of rule ?
Sincerily,
Leonardo Rodrigues
Soluções IP
iptables -A INPUT -i eth0 -p tcp --syn --dport XX -m iplimit -iplimit-above 10 -j DROP
