>*raw
>:PREROUTING ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>:limitban - [0:0]
>-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
>-A limitban -m set --match-set banned src -j DROP
>-A limitban -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip --hashlimit-name test10 -j SET --add-set banned src --timeout 900
>-A limitban -m hashlimit --hashlimit-above 80/min --hashlimit-mode srcip --hashlimit-name test80 -j SET --add-set banned src
>-A limitban -m set --match-set banned src -j DROP
>COMMIT
>
>For this ruleset to be loadable, you'll first need to create the ipset that it references.
>
># ipset create banned hash:ip timeout 1800

Regarding not mentioning the tables, I was using the *nat table for the PREROUTING and before that I tried to use the DROP rules on the *filter table, which was not dropping the traffic.

OK, so the ipset suggestion worked! The current setup that worked is putting the DROP rules on the *raw table PREROUTING and the SET rules on the *nat table PREROUTING. I also created one ipset for each use case.

Thank you very much for the help!

On Thu, Oct 31, 2024 at 11:54 AM Francisco Agostinho <f.agostinho123@xxxxxxxxx> wrote:
>
> >*raw
> >:PREROUTING ACCEPT [0:0]
> >:OUTPUT ACCEPT [0:0]
> >:limitban - [0:0]
> >-A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
> >-A limitban -m set --match-set banned src -j DROP
> >-A limitban -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip --hashlimit-name test10 -j SET --add-set banned src --timeout 900
> >-A limitban -m hashlimit --hashlimit-above 80/min --hashlimit-mode srcip --hashlimit-name test80 -j SET --add-set banned src
> >-A limitban -m set --match-set banned src -j DROP
> >COMMIT
> >
> >For this ruleset to be loadable, you'll first need to create the ipset that it references.
> >
> ># ipset create banned hash:ip timeout 1800
>
> Regarding not mentioning the tables, I was using the *nat table for the
> PREROUTING and before that I tried to use the DROP rules on the *filter
> table, which was not dropping the traffic.
>
> OK, so the ipset suggestion worked! The current setup that worked is
> putting the DROP rules on the *raw table PREROUTING and the SET rules
> on the *nat table PREROUTING. I also created one ipset for each use case.
>
> Thank you very much for the help!
>
> On Fri, Oct 25, 2024 at 7:14 PM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
> >
> > On Fri, 25 Oct 2024, at 4:19 PM, Francisco Agostinho wrote:
> > > Hello, I'm trying to implement rate limiting for my machine using
> > > iptables. The use case is to do 2 things:
> > >
> > > 1) block traffic from the same ip+port combination for 15 minutes if
> > > it gets more than 10 hits per minute.
> > >
> > > 2) block traffic from the same ip for 30 minutes if it gets more than
> > > 80 hits per minute.
> > >
> > > For this I'm currently using these rules:
> > >
> > > 1) -A PREROUTING -p tcp -m tcp -m state --state NEW -m hashlimit
> > > --hashlimit-above 10/minute --hashlimit-burst 10 --hashlimit-mode
> > > srcip,dstport --hashlimit-name test10 --hashlimit-htable-expire 900000
> > > -j ACCEPT
> > >
> > > 2) -A PREROUTING -p tcp -m tcp -m state --state NEW -m hashlimit
> > > --hashlimit-above 80/minute --hashlimit-burst 80 --hashlimit-mode
> > > srcip --hashlimit-name test80 --hashlimit-htable-expire 1800000 -j
> > > ACCEPT
> >
> > Why is --hashlimit-above being combined with a verdict of ACCEPT?
> >
> > >
> > > But it's not quite working, as soon as it gets on the list, if you get
> > > another hit the timer gets reset to the default expire time and it
> > > gets blocked on the first try even if after the expire. So are there
> > > any suggestions on how to achieve the use case or what I'm doing
> > > wrong?
> >
> > I would suggest disentangling all three of the following concerns:
> >
> > - determining whether a rate limit has been exceeded
> > - adding to a set of banned addresses (with attached timeout values)
> > - consulting the set to determine whether a given address has been banned
> >
> > To that end, consider taking advantage of ipsets. Below is a sample ruleset in iptables-save format.
> >
> > *raw
> > :PREROUTING ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :limitban - [0:0]
> > -A PREROUTING ! -i lo -p tcp -m conntrack --ctstate NEW -j limitban
> > -A limitban -m set --match-set banned src -j DROP
> > -A limitban -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip --hashlimit-name test10 -j SET --add-set banned src --timeout 900
> > -A limitban -m hashlimit --hashlimit-above 80/min --hashlimit-mode srcip --hashlimit-name test80 -j SET --add-set banned src
> > -A limitban -m set --match-set banned src -j DROP
> > COMMIT
> >
> > For this ruleset to be loadable, you'll first need to create the ipset that it references.
> >
> > # ipset create banned hash:ip timeout 1800
> >
> > --
> > Kerin Millar
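The following is an added model of the limitban chain posted in this thread, not code from the thread or from netfilter: it walks a sequence of NEW TCP packets through the chain rule by rule, with hashlimit's per-source token bucket (--hashlimit-above N/min, and the default --hashlimit-burst of 5 since the posted rules set none) and an ipset hash:ip with timeout, where re-adding an existing element without --exist leaves its timer alone. The source addresses are constructed; the model shows that a banned source is dropped by the first set match before the hashlimit rules can see it, and that because the 10/min rule fires first its 900 s timeout is the one a blasting source gets, which is why a separate set per use case (as the thread ends up doing) is needed for the 30-minute ban to take effect.

```python
# Added model of the thread's limitban chain (constructed, not the page's code).
from dataclasses import dataclass, field

@dataclass
class HashLimit:
    """One hashlimit match in --hashlimit-above mode, keyed on source IP."""
    rate_per_min: float
    burst: int = 5                              # hashlimit default --hashlimit-burst
    state: dict = field(default_factory=dict)  # src -> (credit, last_seen)

    def above(self, src, now):
        credit, last = self.state.get(src, (float(self.burst), now))
        credit = min(float(self.burst), credit + (now - last) * self.rate_per_min / 60)
        if credit >= 1:                         # under the limit: spend one token
            self.state[src] = (credit - 1, now)
            return False
        self.state[src] = (credit, now)         # bucket empty: "above" matches
        return True

@dataclass
class BanSet:
    """ipset create banned hash:ip timeout <default_timeout>."""
    default_timeout: int
    entries: dict = field(default_factory=dict)  # src -> expiry time (seconds)

    def contains(self, src, now):
        expiry = self.entries.get(src)
        if expiry is not None and expiry <= now:
            del self.entries[src]               # expired entry is gone
            return False
        return expiry is not None

    def add(self, src, now, timeout=None):
        if not self.contains(src, now):         # existing entry: timer is not refreshed
            self.entries[src] = now + (self.default_timeout if timeout is None else timeout)

class LimitBan:
    """The limitban chain from the thread; verdict() handles one NEW TCP packet."""
    def __init__(self):
        self.banned = BanSet(1800)              # ipset create banned hash:ip timeout 1800
        self.test10, self.test80 = HashLimit(10), HashLimit(80)

    def verdict(self, src, now):
        if self.banned.contains(src, now):      # -m set --match-set banned src -j DROP
            return "DROP"
        if self.test10.above(src, now):         # >10/min -> SET --add-set banned src --timeout 900
            self.banned.add(src, now, timeout=900)
        if self.test80.above(src, now):         # >80/min -> SET --add-set banned src (set default)
            self.banned.add(src, now)
        if self.banned.contains(src, now):      # second set match -> DROP
            return "DROP"
        return "ACCEPT"                         # falls through to the PREROUTING policy
```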