  1. #1 (joined October 2010, Mexico, 8 posts)

    Limit connections per IP with IPTables

    Some people have been messing with the complaint system of the server, connecting many IDs and making complaints to ban users. I don't want to remove the system, but to limit the number of connections per IP.

    Could anyone help me to limit connections per IP with IPTables on Ubuntu?

    I've been trying with
    Code:
    iptables -A INPUT -p udp --dport 8778 -m connlimit --connlimit-above 2 -j REJECT --reject-with icmp-net-unreach -i eth0
    and many other variants of this command, but it's not working...

  2. #2 (joined September 2013, 3 posts)
    Code:
    # REJECT is only valid in the filter table, so the rule goes there (no -t mangle)
    iptables -A INPUT -p udp -m udp --dport 8778 -m connlimit --connlimit-above 2 -j REJECT

    or

    Code:
    # -I puts the rule at the top of INPUT so an earlier ACCEPT cannot shadow it
    iptables -I INPUT -p udp -m udp --dport 8778 -m connlimit --connlimit-above 2 -j REJECT

    Ok.

  3. #3 (joined June 2012, 2 posts)
    Quote Originally Posted by tapsin:
    Code:
    # REJECT is only valid in the filter table, so the rule goes there (no -t mangle)
    iptables -A INPUT -p udp -m udp --dport 8778 -m connlimit --connlimit-above 2 -j REJECT

    or

    Code:
    # -I puts the rule at the top of INPUT so an earlier ACCEPT cannot shadow it
    iptables -I INPUT -p udp -m udp --dport 8778 -m connlimit --connlimit-above 2 -j REJECT

    Ok.
    User Datagram Protocol (UDP) is a connectionless protocol.

  4. #4 (joined February 2012, Germany, 571 posts)
    Well, amplification of the letters does not prove the validity of a comment.

    In fact, iptables internally treats a UDP packet exchange as a connection. If the kernel detects a UDP packet from a source tuple (IP address, port) to a destination tuple (IP address, port), it internally starts what it calls a "new" connection. If a packet then goes back from the destination tuple to the source tuple, it declares the UDP connection "established". Both states can be tracked by netfilter/iptables. This functionality is required to make NAT and port forwarding work.

    The OP doesn't seem to care about his thread any more, but his iptables command seems valid and should work if the connlimit module is available (on many hosted VPSs it is not). The thread is 2 years old; maybe it was made to work by recent updates of iptables, however. Or the rule was not entered in the proper location of the rule chain, which we cannot say unless we see the complete ruleset.

    Here is what the connection tracking module of netfilter knows about my 2 connections to my Teamspeak server, which I opened in 2 tabs in parallel:
    Code:
    $ cat /proc/net/nf_conntrack | grep udp
    ipv4     2 udp      17 179 src=xxx.yyy.142.88 dst=aaa.bbb.15.193 sport=55057 dport=9999 src=aaa.bbb.15.193 dst=xxx.yyy.142.88 sport=9999 dport=55057 [ASSURED] mark=0 secmark=0 use=2
    ipv4     2 udp      17 179 src=xxx.yyy.142.88 dst=aaa.bbb.15.193 sport=52525 dport=9999 src=aaa.bbb.15.193 dst=xxx.yyy.142.88 sport=9999 dport=52525 [ASSURED] mark=0 secmark=0 use=2
    If I open a third connection in a third tab, a third entry is added to the /proc/net/nf_conntrack list.
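The conntrack listing in the post above is exactly what the connlimit match in the OP's rule counts. As an added example that is not part of this thread, the Python script below parses `/proc/net/nf_conntrack` text, groups the UDP flows to a given destination port by source address (or by prefix, mirroring connlimit's `--connlimit-mask` option), and reports which sources a `--connlimit-above 2` rule would start rejecting. The conntrack sample is constructed: the first two lines follow the format shown in the post with documentation addresses substituted for the masked ones, and the remaining lines (three half-open flows from one client to port 8778, one replied flow from a second client, one TCP entry) are made up to exercise the counting. The function names and the `SAMPLE_CONNTRACK` constant are this example's own.

```python
"""Count tracked flows per source the way iptables' connlimit match does.

Added example (not from the forum thread). Reads /proc/net/nf_conntrack text,
groups entries for one destination port by source address, and shows which
source the OP's rule
    iptables -A INPUT -p udp --dport 8778 -m connlimit --connlimit-above 2 -j REJECT
would begin to reject. connlimit fires on the packet that would push a
source's flow count above N, so at most N flows per source survive.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of /proc/net/nf_conntrack (documentation addresses).
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 179 src=203.0.113.88 dst=198.51.100.193 sport=55057 dport=9999 src=198.51.100.193 dst=203.0.113.88 sport=9999 dport=55057 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 179 src=203.0.113.88 dst=198.51.100.193 sport=52525 dport=9999 src=198.51.100.193 dst=203.0.113.88 sport=9999 dport=52525 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 29 src=203.0.113.88 dst=198.51.100.193 sport=40001 dport=8778 [UNREPLIED] src=198.51.100.193 dst=203.0.113.88 sport=8778 dport=40001 mark=0 secmark=0 use=2
ipv4     2 udp      17 29 src=203.0.113.88 dst=198.51.100.193 sport=40002 dport=8778 [UNREPLIED] src=198.51.100.193 dst=203.0.113.88 sport=8778 dport=40002 mark=0 secmark=0 use=2
ipv4     2 udp      17 29 src=203.0.113.88 dst=198.51.100.193 sport=40003 dport=8778 [UNREPLIED] src=198.51.100.193 dst=203.0.113.88 sport=8778 dport=40003 mark=0 secmark=0 use=2
ipv4     2 udp      17 170 src=203.0.113.89 dst=198.51.100.193 sport=6000 dport=8778 src=198.51.100.193 dst=203.0.113.89 sport=8778 dport=6000 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.88 dst=198.51.100.193 sport=51000 dport=22 src=198.51.100.193 dst=203.0.113.88 sport=22 dport=51000 [ASSURED] mark=0 secmark=0 use=2
"""

# Family, l3 number, l4 name, l4 number, timeout, optional TCP state, then the
# original-direction tuple. The reply tuple later on the line is not needed.
CONNTRACK_ENTRY = re.compile(
    r"^ipv[46]\s+\d+\s+(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:[A-Z_]+\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Return one dict per entry, keyed on the original direction's tuple."""
    entries = []
    for line in text.splitlines():
        m = CONNTRACK_ENTRY.match(line)
        if not m:
            continue  # blank line, or an l4 protocol without ports (e.g. icmp)
        e = m.groupdict()
        for k in ("timeout", "sport", "dport"):
            e[k] = int(e[k])
        # UDP entries stay UNREPLIED until the server answers once; only then
        # does conntrack consider the "connection" established.
        e["unreplied"] = "[UNREPLIED]" in line
        entries.append(e)
    return entries


def flows_per_source(entries, dport, proto="udp", mask=32):
    """Count tracked flows to dport per source prefix (mask=32 is connlimit's default)."""
    counts = Counter()
    for e in entries:
        if e["proto"] != proto or e["dport"] != dport:
            continue
        net = ipaddress.ip_network("%s/%d" % (e["src"], mask), strict=False)
        counts[str(net)] += 1
    return counts


def would_reject(entries, src, dport, above, proto="udp", mask=32):
    """True if a packet from src opening a NEW flow to dport would match --connlimit-above N.

    connlimit counts the existing matching conntrack entries plus the flow the
    packet itself belongs to, and matches when that total exceeds N.
    """
    net = str(ipaddress.ip_network("%s/%d" % (src, mask), strict=False))
    existing = flows_per_source(entries, dport, proto, mask).get(net, 0)
    return existing + 1 > above


def sources_at_limit(entries, dport, above, proto="udp", mask=32):
    """Sources already holding N flows: their next new flow would be rejected."""
    counts = flows_per_source(entries, dport, proto, mask)
    return sorted(net for net, c in counts.items() if c >= above)


if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE_CONNTRACK)
    for net, c in sorted(flows_per_source(entries, 8778).items()):
        print("%-20s %d UDP flow(s) to 8778" % (net, c))
    print("at --connlimit-above 2:", sources_at_limit(entries, 8778, 2))
    print("new flow from 203.0.113.89 rejected (per /32)?", would_reject(entries, "203.0.113.89", 8778, 2))
    print("new flow from 203.0.113.89 rejected (per /24)?", would_reject(entries, "203.0.113.89", 8778, 2, mask=24))
```

Run it as `python3 connlimit_count.py`, or feed it the real table with `parse_conntrack(open("/proc/net/nf_conntrack").read())` (root required). The `/24` case shows the trade-off the OP faces: a per-address limit is trivially dodged from several hosts, while a prefix-wide limit with `--connlimit-mask 24` also throttles honest players behind the same provider.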
