Archive for the tag 'iptables'

Using iptables to rate limit incoming connections

We all know various ways of blocking dictionary attacks that come in over ssh, such as disabling direct root login, moving off the default port 22, etc. Besides these, we can also make use of iptables in a smarter way to achieve the same result. Let's see how to accomplish this.

We make use of the recent module, which adds IP addresses to a list that later connection attempts can then be tested against. Let's make things clear using an example. Consider the following two iptables commands.

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Here the --set parameter in the first line makes sure that the IP address of the host which initiated the connection is added to the "recent list", where it will be tested again by the second rule.

It's in the second rule that the actual magic happens.

The --update flag tests whether the IP address is in the list of recent connections; in our case each new connection on port 22 will be in the list because we used the --set flag to add it in the preceding rule.

The --seconds flag makes sure that only connection attempts seen within the given time frame are counted towards the match.

The --hitcount flag works in a similar way, matching only if the number of connection attempts counted is greater than or equal to the number given.

So in total, the result of the above commands is to DROP a new connection from an IP address that has previously been added to the list and has sent 4 or more new-connection packets in the past 60 seconds.

We can change the connection limit by modifying the hit count.
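The two rules above as an installable shell function, followed by a checker that applies the same --seconds/--hitcount test to entries of the recent list, so you can see which hosts the DROP rule would currently match. This is an added example, not code from the original post. It assumes the layout of /proc/net/xt_recent/DEFAULT is `src=IP ttl: N last_seen: JIFFIES oldest_pkt: IDX JIFFIES, JIFFIES, ...` (timestamps in jiffies) and takes the kernel's HZ as a parameter; the sample list, the "current" jiffies value and HZ=250 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Install the post's two rules. Both use -I, so the DROP rule (inserted
# second) ends up ahead of the --set rule in the chain. Needs root and a
# kernel with xt_recent; the demo below never calls this.
install_ssh_recent_rules() {
    iface=${1:-eth0}
    iptables -I INPUT -p tcp --dport 22 -i "$iface" -m state --state NEW \
        -m recent --set
    iptables -I INPUT -p tcp --dport 22 -i "$iface" -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 4 -j DROP
}

# Constructed sample in the assumed layout of /proc/net/xt_recent/DEFAULT:
#   src=IP ttl: N last_seen: JIFFIES oldest_pkt: IDX JIFFIES, JIFFIES, ...
# Timestamps are jiffies; with HZ=250 (assumed here), 60 s is 15000 jiffies.
SAMPLE_RECENT='src=203.0.113.10 ttl: 64 last_seen: 120000 oldest_pkt: 4 108000, 112000, 116000, 120000
src=198.51.100.7 ttl: 64 last_seen: 119500 oldest_pkt: 2 90000, 119500
src=192.0.2.44 ttl: 64 last_seen: 60000 oldest_pkt: 4 40000, 45000, 50000, 60000'

# would_drop NOW_JIFFIES SECONDS HITCOUNT HZ  < recent-list
# Prints every src the DROP rule would match right now: at least HITCOUNT
# timestamps that fall within the last SECONDS seconds, which is the check
# xt_recent performs for "--update --seconds N --hitcount M".
would_drop() {
    awk -v now="$1" -v seconds="$2" -v hitcount="$3" -v hz="$4" '
        {
            src = substr($1, 5)            # drop the "src=" prefix
            window = now - seconds * hz    # oldest jiffies value still counted
            hits = 0
            for (i = 8; i <= NF; i++) {    # timestamps start at field 8
                stamp = $i
                sub(/,$/, "", stamp)
                if (stamp + 0 >= window) hits++
            }
            if (hits >= hitcount) print src
        }'
}

# Demo: at jiffies 120000 only the first host has 4 hits inside 60 s.
printf '%s\n' "$SAMPLE_RECENT" | would_drop 120000 60 4 250
```

On a live system feed the checker the real list (`cat /proc/net/xt_recent/DEFAULT`) together with the kernel's HZ (CONFIG_HZ in the kernel config); reading that file directly is also the quickest way to confirm that the --set rule is actually recording the hosts you expect.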

SBDavid

How to redirect port using IPTABLES

You can redirect a port in iptables using the PREROUTING chain of the nat table.

The following commands redirect traffic arriving on port 8080 to port 80.

$ /sbin/iptables -t nat -I PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80
$ /etc/init.d/iptables save
$ /etc/init.d/iptables restart

You can change the ports in the above command according to your need.
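A small wrapper around the redirect command above that validates both port numbers and only adds the rule if it is not already present, so re-running it does not stack duplicate rules. This is an added example, not code from the original post; the function names `valid_port` and `redirect_port` are mine, and the rule check relies on the `-C` option of iptables (available since iptables 1.4.11).

```shell
#!/bin/sh
# Added example, not from the original post.

# valid_port N: succeed only for an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_port FROM TO: insert the nat PREROUTING REDIRECT rule once.
# Both ports are validated first; -C asks iptables whether an identical
# rule already exists, and the rule is only inserted when it does not.
# Inserting the rule needs root.
redirect_port() {
    from=$1
    to=$2
    valid_port "$from" || { echo "bad source port: $from" >&2; return 2; }
    valid_port "$to"   || { echo "bad target port: $to" >&2; return 2; }
    [ "$from" != "$to" ] || { echo "ports must differ" >&2; return 2; }
    if iptables -t nat -C PREROUTING -p tcp --dport "$from" \
            -j REDIRECT --to-port "$to" 2>/dev/null; then
        echo "redirect $from -> $to already present"
        return 0
    fi
    iptables -t nat -I PREROUTING -p tcp --dport "$from" \
        -j REDIRECT --to-port "$to"
}
```

Usage: `redirect_port 8080 80`, then save the ruleset as in the post. Note that PREROUTING only sees packets arriving from other hosts; a connection made from the machine itself to its own port 8080 goes through the OUTPUT chain instead and will not be redirected, so test from a second host rather than with a local client.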

Enable IPTABLES support in Linux Kernel

You need to recompile the kernel to enable IPTABLES support. These are the steps to enable IPTABLES support during kernel recompilation.

Get into the kernel source directory:

# cd /usr/local/src/kernel
# make menuconfig

Select the following option (not as a loadable module):

Networking >> Networking options >> Network packet filtering (replaces ipchains) >> Core Netfilter Configuration >> Netfilter Xtables support (required for ip_tables), and select all of the following options as modules:

Networking >> Networking options >> Network packet filtering (replaces ipchains) >> IP: Netfilter Configuration >> IP Tables support

# make
# make modules
# make modules_install
# make install
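A check for the resulting kernel configuration, run before building (against the .config menuconfig wrote) or afterwards (against /proc/config.gz or /boot/config-*), confirming that the options selected above are set the way the post requires: Netfilter on, Xtables built in, ip_tables built in or as a module. This is an added example, not code from the original post; the function name `check_iptables_config` is mine and the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample: what a .config looks like after the selections above
# (Xtables built in, ip_tables as a module).
GOOD_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=m'

# Constructed sample with Xtables as a module, which the post says not to do.
WEAK_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_NF_IPTABLES=m'

# cfg_has REGEX: true when some whole line of $cfg matches REGEX.
cfg_has() {
    printf '%s\n' "$cfg" | grep -Eqx "$1"
}

# check_iptables_config < .config
# Succeeds when the configuration on stdin enables Netfilter, builds Xtables
# in (=y) and has ip_tables built in or as a module (=y or =m). The first
# missing option is reported on stderr.
check_iptables_config() {
    cfg=$(cat)
    cfg_has 'CONFIG_NETFILTER=y' \
        || { echo "CONFIG_NETFILTER is not enabled" >&2; return 1; }
    cfg_has 'CONFIG_NETFILTER_XTABLES=y' \
        || { echo "CONFIG_NETFILTER_XTABLES must be built in (=y)" >&2; return 1; }
    cfg_has 'CONFIG_IP_NF_IPTABLES=(y|m)' \
        || { echo "CONFIG_IP_NF_IPTABLES is not enabled" >&2; return 1; }
}

# Demo on the constructed samples.
printf '%s\n' "$GOOD_CONFIG" | check_iptables_config && echo "good config: ok"
printf '%s\n' "$WEAK_CONFIG" | check_iptables_config || echo "weak config: rejected"
```

Against a running kernel use `zcat /proc/config.gz | check_iptables_config` or `check_iptables_config < /boot/config-$(uname -r)`, whichever your distribution provides; after `make modules_install` and a reboot, `modprobe ip_tables` followed by `lsmod | grep ip_tables` confirms the module actually loads.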
SBDavid

iptables limit module

Using the iptables limit module to limit the number of new connections to the ssh port to 3 per minute.

iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --syn -j DROP

The first line will accept new connections on port 22 provided that the IP address hasn't made more than 3 connection attempts in the last minute. If more than 3 connection attempts have been made within the last minute, then the second line will DROP the connection.
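To show what --limit 1/m --limit-burst 3 actually does, here is a model of the limit match's token bucket run over a constructed series of SYN arrival times. This is an added example, not code from the original post; it reproduces the behaviour of the limit match (a bucket of BURST tokens, refilled at one token per period, one token spent per accepted packet) rather than calling iptables, and the function name `simulate_limit` and the arrival times are mine. One caveat a practitioner should know: the limit match keeps a single bucket per rule, shared by all source addresses, so this pair of rules caps the total rate of new ssh connections reaching the host rather than the rate per client; per-address limiting is what the recent-module recipe earlier on this page provides (the hashlimit match with --hashlimit-mode srcip is the other option).

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed SYN arrival times in seconds, one per line (think of the
# timestamps of the NEW-connection log lines for port 22).
SYN_TIMES='0
1
2
3
4
70
130'

# simulate_limit PERIOD_SECONDS BURST < times
# Token-bucket model of "-m limit --limit 1/PERIOD --limit-burst BURST":
# the bucket starts full with BURST tokens, gains one token per PERIOD
# seconds (never exceeding BURST), and each accepted packet spends one.
# Prints "TIME ACCEPT" or "TIME DROP" for every input line.
simulate_limit() {
    awk -v period="$1" -v burst="$2" '
        BEGIN { cap = period * burst; credit = cap; last = 0 }
        {
            t = $1 + 0
            credit += t - last             # refill by elapsed time
            if (credit > cap) credit = cap # burst is the ceiling
            last = t
            if (credit >= period) { credit -= period; v = "ACCEPT" }
            else v = "DROP"
            printf "%s %s\n", t, v
        }'
}

# Demo: the first three SYNs pass on the burst, the next two are dropped,
# then one more is admitted per minute.
printf '%s\n' "$SYN_TIMES" | simulate_limit 60 3
```

Running the demo shows that "3 per minute" is really "3 up front, then 1 per minute": the burst of 3 is consumed by the first three SYNs, the attempts at seconds 3 and 4 are dropped by the second rule, and the attempts at 70 and 130 are each admitted because a full period has elapsed. Raise --limit-burst to allow a larger initial burst, or --limit to change the steady-state rate.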