
Why does the iptables connection limit not work?


This is my iptables ruleset; everything works fine, except that these IPs with more than 20 connections won't get blocked.

# Flush all rules and delete any user-defined chains
iptables -F
iptables -X

# INPUT: loopback, rate-limited service ports, ICMP, then the per-source connection limit
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -i eth0 -p tcp --dport 6606 -m state --state NEW,RELATED,ESTABLISHED -m limit --limit 2/s --limit-burst 4 -j ACCEPT
iptables -I INPUT 3 -i eth0 -p tcp --dport 6624 -m state --state NEW,RELATED,ESTABLISHED -m limit --limit 2/s --limit-burst 4 -j ACCEPT
iptables -I INPUT 4 -i eth0 -p tcp --dport 6610 -m state --state NEW,RELATED,ESTABLISHED -m limit --limit 2/s --limit-burst 4 -j ACCEPT
# (duplicate of the rule above for port 6610)
iptables -I INPUT 5 -i eth0 -p tcp --dport 6610 -m state --state NEW,RELATED,ESTABLISHED -m limit --limit 2/s --limit-burst 4 -j ACCEPT
iptables -I INPUT 6 -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -I INPUT 7 -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
# Connection limit: only reached by packets that none of the rules above accepted
iptables -I INPUT 8 -i eth0 -m connlimit --connlimit-above 20 -j DROP

# OUTPUT: mirror of the INPUT chain, matching on source port instead
iptables -I OUTPUT 1 -o lo -j ACCEPT
iptables -I OUTPUT 2 -o eth0 -p tcp --sport 6606 -m state --state NEW,RELATED,ESTABLISHED -m limit --limit 2/s --limit-burst 4 -j ACCEPT
iptables -I OUTPUT 3 -o eth0 -p tcp --sport 6624 -m state --state NEW,RELATED,ESTABLISHED -m limit --limit 2/s --limit-burst 4 -j ACCEPT
iptables -I OUTPUT 4 -o eth0 -p tcp --sport 6610 -m state --state NEW,RELATED,ESTABLISHED -m limit --limit 2/s --limit-burst 4 -j ACCEPT
# (duplicate of the rule above for port 6610)
iptables -I OUTPUT 5 -o eth0 -p tcp --sport 6610 -m state --state NEW,RELATED,ESTABLISHED -m limit --limit 2/s --limit-burst 4 -j ACCEPT
iptables -I OUTPUT 6 -o eth0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I OUTPUT 7 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -I OUTPUT 8 -o eth0 -m connlimit --connlimit-above 20 -j DROP

# Default policies: drop anything not explicitly accepted above
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

What's wrong? Why does the connection limit not work?


Solution

  • You're accepting connections without a connlimit specification before the connlimit DROP rule is set.

    Try putting the DROP rule above all the others, or specify a --connlimit-upto inside each one of your ACCEPT rules, e.g.:

    iptables -A INPUT -i eth0 -p tcp --dport 6606 \
    -m state --state NEW,RELATED,ESTABLISHED \
    -m connlimit --connlimit-upto 20 -m limit --limit 2/s --limit-burst 4 -j ACCEPT
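To see why rule order matters here, the following is an added Python model of first-match chain evaluation; it is not iptables code and not part of the answer above. It models only the dport and connlimit matches (the state and limit matches are ignored) and assumes, as xt_connlimit does, that the connection being evaluated is included in the per-source count. The three chains mirror the question's order, the "DROP rule first" fix, and the "--connlimit-upto" fix.

```python
from collections import Counter

def rule(dport=None, above=None, upto=None, target="ACCEPT"):
    """Build one chain rule: (match function, target). None means 'no such match'."""
    def matches(pkt, active):
        if dport is not None and pkt["dport"] != dport:
            return False
        # connlimit counts the source's existing connections plus this new one
        n = active[pkt["src"]] + 1
        if above is not None and not n > above:        # --connlimit-above
            return False
        if upto is not None and not n <= upto:         # --connlimit-upto
            return False
        return True
    return matches, target

def evaluate(chain, pkt, active, policy="DROP"):
    """First matching rule decides; fall through to the chain policy otherwise."""
    for matches, target in chain:
        if matches(pkt, active):
            return target
    return policy

def open_connections(chain, src, dport, count):
    """Open `count` new connections from one source; return the verdict for each."""
    active = Counter()   # accepted connections per source, standing in for conntrack
    verdicts = []
    for _ in range(count):
        verdict = evaluate(chain, {"src": src, "dport": dport}, active)
        verdicts.append(verdict)
        if verdict == "ACCEPT":
            active[src] += 1
    return verdicts

# Question's order: a plain ACCEPT sits before the connlimit DROP, so DROP is never reached
ORIGINAL = [rule(dport=6606), rule(above=20, target="DROP")]
# Fix 1: connlimit DROP evaluated before any ACCEPT
DROP_FIRST = [rule(above=20, target="DROP"), rule(dport=6606)]
# Fix 2: each ACCEPT carries --connlimit-upto 20, so the 21st connection falls through
UPTO = [rule(dport=6606, upto=20), rule(above=20, target="DROP")]

if __name__ == "__main__":
    src = "198.51.100.7"   # constructed sample source address
    for name, chain in [("original", ORIGINAL), ("drop-first", DROP_FIRST), ("upto", UPTO)]:
        v = open_connections(chain, src, 6606, 25)
        print(f"{name:10s} accepted={v.count('ACCEPT')} dropped={v.count('DROP')}")
```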