| 1 | |
| 2 | === Limiting the number of connections from any one IP address === |
| 3 | |
| 4 | Thanks to Jennifer Spencer for referring me to the page : |
| 5 | |
| 6 | https://access.redhat.com/solutions/396273 |
| 7 | |
| 8 | which essentially answers this question. |
| 9 | |
| 10 | Sometimes a client will open a large number of parallel downloads of SDO data, which can be problematic. As a result |
| 11 | it can be useful to limit the number of simultaneous connections from any one IP. To do this, edit the file : |
| 12 | |
| 13 | {{{ |
| 14 | /etc/sysconfig/iptables |
| 15 | }}} |
| 16 | |
| 17 | And add a rule like this. Rule order matters: iptables uses the first matching rule, so this line must appear before the rule that accepts new connections on port 80 : |
| 18 | |
| 19 | {{{ |
| 20 | # Limit to 5 per IP on port 80 |
| 21 | -A RH-Firewall-1-INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j DROP |
| 22 | }}} |
| 23 | |
| 24 | That limits the number of simultaneous connections from any one source IP to 5; new connection attempts (SYN packets) beyond that are silently dropped. Note that many clients behind a single NAT gateway or proxy appear as one IP and therefore share the limit. |
| 25 | |
| 26 | Then restart iptables so the rules are reloaded from that file (if the restart reports an error, check the line you added) : |
| 27 | |
| 28 | {{{ |
| 29 | # service iptables restart |
| 30 | }}} |
| 31 | |
| 32 | Here is an example of that file (note that the connlimit rule appears before the later rule that accepts port 80) : |
| 33 | |
| 34 | {{{ |
| 35 | # cat /etc/sysconfig/iptables |
| 36 | *filter |
| 37 | :INPUT ACCEPT [0:0] |
| 38 | :FORWARD ACCEPT [0:0] |
| 39 | :OUTPUT ACCEPT [378096909:36912540108] |
| 40 | :RH-Firewall-1-INPUT - [0:0] |
| | # All inbound and forwarded traffic is handed to RH-Firewall-1-INPUT; rules there are evaluated top to bottom and the first matching ACCEPT/DROP/REJECT ends evaluation. |
| 41 | -A INPUT -j RH-Firewall-1-INPUT |
| 42 | -A FORWARD -j RH-Firewall-1-INPUT |
| 43 | -A RH-Firewall-1-INPUT -i lo -j ACCEPT |
| 44 | -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT |
| | # Per-host allow rules placed ABOVE the connlimit rule: these sources are not subject to the port 80 limit below. |
| 45 | -A RH-Firewall-1-INPUT -s 172.23.19.54 -j ACCEPT |
| 46 | -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 30000 -j ACCEPT |
| 47 | -A RH-Firewall-1-INPUT -s 146.5.21.121 -j ACCEPT |
| 48 | -A RH-Firewall-1-INPUT -s 146.5.21.120 -j ACCEPT |
| | # Unconditional per-host blocks. |
| 49 | -A RH-Firewall-1-INPUT -s 128.118.7.56 -j DROP |
| 50 | -A RH-Firewall-1-INPUT -s 128.118.7.57 -j DROP |
| 51 | -A RH-Firewall-1-INPUT -s 131.113.97.134 -j DROP |
| 52 | -A RH-Firewall-1-INPUT -s 122.210.105.211 -j DROP |
| 53 | # Limit to 5 per IP on port 80 |
| | # Counts existing connections per source address (connlimit's default mask is the full IPv4 address) and drops any new SYN to port 80 once that source already has more than 5. It is effective only because it sits above the port 80 ACCEPT further down. |
| 54 | -A RH-Firewall-1-INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j DROP |
| 55 | # |
| 56 | # Allow 146.5.21.110 (teide.nispdc.nso.edu) in so it can cross mount disks |
| | # NOTE(review): this ACCEPT is BELOW the connlimit rule, so this host is still subject to the port 80 limit; move it above that rule if it also needs unlimited port 80 access. |
| 57 | -A RH-Firewall-1-INPUT -s 146.5.21.110 -j ACCEPT |
| 58 | # |
| 59 | # Same for 146.5.21.60 (shemesh.nispdc.nso.edu) |
| | # NOTE(review): same ordering caveat as for 146.5.21.110 above. |
| 60 | -A RH-Firewall-1-INPUT -s 146.5.21.60 -j ACCEPT |
| 61 | # |
| | # The ## lines below are disabled (commented out) range blocks and are not loaded. |
| 62 | ##-A RH-Firewall-1-INPUT -m iprange --src-range 119.188.50.0-119.188.50.255 -j DROP |
| 63 | ##-A RH-Firewall-1-INPUT -m iprange --src-range 119.188.12.0-119.188.12.255 -j DROP |
| 64 | ##-A RH-Firewall-1-INPUT -m iprange --src-range 60.214.64.0-60.214.64.255 -j DROP |
| 65 | ##-A RH-Firewall-1-INPUT -m iprange --src-range 122.143.6.0-122.143.6.255 -j DROP |
| 66 | ##-A RH-Firewall-1-INPUT -m iprange --src-range 222.161.212.0-222.161.212.255 -j DROP |
| 67 | ##-A RH-Firewall-1-INPUT -m iprange --src-range 122.141.235.0-122.141.235.255 -j DROP |
| 68 | ##-A RH-Firewall-1-INPUT -m iprange --src-range 119.188.15.0-119.188.15.255 -j DROP |
| 69 | ##-A RH-Firewall-1-INPUT -m iprange --src-range 124.95.156.0-124.95.156.255 -j DROP |
| 70 | ##-A RH-Firewall-1-INPUT -m iprange --src-range 221.204.176.0-221.204.176.255 -j DROP |
| 71 | ##-A RH-Firewall-1-INPUT -m iprange --src-range 61.54.24.0-61.54.24.255 -j DROP |
| 72 | ##-A RH-Firewall-1-INPUT -m iprange --src-range 218.26.232.0-218.26.232.255 -j DROP |
| 73 | -A RH-Firewall-1-INPUT -s 1.12.0.0/16 -j DROP |
| 74 | -A RH-Firewall-1-INPUT -p esp -j ACCEPT |
| 75 | -A RH-Firewall-1-INPUT -p ah -j ACCEPT |
| 76 | -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT |
| 77 | -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT |
| 78 | -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT |
| 79 | -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT |
| | # Packets belonging to connections already accepted are allowed through; a fresh SYN is NEW and does not match here. |
| 80 | -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
| | # The --tcp-flags SYN,RST,ACK SYN match selects SYN-only packets, i.e. new connection attempts. |
| 81 | -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 55000 --tcp-flags SYN,RST,ACK SYN -j ACCEPT |
| | # Port 80 ACCEPT: only reached by SYNs that the connlimit rule above did not drop. |
| 82 | -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT |
| | # NOTE(review): port 443 is accepted with no connection limit; if the same downloads are also served over HTTPS, add a matching connlimit rule for 443 above the port 80 connlimit rule. |
| 83 | -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT |
| 84 | -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT |
| 85 | -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5434 -j ACCEPT |
| 86 | -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT |
| 87 | -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5001 -j ACCEPT |
| 88 | -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 5001 -j ACCEPT |
| 89 | -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 55000 -j ACCEPT |
| | # NOTE(review): confirm the UDP accepts for 5222, 8080 and 80 are intended; the web ports are already accepted over TCP above and HTTP is normally TCP-only, so these may be unintended openings. |
| 90 | -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 5222 -j ACCEPT |
| 91 | -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 8080 -j ACCEPT |
| 92 | -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT |
| | # Default deny: anything not matched above is rejected with an ICMP host-prohibited reply. |
| 93 | -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited |
| 94 | COMMIT |
| 95 | }}} |
| 96 | |
| 97 | |