Hardening iptables with limit rates

How to offload the hard work of blocking brute force to iptables.

Rate limiting applied at the lowest layer you possibly have access to. Note: these are examples only, not a full configuration.

*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]

### add your usual safety tricks here ###
### don't forget to allow established and related connections
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT

### rate limit examples:
# SSH
# be careful with this one, seriously slows SCP down
-A INPUT -m tcp -p tcp --dport 22 -m state --state NEW -m limit --limit 4/s --limit-burst 4 -j ACCEPT

# webserver
-A INPUT -m tcp -p tcp --dport 80 -m state --state NEW -m limit --limit 128/s --limit-burst 128 -j ACCEPT

COMMIT


Encourage creation!

If this entry helped you, or you simply liked it, leave a tip.