
I'm having quite a difficult time figuring out how to REJECT both inbound and outbound connections from a machine with iptables once the total number of TCP connections hits a global maximum without respect to source or destination port. All sources/destinations/ports must be included.

Is this possible with iptables?

2 Answers

```shell
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above <your limit number> --connlimit-mask 0 -j DROP
iptables -A OUTPUT -p tcp --syn -m connlimit --connlimit-above <your limit number> --connlimit-mask 0 -j DROP
```
MadHatter
Wutiphong
  • Thank you! I may have an opportunity to test this tonight and if it works well, I'll accept the answer! :) – Gordon Morehouse Oct 21 '13 at 14:59
  • Works a treat, and (as should be obvious from the above) with iptables you can limit the total number of connections allowed in ANY chain, including input, output, and custom ones. – Gordon Morehouse Nov 04 '13 at 21:31
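The two rules above (and the per-port variant in the other answer) differ only in the `--connlimit-mask 0` setting, which is the part that turns a per-source-address cap into a machine-wide one. The script below is an added example, not code from either answerer or from the iptables project: it generates the global-cap rules for a given limit, refuses a non-numeric or zero limit, and applies them only when asked to. The script name `tcp_global_limit.sh`, the `apply` argument and the helper names are assumptions made here.

```shell
#!/bin/sh
# Added example: emit (and optionally apply) a machine-wide TCP connection cap.
# Assumed invocation: ./tcp_global_limit.sh <limit> [apply]

# Print the two rules for a given limit.
#   --connlimit-mask 0 puts every address into one group, so the count covers
#   the whole machine; the default mask of 32 would cap each source IP separately.
#   --syn restricts the match to connection-opening packets, so already
#   established flows are never dropped by this rule.
connlimit_rules() {
    limit="$1"
    case "$limit" in
        ''|*[!0-9]*|0) echo "limit must be a positive integer" >&2; return 1 ;;
    esac
    printf '%s\n' \
      "iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above $limit --connlimit-mask 0 -j DROP" \
      "iptables -A OUTPUT -p tcp --syn -m connlimit --connlimit-above $limit --connlimit-mask 0 -j DROP"
}

# Sanity check: how many generated rules actually carry the global mask.
# A rule without it would silently fall back to a per-host limit.
global_rule_count() {
    connlimit_rules "$1" | grep -c -- '--connlimit-mask 0'
}

main() {
    if [ "$2" = "apply" ]; then
        # Applying needs root and the xt_connlimit kernel module.
        connlimit_rules "$1" | while read -r rule; do
            $rule || exit 1
        done
    else
        connlimit_rules "$1"
    fi
}

# Run main only when executed as the script, so the functions can be sourced.
case "$0" in
    *tcp_global_limit.sh) main "$@" ;;
esac
```

To answer the question's literal request for a REJECT rather than a silent drop, replace `-j DROP` with `-j REJECT --reject-with tcp-reset` in both rules; the reset is valid for TCP in either chain. After applying, `iptables -L INPUT -v -n` shows the rule with its packet counters, which is the quickest way to confirm the cap is being hit.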

You can do it using the iptables module "connlimit":

```shell
/sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset
```

Example:

```shell
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
```
Farhan
  • I'm looking for an absolute global limit, though, for the entire machine - not just a single port. – Gordon Morehouse Sep 18 '13 at 16:40
  • `--reject-with` is only port 113 I guess? Also it's probably best [not to reject](https://man.archlinux.org/man/iptables-extensions.8.en#REJECT_(IPv4-specific)) INVALID packets? – x-yuri Aug 06 '23 at 13:42
  • By the way, doesn't your answer lack `--connlimit-mask 0` to limit the total number of connections? – x-yuri Aug 08 '23 at 11:52