
I want to limit the number of TCP connections in Linux server, I have used the following command.

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

It seems like something is wrong and the desired results are not coming. I get the number of active connections using the following command:

netstat -n | grep ':80' | awk -F' ' '{print $5}' | awk -F':' '{print$1}' | sort | uniq -c | sort -n

Now, when I type the above command, I get the following results:

44 122.179.103.8
45 107.167.107.123
46 120.60.76.201
48 122.162.172.182
49 183.87.48.105
51 122.161.241.33
71 198.72.112.97
98 122.168.167.114
103 122.177.169.21
134 106.51.130.193
137 122.165.226.196

As you can see, there are more active TCP connections than the allowed limit of 25. Can someone please help me with the correct command, or tell me what is going wrong here?

  • It's not a good way to do it. You should configure your webserver better, as your way will lead to a bad user experience: users will get connection problems with your site – yagmoth555 Dec 08 '14 at 11:16
  • Please, when asking a question about iptables, add the output from the following command: `iptables -L -v -n` – HBruijn Dec 08 '14 at 11:35
  • @yagmoth555 It's still a valid question, though. It might be a good idea to configure the webserver to send HTTP 503 at 20 connections per client, and also reject at 25 connections at the kernel level for stronger defense. – 200_success Dec 08 '14 at 11:36
  • I asked the same question in SO, and they sent me here. Someone down voted this question, I wonder why ? – Mani Dec 08 '14 at 12:16
  • @Mani At a guess it was a *this is the wrong way to attack this problem* downvote. – sysadmin1138 Dec 08 '14 at 12:33
  • Are you sure about the netstat command? Probably you should grep for ESTABLISHED. Otherwise you will count things like TIME_WAIT entries, too. –  Dec 08 '14 at 17:32
  • Also, with no context, like the whole list, we can't see if you've allowed the traffic first and then attempted to rate limit, which would produce the same effect as not rate limiting at all.. – Grizly Dec 08 '14 at 20:49
  • I think even TIME_WAIT will be counted in the number of connections. – Mani Dec 09 '14 at 04:50

3 Answers


There are 11 different states for a TCP connection, and your iptables rule limits the "SYN" state, which is the right state for limiting TCP connections; but when you use the "netstat" command, it shows you all the states a connection goes through. My point is that you did it right but you are checking it wrong. Pipe the netstat command through grep for your desired state, which is "ESTABLISHED":

netstat -n | grep ESTABLISHED | grep ':80' | awk -F' ' '{print $5}' | awk -F':' '{print$1}' | sort | uniq -c | sort -n

Just a tip: you can use "netstat -ntp" to get only TCP connections.

Also check this; I think it's useful.

Just for extra info; TCP connection states:

LISTEN: accepting connections

ESTABLISHED: connection up and passing data

SYN_SENT: session has been requested by us; waiting for reply from remote endpoint

SYN_RECV: session has been requested by a remote endpoint for a socket on which we were listening

LAST_ACK: our socket is closed; remote endpoint has also shut down; we are waiting for a final acknowledgement

CLOSE_WAIT: remote endpoint has shut down; the kernel is waiting for the application to close the socket

TIME_WAIT: socket is waiting after closing for any packets left on the network

CLOSED: socket is not being used

CLOSING: our socket is shut down; remote endpoint is shut down; not all data has been sent

FIN_WAIT1: our socket has closed; we are in the process of tearing down the connection

FIN_WAIT2: the connection has been closed; our socket is waiting for the remote endpoint to shut down
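As an added example (not part of the answer above), here is a small shell script that applies the same per-remote-IP count to a `netstat -tn` style listing, once over all states and once restricted to ESTABLISHED, so the gap the answer describes is visible side by side. It matches on the Local Address column instead of grepping the whole line for `:80`, so a remote ephemeral port such as `:8000` is not miscounted. The listing, the local address 10.0.0.5 and the remote addresses 203.0.113.10 and 198.51.100.7 are constructed so the script runs offline; on a live host you would feed it `netstat -tn` instead.

```shell
#!/bin/sh
# Added example, not from the original answer: per-remote-IP connection counts
# from a `netstat -tn` style listing, in all states and in ESTABLISHED only.
# SAMPLE is a constructed listing (RFC 5737 test addresses); replace it with
# "$(netstat -tn)" to run against a live host.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.10:51000      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51001      TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.10:51002      TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.10:51003      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      CLOSE_WAIT
tcp        0      0 10.0.0.5:443            198.51.100.7:8000       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.10:51004      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:40002      ESTABLISHED'

# count_per_ip PORT [STATE]
# Print "count remote_ip" for every remote IP with connections to local
# port PORT, optionally only those in STATE. Testing the local port column
# replaces `grep ':80'`, which would also match the remote port :8000 above.
count_per_ip() {
    printf '%s\n' "$SAMPLE" | awk -v port="$1" -v state="${2:-}" '
        $1 == "tcp" || $1 == "tcp6" {
            n = split($4, l, ":"); lport = l[n]        # last field is the port
            if (lport != port) next
            if (state != "" && $6 != state) next       # $6 is the State column
            n = split($5, r, ":")
            rip = substr($5, 1, length($5) - length(r[n]) - 1)  # strip ":port", IPv6-safe
            c[rip]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -n
}

# count_for_ip PORT IP [STATE]: the count for one remote IP (0 if absent).
count_for_ip() {
    count_per_ip "$1" "${3:-}" | awk -v ip="$2" '$2 == ip { print $1; f = 1 } END { if (!f) print 0 }'
}

# over_limit PORT LIMIT [STATE]: remote IPs with more than LIMIT connections,
# the same check the question makes against its limit of 25.
over_limit() {
    count_per_ip "$1" "${3:-}" | awk -v lim="$2" '$1 > lim'
}

echo "port 80, all states:";        count_per_ip 80
echo "port 80, ESTABLISHED only:";  count_per_ip 80 ESTABLISHED
echo "port 80, above 3 (all states):"; over_limit 80 3
```

With the constructed data 203.0.113.10 shows 4 connections on port 80 in all states but only 2 in ESTABLISHED, which is the kind of discrepancy the answer attributes to counting TIME_WAIT and other non-established entries.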


Below is a suggestion to restrict the number of allowed TCP connections "per socket" (understand: per listening program, more or less) directly from the Linux kernel parameters (sysctl).

Note 1. This will reduce your "server bandwidth" in terms of sockets:

  • On one side, this will protect your server, as it will use "fewer system resources" to handle simultaneous network requests.
  • On the other side, your applications (i.e. webserver) will be more subject to DoS attacks, as "packets" will be dropped more "easily".

So choose wisely: if you want to save CPU, then make the parameters lower. If you want to be more resilient to DDoS, then make the parameters higher.

Note 2. For protecting against attacks, you should probably consider installing an intrusion prevention framework like fail2ban (which automatically bans IP addresses under given conditions).

  1. Open a terminal and log in as root. Type the following command to back up the current sysctl.conf configuration file:

    cp /etc/sysctl.conf /etc/sysctl.conf.bak

  2. Edit the sysctl.conf configuration file using a text editor like nano or vi:

    nano /etc/sysctl.conf

  3. Add the following lines to the end of the file: (These parameters set the maximum number of SYN requests that can be queued, and the maximum number of simultaneous connections that can be established for any given socket.)

    # Limit the number of TCP connections

    net.ipv4.tcp_max_syn_backlog = 128

    net.core.somaxconn = 128

  4. Save and close the file. Then apply the changes by running the following command:

    sysctl -p

Note 3. The above settings are just an example. You should adjust them based on your system's hardware resources and the application requirements to prevent networking issues such as dropped packets and long response times.

Hope it helps.


Please see here: https://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable

Your line seems to limit the number per IP to 25.

  • Thanks for your response. In fact I did this task based on the thread link you gave. My problem is: it is not working, or how do I verify that it is working? – Mani Dec 09 '14 at 04:51
  • @mani Someone can correct me, but the rule, with syn, blocks 25 connection attempts, but when the connection is done, it's no longer a syn attempt.. you see my point? – yagmoth555 Dec 09 '14 at 12:30