
There are articles such as this which suggest something of the form of these iptables rules to block too many SSH connections made in a short time:

-I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
-I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent  --update --seconds 60 --hitcount 4 -j DROP

According to the article, "[these rules] will block an IP if it attempts more than 3 new connections per minute to SSH."

If iptables' INPUT chain is configured with a default policy of DROP, will the following rule perform equivalently to the previously shown rules?

-I INPUT -p tcp --dport 22 -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 1 -j ACCEPT

  • For those who look at the first two rules here, note that the second rule should be using `--rcheck`; otherwise, the `--set` and the `--update` both do an update of the recent list, and that means you get your counter incremented by 2 when the `--update` is "true" (i.e. once you have 4 hits, you get +2 each time a packet goes through). – Alexis Wilke Nov 14 '22 at 19:55

1 Answer

The iptables modules limit and recent can be equivalent in some cases, including the case you have at hand.

Here is a similar post on serverfault.

Khaled
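To make the comparison concrete, here is a small added simulation (not from the question or the answer, and only an approximation of the kernel's xt_recent and xt_limit behaviour: the recent module's 20-entry stamp cap and the limit module's credit units are ignored) that feeds one constructed SYN sequence through both rule sets. It shows two ways the rules differ: `recent` is per source address while `limit` is a single global bucket, and with `--limit-burst 1` the bucket admits one connection per 20 s rather than three per minute; it also reproduces the `--update` vs `--rcheck` double counting noted in the comment.

```python
from collections import defaultdict

RECENT_SECONDS, RECENT_HITCOUNT = 60, 4   # --seconds 60 --hitcount 4
LIMIT_INTERVAL, LIMIT_BURST = 20.0, 1     # --limit 3/min = one token per 20 s; --limit-burst 1


class RecentFilter:
    """Per-source sliding window: `-m recent --set`, then `--update` (or `--rcheck`) -j DROP."""

    def __init__(self, use_update=True):
        self.use_update = use_update
        self.stamps = defaultdict(list)   # source address -> timestamps of recorded hits

    def packet(self, src, t):
        self.stamps[src].append(t)        # rule 1 (--set) always records a hit
        hits = sum(1 for s in self.stamps[src] if t - s <= RECENT_SECONDS)
        if hits >= RECENT_HITCOUNT:       # rule 2 matches: DROP
            if self.use_update:           # --update also refreshes the entry on a match,
                self.stamps[src].append(t)  # so a dropped packet is counted twice
            return "DROP"
        return "ACCEPT"                   # no match; left for a later ACCEPT rule


class LimitFilter:
    """Global token bucket: `-m limit --limit 3/min --limit-burst 1 -j ACCEPT`, policy DROP."""

    def __init__(self):
        self.tokens, self.last = float(LIMIT_BURST), None

    def packet(self, src, t):             # src is ignored: limit is not per-source
        if self.last is not None:
            self.tokens = min(LIMIT_BURST, self.tokens + (t - self.last) / LIMIT_INTERVAL)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return "ACCEPT"
        return "DROP"                     # rule did not match; INPUT default policy DROP


def run(filt, packets):
    return [filt.packet(src, t) for src, t in packets]


# Constructed traffic: one source sends 5 SYNs in 5 s, then an unrelated host connects once.
TRAFFIC = [("10.0.0.5", t) for t in range(5)] + [("192.0.2.10", 5)]

if __name__ == "__main__":
    print("recent:", run(RecentFilter(), TRAFFIC))   # 3 pass, then drops; other host passes
    print("limit :", run(LimitFilter(), TRAFFIC))    # only first SYN passes; other host dropped
    f = RecentFilter(); run(f, TRAFFIC)
    print("hits recorded with --update:", len(f.stamps["10.0.0.5"]))   # 7 (5 with --rcheck)
```

A per-source equivalent of the `limit` rule would need `-m hashlimit` rather than `-m limit`; as written, one noisy client exhausts the bucket for every other source.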