iptables connlimit not working as expected
Posted by kenw232, 01-10-2013, 02:48 PM | Hello. I am trying to limit connections from subnets to just one connection for port 25. x.x.x is my server IP. No matter what I always get 2 (max) connections from these subnets, I only want 1 max connection from them. Why does this happen?
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 25 -s 157.55.0.0/16 -m connlimit --connlimit-above 1 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 25 -s 157.56.0.0/16 -m connlimit --connlimit-above 1 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 25 -s 65.55.0.0/16 -m connlimit --connlimit-above 1 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 25 ! -s x.x.x.0/24 -m connlimit ! --connlimit-above 1 -j ACCEPT
But:
19008 root sendmail: accepting connections
30689 root \_ sendmail: r0AIfqoe030689 tx2outboundsmtppool2.messaging.microsoft.com [65.55.83.132]: DATA
30703 root \_ sendmail: r0AIfvK4030703 tx2outboundsmtppool1.messaging.microsoft.com [65.55.83.131]: DATA
30818 root \_ sendmail: r0AIgQQG030818 co9outboundsmtppool2.messaging.microsoft.com [157.56.73.194]: DATA
30832 root \_ sendmail: r0AIgVCN030832 co9outboundsmtppool1.messaging.microsoft.com [157.56.73.193]: DATA
Or even netstat:
server(/etc/rc.d): netstat -an | grep 157.56
tcp 0 0 x.x.x.162:25 157.56.73.194:21776 ESTABLISHED
tcp 0 0 x.x.x.162:25 157.56.73.193:36564 ESTABLISHED
Posted by TQ Mark, 01-10-2013, 03:18 PM | Although you are specifying a source range for the block, such as 65.55.0.0/16, so that the rule only applies to that range, the /16 subnet mask isn't applied to the connlimit itself, so connection limiting is still per individual IP address.
You need to add "--connlimit-mask ", such as:
Try that out.
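To make the reply above concrete, here is an added example (mine, not code from either poster) that models how the connlimit match picks its counting key. It replays the four relay addresses from the sendmail process list as SYN arrivals and shows the verdicts with the default mask (32, one counter per client IP) against a mask of 16. Mask 16 is my assumption, chosen to match the /16 source ranges in the rules; the value in the reply itself did not survive extraction.

```python
"""Model of the counting key iptables' connlimit match uses.

Added example for this thread, not code from either poster. It simulates
how `-m connlimit --connlimit-above N` decides a verdict: existing
connections are grouped by the source address masked to --connlimit-mask
bits (default 32, i.e. one counter per client IP), and the SYN under
evaluation is counted together with them. Mask 16 below is my assumption,
picked to match the /16 source ranges in the rules in the question.
"""
import ipaddress
from collections import Counter

# Constructed replay: the four relay addresses seen in the sendmail
# process list in the question, in a plausible arrival order.
SYN_ORDER = [
    "157.56.73.194",
    "157.56.73.193",
    "65.55.83.132",
    "65.55.83.131",
]


def connlimit_key(src_ip: str, mask_bits: int) -> str:
    """Network that connlimit counts this source against.

    mask_bits=32 (the default when --connlimit-mask is omitted) makes every
    address its own bucket; mask_bits=16 buckets the whole /16 together.
    """
    return str(ipaddress.ip_network(f"{src_ip}/{mask_bits}", strict=False))


def count_per_key(established, mask_bits: int) -> Counter:
    """Count currently established connections per connlimit bucket."""
    return Counter(connlimit_key(ip, mask_bits) for ip in established)


def syn_is_rejected(established, src_ip: str, mask_bits: int, above: int = 1) -> bool:
    """Would `--connlimit-above <above> -j REJECT` fire for a new SYN from src_ip?

    The SYN being evaluated is included in the count, so the rule rejects
    once `above` connections already exist in the bucket.
    """
    key = connlimit_key(src_ip, mask_bits)
    return count_per_key(established, mask_bits)[key] + 1 > above


def replay_syns(syn_sources, mask_bits: int, above: int = 1):
    """Replay SYN arrivals in order and return a list of (ip, verdict).

    Accepted connections stay established and count against later SYNs,
    which is what makes the mask choice visible.
    """
    established = []
    verdicts = []
    for ip in syn_sources:
        if syn_is_rejected(established, ip, mask_bits, above):
            verdicts.append((ip, "REJECT"))
        else:
            verdicts.append((ip, "ACCEPT"))
            established.append(ip)
    return verdicts


if __name__ == "__main__":
    for mask in (32, 16):
        print(f"--connlimit-mask {mask}:")
        for ip, verdict in replay_syns(SYN_ORDER, mask):
            print(f"  {ip:16} {connlimit_key(ip, mask):18} {verdict}")
```

With mask 32 every address gets its own bucket, so all four SYNs are accepted and each /16 ends up with two established connections, exactly what the netstat output shows. With mask 16 the second address in each /16 is rejected. In the real rules that corresponds to adding `--connlimit-mask 16` to each of the three REJECT lines, keeping them ahead of the generic ACCEPT rule so they are evaluated first. The model only covers IPv4 and counts TCP connections that were accepted in this replay; the kernel match counts conntrack entries for the bucket, so connections in other states can also contribute.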
Posted by kenw232, 01-10-2013, 05:47 PM | Great thanks. I added that but the flood is over so I don't know if it works. I'll find out eventually. Thanks.