Is there a connlimit module for ip6tables? - firewall

Does anyone know if there is a connlimit module that can be used for ip6tables?
Please let me know.
Thanks,
Kenneth

Yes, here it is (it may need a kernel patch):
ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64 -m connlimit \
    --connlimit-above 16 --connlimit-mask 64 -j REJECT

Related

linux firewall rule - iptables -A INPUT rule that will accept any packet that comes in over ports 43, 53 or 67

I need a Linux firewall rule that will accomplish the following: an iptables -A INPUT rule that will accept any packet that comes in over ports 43, 53 or 67.
I am new to this. Do you have to have -p "protocol" before --dport 43,53,67, or can you take out the -p "protocol" and just have --dport 43,53,67? How would you accept any packet that could come in over multiple protocols?
You have to use it for all protocols you want to allow:
iptables -A INPUT -p tcp -m multiport --dports 43,53,67 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 43,53,67 -j ACCEPT
--dport is not a flag for general iptables rules. It's a flag for one of its extended packet matching modules. These are loaded when you use -p protocol or -m. Unless you specify -m <protocol> or -p <protocol> with a specific protocol, you can't use --dport.

Dropping everything with iptables, and still can chat on IRC. Why?

Here is the rule set:
#!/bin/sh
iptables-restore -v<<END
# Generated by iptables-save v1.4.21 on Mon Sep 22 17:45:30 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [2:441]
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p tcp --sport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -j LOG
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -j LOG
COMMIT
# Completed on Mon Sep 22 17:45:30 2014
END
gives:
# Generated by iptables-save v1.4.21 on Mon Sep 22 17:45:30 2014
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
# Completed on Mon Sep 22 17:45:30 2014
Any ideas?
thorsten#thorstysPC ~ $ lsmod | grep ipt
iptable_filter 12810 1
ip_tables 27239 1 iptable_filter
x_tables 34059 4 ip_tables,xt_tcpudp,xt_LOG,iptable_filter
thorsten#thorstysPC ~ $
This is the list of modules. Looks like iptables is online.
Can anyone check these on his own box?
Edit
I misunderstood the question. That's why I deleted the original answer's text but will keep the answer unless the problem is solved because there is still an open discussion below. If it can't be solved, I'll delete this answer.

LINUX: How to LIMIT incoming (concurrent) connection COUNT?

I'm using RHEL or CentOS. I just want to know how to limit the concurrent/simultaneous connection counts.
Let's say:
I have a Media Streaming Server
(According to the Server Performance) I want my Server to be strictly serving to only 100 Viewers at a time. (Only 100 Viewers can be Viewing/ Downloading from my Server)
Is it possible, and how do I do it, please?
Check out the iptables rate limiting feature:
http://codingfreak.blogspot.com/2010/01/iptables-rate-limit-incoming.html
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --hitcount 50 -j DROP

How to open port 2195 in iptables CentOS 6 for activating the APNS

I tried this solution:
iptables -I OUTPUT -p tcp --dport 2195 -j ACCEPT
/etc/init.d/iptables stop
/etc/init.d/iptables start
but still can't access the port.
If there are more ports that I have to open for APNS, let me know.
How about:
iptables -A INPUT -p tcp --dport 2195 -j ACCEPT
service iptables restart
This may help too.
It didn't work for me completely, since my last rule was a DROP ALL, which basically negated everything I added to iptables after it.
It might be useful to use the -I switch:
iptables -I INPUT 1 -p tcp --dport 2195 -j ACCEPT
INPUT 1 means the rule becomes the first INPUT rule instead of being appended, so it sits in front of the drop-all rule.
See my answer here: https://stackoverflow.com/a/25229943/1472048
For CentOS 7, you should use "firewall-cmd" command like so:
firewall-cmd --add-port=2195/tcp --permanent
iptables is not recommended if you use the firewalld service.
Try the following command, it worked for me:
$ sudo iptables -A INPUT -p tcp --dport 2195 -j ACCEPT
$ sudo /etc/init.d/iptables save

Iptables - how to allow connection to port 27015 from only *:27005

I have an application listening at port 27015. I want to allow all IPs with client port 27005 and drop the rest. How do I go about this?
This page shows some good examples of iptables.
http://www.cyberciti.biz/tips/linux-iptables-how-to-specify-a-range-of-ip-addresses-or-ports.html
So, something like this should do it:
iptables -A INPUT -p tcp --sport 27005 --dport 27015 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
A little late, but here is what I would do:
iptables -A INPUT -p tcp --dport 27005 -j ACCEPT
iptables -A INPUT -j DROP
service iptables save
service iptables restart
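As an added example that is not part of any answer in this thread, the following Python script simulates how iptables walks a filter chain: the first terminating match wins, LOG falls through, -I inserts ahead of existing rules while -A appends, --dport/--sport require a protocol, and the chain policy decides when nothing matches. It embeds the OUTPUT chain from the IRC question (abridged) as sample input; the other rule sets in the thread (the multiport rules, the port 2195 ordering problem, --sport 27005 versus --dport 27005) can be fed to it the same way. Matches it does not model (-m state, -m recent, -m connlimit, -s, -i) are skipped, which is an assumption to keep in mind when reading its verdicts.

```python
# Added example (not from the thread): a first-match simulator for iptables-save
# style filter rules. It models -p, --sport/--dport (incl. multiport lists), -A/-I
# ordering and LOG fall-through; other matches (-m state, -s, -i) are skipped, so
# it is a reading aid for rule sets like the ones above, not a substitute for iptables -S.
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def ports(spec):                              # '43,53,67' -> {43, 53, 67}
    return {int(p) for p in spec.split(",")}

def parse_rules(text):                        # -> {chain: {"policy": .., "rules": [..]}}
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0][0] in "#*C":     # skip comments, '*filter', COMMIT
            continue
        if tok[0][0] == ":":                  # ':INPUT DROP [0:0]' sets the chain policy
            chains[tok[0][1:]] = {"policy": tok[1], "rules": []}
            continue
        cmd, chain, rest, pos = tok[0], tok[1], tok[2:], None
        if cmd == "-I":                       # '-I CHAIN [n]' inserts; default is first
            pos = int(rest.pop(0)) - 1 if rest and rest[0].isdigit() else 0
        rule, i = {"proto": None, "sport": set(), "dport": set(), "target": None}, 0
        while i < len(rest):
            opt, arg = rest[i], rest[i + 1] if i + 1 < len(rest) else ""
            if opt == "-p": rule["proto"] = arg
            elif opt in ("--dport", "--dports"): rule["dport"] = ports(arg)
            elif opt in ("--sport", "--sports"): rule["sport"] = ports(arg)
            elif opt == "-j": rule["target"] = arg
            i += 1 if opt in ("--syn", "!") else 2   # -m, -s, -i, --state ...: skip option+arg
        if (rule["sport"] or rule["dport"]) and not rule["proto"]:
            raise ValueError("--sport/--dport need a protocol (-p): " + line.strip())
        rules = chains[chain]["rules"]
        rules.insert(len(rules) if pos is None else pos, rule)
    return chains

def verdict(chains, chain, proto, sport, dport):
    for r in chains[chain]["rules"]:          # walk in order; first terminating match wins
        if r["proto"] and r["proto"] != proto: continue
        if r["sport"] and sport not in r["sport"]: continue
        if r["dport"] and dport not in r["dport"]: continue
        if r["target"] in TERMINATING:
            return r["target"]                # LOG is non-terminating: keep walking
    return chains[chain]["policy"]            # nothing matched: the chain policy decides

IRC_OUTPUT = """:OUTPUT DROP [2:441]
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -j LOG"""                           # OUTPUT chain from the IRC question, abridged
```

Run against the thread's full rule set, it shows outbound TCP to IRC's usual port 6667 ending at the OUTPUT policy DROP, so if chat still works the rules in effect differ from the file and are worth comparing with the output of iptables -S.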
