iptables connlimit-mark question

kenw232 · 10-15-2023, 10:56 AM

I've been doing this to rate limit Amazon connections to my server. My question is, is this correct?

Code:

/usr/sbin/iptables -I INPUT -p tcp --syn --dport 443 -s 3.238.56.0/24 -m connlimit --connlimit-above 3 --connlimit-mask 32 -j LOG_REJECT

The concern is the source of 3.238.56.0/24 where I am trying to include all IP addresses between 3.238.56.0 and 3.238.56.255. Is this correct considering the connlimit-mask of 32 is still there? Am I going to get my expected result of throttling all hits from 3.238.56.0/24 to be less then 3 no matter what?

Person_1873 · 10-19-2023, 03:18 AM

the connlimit mask calculates how many addresses surrounding the current address are added to the filter after the connection attemps.
a mask of 32, means that only that single IP gets added to the reject list
Otherwise you end up adding multiple IP's to the reject list even though those IP's weren't spamming you.

Personally i'd be using Fail2Ban as it has functionality to automatically unban after a timeout and is designed for this task.

kenw232 · 10-19-2023, 06:05 PM

Right, but again, what is the point of the netmask? 3.238.56.0/24? I should not be doing a /24 then? is it ignored? If I'm using a connlimit-mask 32, then what single IP is being blocked if my source is 3.238.56.0/24? All 255 "single" IPs?

Person_1873 · 10-19-2023, 11:18 PM

The point of the netmask is to limit the range of addresses that could be rate limited.
The connlimit mask dictates how many addresses are added to the ban list each time the rule is triggered

Person_1873 · 10-19-2023, 11:22 PM

With a netmask of 3.238.56.0/24 and a connlimit-mask of 32.

If 3.238.56.5 attempts to connect 3 times or more, then 3.238.56.5 gets added to the reject list.
But if 3.238.57.5 did the same thing then nothing would happen, this rule won't trigger.

kenw232 · 10-20-2023, 08:21 AM

I see, so with 3.238.56.0/24 it is obviously checking for 3.238.56.*. But when it does find something in 3.238.56.* then only that single IP address that is found is blocked.

Person_1873 · 10-20-2023, 11:11 PM

That's correct.
subnetting is a whole skillset in it's self & is worth looking into