Hitachi CE50-10 Instruction Manual page 86


5. Configuring Software Environment
(c) Setting the port permitted for reception with a limitation
1. Run the following command to permit reception on a port with a given port number while limiting the number of connections that can be established per minute.
Note
Before running the command, you must delete the existing reception permission, if any.
$ sudo iptables -A INPUT -m state --state NEW -m hashlimit --hashlimit-htable-expire 60000 \
--hashlimit-name hasht_port-number --hashlimit time/m --hashlimit-burst number-of-connections \
-p protocol:tcp|udp --dport port-number -j ACCEPT
Example: Specify as follows to permit at most 10 data receptions per minute on the SSH server port (22/tcp).
$ sudo iptables -A INPUT -m state --state NEW -m hashlimit --hashlimit-htable-expire 60000 \
--hashlimit-name hasht_22 --hashlimit 1/m --hashlimit-burst 10 \
-p tcp --dport 22 -j ACCEPT
2. Run the following command to cancel the reception permission that has been set.
$ sudo iptables -D INPUT -m state --state NEW -m hashlimit --hashlimit-htable-expire 60000 \
--hashlimit-name hasht_port-number --hashlimit time/m --hashlimit-burst limitation-count \
-p protocol:tcp|udp --dport port-number -j ACCEPT
Example: Specify as follows to cancel the reception permission for the SSH server port (22/tcp).
$ sudo iptables -D INPUT -m state --state NEW -m hashlimit --hashlimit-htable-expire 60000 \
--hashlimit-name hasht_22 --hashlimit 1/m --hashlimit-burst 10 \
-p tcp --dport 22 -j ACCEPT
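Steps 1 and 2 above are easy to script, and doing so lets the check the Note calls for (deleting an existing permission before adding a new one) happen automatically. The following POSIX shell script is an added example; it is not part of the Hitachi manual or the CE50-10 software. It assumes iptables with the state and hashlimit match modules, and it only executes iptables (which must run as root) when APPLY=1 is set; otherwise it prints the planned command. The function names (build_hashlimit_rule, set_limited_port, run_iptables) and the input validation are this example's own; the rule itself follows the manual's command shape, including the hasht_<port-number> naming.

```shell
#!/bin/sh
# Added example, not from the Hitachi CE50-10 manual: build and apply the
# per-port connection-rate permission from step 1, deleting an existing copy
# first as the manual's Note requires. Assumes iptables with the state and
# hashlimit match modules; iptables is only executed when APPLY=1 is set,
# otherwise the planned command is printed (dry run).

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# build_hashlimit_rule ACTION PORT PROTO RATE BURST
#   ACTION is -A (append), -D (delete) or -C (check). Prints the argument list
#   in the same shape as the manual's command: at most RATE new connections
#   per minute after an initial burst of BURST, tracked under hasht_<PORT>.
build_hashlimit_rule() {
    action=$1 port=$2 proto=$3 rate=$4 burst=$5
    case "$action" in -A|-D|-C) ;; *) echo "action must be -A, -D or -C" >&2; return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    is_uint "$port" && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
        || { echo "port must be 1-65535" >&2; return 1; }
    is_uint "$rate" && is_uint "$burst" && [ "$rate" -ge 1 ] && [ "$burst" -ge 1 ] \
        || { echo "rate and burst must be positive integers" >&2; return 1; }
    printf '%s\n' "$action INPUT -m state --state NEW -m hashlimit --hashlimit-htable-expire 60000 --hashlimit-name hasht_$port --hashlimit ${rate}/m --hashlimit-burst $burst -p $proto --dport $port -j ACCEPT"
}

# run_iptables ARGS...: execute iptables, or just print the command on a dry run.
run_iptables() {
    if [ "$APPLY" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# set_limited_port PORT PROTO RATE BURST
#   Installs the permission. iptables -C exits 0 when an identical rule already
#   exists; in that case it is deleted first so the rule is not duplicated.
set_limited_port() {
    spec=$(build_hashlimit_rule -A "$1" "$2" "$3" "$4") || return 1
    spec=${spec#-A }   # chain plus match spec, reused for -C, -D and -A
    if [ "$APPLY" = 1 ] && iptables -C $spec 2>/dev/null; then
        iptables -D $spec
    fi
    run_iptables -A $spec   # word splitting of $spec is intended here
}

# Example: the manual's SSH case (22/tcp, 1 per minute, burst of 10).
# Prints the planned command; set APPLY=1 to execute it as root.
set_limited_port 22 tcp 1 10
```

Two points worth knowing when adapting this: iptables -C only reports a match for a rule spec that is identical to the one given, so a permission added earlier with a different rate or burst must be removed with the values it was created with (step 2). And because the manual's command gives no --hashlimit-mode, hashlimit behaves like the plain limit match, so the per-minute budget is shared by all clients of that port rather than counted per source address.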
(d) Confirming the set rules
1. Run the following command to confirm the firewall rules that have been set.
$ sudo iptables -L
The following shows a display example of the default rule settings.
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW limit: up to 1/min burst 10 tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
(e) Saving the rules
1. Save the firewall rules that have been set.
To apply the settings (even after the OS is restarted), run the following command.
