iptables -A FORWARD -p tcp --syn -s 192.168.1.34 --dport ! 80 -m connlimit --connlimit-above 5 -j DROP
Let's take this word-by-word and explain what this rule means:
-A
This is the action we want to perform. It may be -A for append (add), -L for list, and some other ones I'll let the man-page explain.
FORWARD
This is the chain we want to perform the action upon. What's a chain? It's a path packets travel inside your computer / router. There are at least two: INPUT for packets entering and OUTPUT for packets going out. The FORWARD chain is present if you use NAT / port forwarding.
-p tcp
This is the protocol we filter packets by. Most of the time it will be TCP. However, there are other protocols, like UDP and ICMP.
--syn
This means we want to catch packets with the SYN flag set (and ACK, RST and FIN clear). In more accessible language, these are the packets used to initiate connections, so you can block them to protect your system!
-s 192.168.1.34
This tells iptables to act upon packets with the source (-s) or destination (-d) specified. For ways to specify entire blocks / ranges of addresses, see the man-page.
--dport ! 80
This instructs the program to set up this rule for packets traveling to all destination ports except 80 (which is for WWW). A nice way to use !-s like in C, huh? (Newer iptables versions want the negation in front of the switch instead: ! --dport 80.)
-m connlimit --connlimit-above 5
This tells iptables to match (-m) packets using the connlimit module. Further, we use a switch particular to connlimit, instructing it to match all packets beyond the limit of 5 connections.
-j DROP
This tells iptables what to do with the packets we spent so much valuable time collecting. Amongst the possible actions are ACCEPT to pass the packets along and DROP to get rid of them silently. There are others; check the man-page.
So what have we achieved? For all ports except 80, we limit the number of connections to 5. Peer-to-peer network users won't be too happy :evil: Web browsing will continue to be fast, as we don't touch any port-80 packet. Pretty nice for a one-line command, isn't it?
But the fun isn't over yet! Here's how to list the rules.
The Keep-It-Simple-Stupid (minimal) version:
iptables -L -v
With -v you also get to know how many packets / bytes each rule has matched.
iptables -L -v --line-numbers
Each rule is preceded by its number (you'll see why this matters in a moment).
There's something funny about how these long switches are implemented, because even this works:
iptables -L -v --lin
You can type --lin instead of the awkward --line-numbers, because any unambiguous prefix of a long switch is accepted.
If you don't specify a chain after the command, it lists the rules for all chains. Now, how to delete a rule? Simple:
iptables -D FORWARD 9
Means delete (-D) rule #9 on the FORWARD chain. See where the line-numbers come in?
iptables -F INPUT
Means flush (-F) the INPUT chain: delete all rules pertaining to it.
(See the man-page for more.)
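To put those line numbers and counters to work, here is an added Python example (not from the original post) that parses the output of iptables -L FORWARD -v -n --line-numbers from a constructed sample (assumed to follow the legacy listing layout) and builds the -D commands for the connlimit DROP rules, highest number first so that one deletion does not renumber the rules the next command refers to.

```python
import re
from dataclasses import dataclass

# Constructed sample of `iptables -L FORWARD -v -n --line-numbers` output (legacy layout assumed).
SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       tcp  --  *      *       192.168.1.34         0.0.0.0/0            tcp flags:0x17/0x02 dpt:!80 #conn src/32 > 5
2      340   25K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 DROP       tcp  --  *      *       192.168.1.35         0.0.0.0/0            tcp flags:0x17/0x02 dpt:!80 #conn src/32 > 5
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def _count(tok):
    """Expand the abbreviated -v counters (e.g. 25K); rounded, as iptables prints them."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter: {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]

@dataclass
class Rule:
    chain: str
    num: int
    pkts: int
    bytes: int
    target: str
    source: str
    destination: str
    extra: str  # text after the fixed columns: ports, TCP flags, module output

def parse_listing(text):
    """Turn the listing into Rule objects, remembering which chain each rule is in."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
        elif line[:1].isdigit():  # header and blank lines don't start with a number
            f = line.split(None, 10)  # num pkts bytes target prot opt in out src dst [extra]
            rules.append(Rule(chain, int(f[0]), _count(f[1]), _count(f[2]), f[3],
                              f[8], f[9], f[10] if len(f) > 10 else ""))
    return rules

def delete_commands(rules, target="DROP", needle="#conn"):
    """`iptables -D` commands for rules with this target whose match text contains
    `needle` (here the connlimit rules), highest number first: deleting rule 1 would
    renumber everything after it and the later commands would hit the wrong rule."""
    hits = [r for r in rules if r.target == target and needle in r.extra]
    return [f"iptables -D {r.chain} {r.num}" for r in sorted(hits, key=lambda r: -r.num)]
```

The pkts counter of each parsed rule tells you whether the connlimit rule is actually firing before you decide to delete it.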