There is a limit module in iptables that allows us to rate-limit connections to a particular port/service. Suppose you want a maximum of 2 SSH connections in any given minute. The following rules should work.
In the above rules, only 2 connection-request packets are allowed in a minute. In simple words, only two SSH connections to the system are allowed per minute. But even after applying the above rule, I was able to make more than two connections to SSH within a minute.
So what went wrong?
Here we missed the limit-burst parameter. The default value of this parameter is 5, so if you do not specify it, 5 is used. In our example above, 5 SYN packets are therefore allowed in a minute. So the first rule should look like the following:
iptables -I INPUT -p tcp --dport 22 --syn -m limit --limit 2/min --limit-burst 2 -j ACCEPT
The default burst is 5, which means the above rule applies to the first 5 packets. You specified the condition that 2 SYN packets per minute will be allowed, but what happens to the other packets in that burst?
So it is clear that we have to specify limit-burst as 2, so that the burst does not hold 5 packets and the bucket is refilled after the unit time, which is 1 minute.
Let us understand this concept in detail. The limit match is basically a token bucket filter. Packets that match the rule consume tokens. The limit-burst option sets the size of the bucket: if you specify limit-burst as 2, there will be 2 tokens in the bucket. Now, since there are only two tokens in the bucket, suppose you receive 5 SYN packets on port 22 in a minute. The first SYN packet takes the first token and the second SYN packet takes the last token (since there are only two). All tokens are used, so the bucket becomes empty.
What will happen to rest of packets?
Since no more tokens are left, they pass on to the next rule in the chain; in our example the next rule drops those packets.
Now the question arises:
when will the bucket be refilled with new tokens?
The answer depends on the value of the --limit parameter. In our example it is --limit 2/min, so the bucket is refilled with 2 new tokens every minute.
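To make the bucket behaviour concrete, here is an added simulation (not part of the original post) of how the kernel's limit match accounts for tokens: the bucket starts full, holds at most limit-burst tokens, refills continuously at the --limit rate (2/min is one token every 30 seconds rather than two tokens dropped in at once), and each matching SYN consumes one token. The SYN arrival times are constructed sample data, and the DROP verdict stands for the following rule in the chain.

```python
"""Token-bucket model of the iptables `limit` match (xt_limit).

Added example, not from the original post. Simplified accounting:
bucket starts full, capped at `limit_burst`, refills continuously at
`--limit` rate, one token consumed per matching packet.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    rate_per_min: float          # --limit N/min
    limit_burst: int = 5         # --limit-burst; iptables default is 5
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        # xt_limit initialises the credit to the full burst
        self.tokens = float(self.limit_burst)

    def match(self, now: float) -> bool:
        """True if a packet arriving at `now` (seconds) matches -m limit."""
        # refill for the elapsed time, never above the burst size
        refill = (now - self.last) * self.rate_per_min / 60.0
        self.tokens = min(float(self.limit_burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0       # this packet spends one token
            return True
        return False


def simulate(syn_times, rate_per_min, limit_burst):
    """Run SYN arrival times through the ACCEPT rule; unmatched packets
    fall through to the next rule, which DROPs them in the post's setup."""
    m = LimitMatch(rate_per_min, limit_burst)
    return ["ACCEPT" if m.match(t) else "DROP" for t in syn_times]


# Constructed sample: five SSH SYNs in the first five seconds,
# then two more a minute later
SYN_TIMES = [0, 1, 2, 3, 4, 60, 61]

if __name__ == "__main__":
    # default burst of 5: every one of the first five SYNs gets through
    print(simulate(SYN_TIMES, 2, 5))
    # --limit-burst 2: only two SYNs in the first minute, two more after it
    print(simulate(SYN_TIMES, 2, 2))
```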