Ratelimit rules.

diff --git a/ratelimit-with_connlimit/iptables-rules.v4 b/ratelimit-with_connlimit/iptables-rules.v4
new file mode 100644 (file)
index 0000000..263f525
--- /dev/null
+++ b/ratelimit-with_connlimit/iptables-rules.v4
@@ -0,0 +1,14 @@
+# Limit maximum number of simultaneous connections to 20. Block any excess
+# connections over 20. If it'll try to establish more connections (over 20
+# connections limit) more, than 30 times in 60s, drop any new connections from
+# that IP for 10min. if it'll try to establish new connections until timer
+# expires, reset timer to 10min at each attempt.
+
+-A RATELIMIT_DROP -m recent --update --seconds 600 --name ratelimit_drop --rsource -j DROP
+
+-A CONNLIMIT -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
+-A CONNLIMIT -j RATELIMIT_DROP
+-A CONNLIMIT -m connlimit --connlimit-upto 20 -j RETURN
+-A CONNLIMIT -m recent --set --name connlimit_over --rsource
+-A CONNLIMIT -m recent --rcheck --seconds 60 --hitcount 30 --name connlimit_over -m recent --set --name ratelimit_drop --rsource
+-A CONNLIMIT -j DROP

diff --git a/ratelimit/iptables-rules.v4 b/ratelimit/iptables-rules.v4
new file mode 100644 (file)
index 0000000..0533d8d
--- /dev/null
+++ b/ratelimit/iptables-rules.v4
@@ -0,0 +1,7 @@
+# Limit new connections speed to no more, than 210 in 30s. If it'll go faster,
+# block an IP for 10min. If it tries to establish new connections until 10min
+# timer expires, reset timer to 10min.
+-A RATELIMIT -m state --state NEW -m recent --set --name ratelimit --rsource
+-A RATELIMIT -m recent --rcheck --seconds 600 --name ratelimit_drop --rsource -m limit --limit 10/min --limit-burst 10 -j LOG --log-prefix "ipt: in ratelimit drop: " --log-tcp-options --log-ip-options
+-A RATELIMIT -m recent --update --seconds 600 --name ratelimit_drop --rsource -j DROP
+-A RATELIMIT -m recent --rcheck --seconds 30 --hitcount 210 --name ratelimit --rsource -m recent --set --name ratelimit_drop --rsource -j DROP