From: sgf
Date: Fri, 10 Nov 2023 15:44:52 +0000 (+0300)
Subject: Ratelimit with connlimit for icmp.
X-Git-Url: https://gitweb.sgf-dma.tk/?a=commitdiff_plain;p=iptables.git
Ratelimit with connlimit for icmp.
---
diff --git a/ratelimit-with_connlimit/iptables-rules-v2.v4 b/ratelimit-with_connlimit/iptables-rules-v2.v4
new file mode 100644
index 0000000..7837eb0
--- /dev/null
+++ b/ratelimit-with_connlimit/iptables-rules-v2.v4
@@ -0,0 +1,26 @@
+-A INPUT -p icmp -m icmp --icmp-type 8 -j CONNLIMIT_ICMP
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+
+# Update last-seen timestamp and drop, if packet was seen within last 10 mins.
+-A RATELIMIT_DROP -m recent --update --seconds 600 --name ratelimit_drop --rsource -j DROP
+
+# Limit the overall speed to no more, than roughly 1 packet/second per connection.
+# Limit the number of simultaneous connections to no more, than 2.
+# Note, that previous icmp connection entry remains in conntrack for 30 seconds.
+# Thus, effectively i can't establish a new connection more, than 2 times per 30 second.
+
+# Count every packet, because i need to control rate in established connections too.
+-A CONNLIMIT_ICMP -m recent --set --name ratelimit_icmp --rsource
+# Violating limits will block both established and new connections.
+-A CONNLIMIT_ICMP -j RATELIMIT_DROP
+# Rates for 1 and 2 connections respectively.
+-A CONNLIMIT_ICMP -m connlimit --connlimit-upto 1 -m recent --rcheck --seconds 10 --hitcount 13 --name ratelimit_icmp --rsource -m recent --set --name ratelimit_drop2 --rsource -j DROP
+-A CONNLIMIT_ICMP -m connlimit --connlimit-upto 2 -m recent --rcheck --seconds 10 --hitcount 26 --name ratelimit_icmp --rsource -m recent --set --name ratelimit_drop2 --rsource -j DROP
+# I don't need to check packets from established connections against connection limit, because they do not start a new connection.
+-A CONNLIMIT_ICMP -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
+-A CONNLIMIT_ICMP -m connlimit --connlimit-upto 2 --connlimit-mask 32 --connlimit-saddr -j RETURN
+-A CONNLIMIT_ICMP -m recent --set --name connlimit_icmp_over --rsource
+# No more, than 10 (during 1min) connection limit violations are allowed.
+-A CONNLIMIT_ICMP -m recent --rcheck --seconds 60 --hitcount 10 --name connlimit_icmp_over --rsource -m recent --set --name ratelimit_drop2 --rsource
+# Drop attempts to create connections above limit.
+-A CONNLIMIT_ICMP -j DROP
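Review bot: The 10-minute ban in the RATELIMIT_DROP rule (fifth added line) can never fire as written: `-m recent --update --name ratelimit_drop` only refreshes entries that already exist, while all three rules that record a violation (the two hitcount DROP rules and the connlimit_icmp_over rule) write `--set --name ratelimit_drop2`, so the lists never meet and offenders are only dropped packet-by-packet by the individual DROP rules instead of being blocked for 600 seconds. Unless something outside this file populates `ratelimit_drop`, make the names agree, e.g. `-A RATELIMIT_DROP -m recent --update --seconds 600 --name ratelimit_drop2 --rsource -j DROP` (or change the three `--set` rules to `ratelimit_drop`), and add a comment above that rule such as `# ratelimit_drop2 is fed by the hitcount and connlimit_icmp_over rules below` so the coupling is visible. Separately, on older xt_recent builds a `--hitcount` above the module's `ip_pkt_list_tot` (default 20) is rejected at load time, which would affect the `--hitcount 26` rule, so confirm the kernel/module on the target host. The file carries no `*filter` header, chain declarations or `COMMIT`, so it is presumably a fragment spliced into a larger ruleset; the RATELIMIT_DROP and CONNLIMIT_ICMP chains must be declared there for iptables-restore to accept it.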