From b4365c7445e90ed1e08760456f203bf20fcf2ff5 Mon Sep 17 00:00:00 2001
From: sgf
Date: Wed, 9 Nov 2022 14:04:45 +0300
Subject: [PATCH] Ratelimit rules.
---
 ratelimit-with_connlimit/iptables-rules.v4 | 14 ++++++++++++++
 ratelimit/iptables-rules.v4 | 7 +++++++
 2 files changed, 21 insertions(+)
 create mode 100644 ratelimit-with_connlimit/iptables-rules.v4
 create mode 100644 ratelimit/iptables-rules.v4
diff --git a/ratelimit-with_connlimit/iptables-rules.v4 b/ratelimit-with_connlimit/iptables-rules.v4
new file mode 100644
index 0000000..263f525
--- /dev/null
+++ b/ratelimit-with_connlimit/iptables-rules.v4
@@ -0,0 +1,14 @@
+# Limit maximum number of simultaneous connections to 20. Block any excess
+# connections over 20. If it'll try to establish more connections (over 20
+# connections limit) more, than 30 times in 60s, drop any new connections from
+# that IP for 10min. if it'll try to establish new connections until timer
+# expires, reset timer to 10min at each attempt.
+
+-A RATELIMIT_DROP -m recent --update --seconds 600 --name ratelimit_drop --rsource -j DROP
+
+-A CONNLIMIT -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
+-A CONNLIMIT -j RATELIMIT_DROP
+-A CONNLIMIT -m connlimit --connlimit-upto 20 -j RETURN
+-A CONNLIMIT -m recent --set --name connlimit_over --rsource
+-A CONNLIMIT -m recent --rcheck --seconds 60 --hitcount 30 --name connlimit_over -m recent --set --name ratelimit_drop --rsource
+-A CONNLIMIT -j DROP
diff --git a/ratelimit/iptables-rules.v4 b/ratelimit/iptables-rules.v4
new file mode 100644
index 0000000..0533d8d
--- /dev/null
+++ b/ratelimit/iptables-rules.v4
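Review bot: Nothing in this file declares or hooks the chains it appends to: as an iptables-restore input it has no `*filter` header, no `:CONNLIMIT - [0:0]` / `:RATELIMIT_DROP - [0:0]` declarations, no closing `COMMIT`, and no rule that jumps from INPUT into CONNLIMIT, so either add them or state in the header comment that the file is a fragment to be spliced into an existing ruleset. The drops in CONNLIMIT and RATELIMIT_DROP are silent, unlike the RATELIMIT chain in the other file of this patch, which logs before dropping; a rate-limited `-A CONNLIMIT -m limit --limit 10/min -j LOG --log-prefix "ipt: connlimit drop: "` placed before the final `-A CONNLIMIT -j DROP` would make bans observable. Both files feed the same `ratelimit_drop` list, so a source banned by one chain is also dropped by the other when both are loaded — presumably intended, but the comment should say so. The ban is keyed on the source /32 (`--rsource`, default `--connlimit-mask 32`), so clients sharing one NAT address count as a single source and are blocked together.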
@@ -0,0 +1,7 @@
+# Limit new connections speed to no more, than 210 in 30s. If it'll go faster,
+# block an IP for 10min. If it tries to establish new connections until 10min
+# timer expires, reset timer to 10min.
+-A RATELIMIT -m state --state NEW -m recent --set --name ratelimit --rsource
+-A RATELIMIT -m recent --rcheck --seconds 600 --name ratelimit_drop --rsource -m limit --limit 10/min --limit-burst 10 -j LOG --log-prefix "ipt: in ratelimit drop: " --log-tcp-options --log-ip-options
+-A RATELIMIT -m recent --update --seconds 600 --name ratelimit_drop --rsource -j DROP
+-A RATELIMIT -m recent --rcheck --seconds 30 --hitcount 210 --name ratelimit --rsource -m recent --set --name ratelimit_drop --rsource -j DROP
-- 
2.20.1
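Review bot: The third and fourth RATELIMIT rules are not restricted to NEW, so once a source is in `ratelimit_drop` every packet of its already-established connections is dropped and refreshes the 600 s timer, which the header comment ("new connections") does not say; if that is intended, document it, otherwise add `-m conntrack --ctstate NEW` to those two rules. The first rule uses the legacy `-m state --state NEW` while the companion file in this patch uses `-m conntrack --ctstate`; the two files should agree on one form. The ban is keyed on the source address of unauthenticated NEW packets (a bare SYN counts), so an address can be entered into `ratelimit_drop` without any handshake completing, and a NAT whose users exceed 210 new connections in 30 s is blocked as a whole (`--rsource`, /32); both are worth a sentence in the comment. Whether `--hitcount 210` loads depends on the kernel: the iptables-extensions man page gives the module's ip_pkt_list_tot (default 20) as the maximum, while newer xt_recent sizes the table from the rule's hitcount instead — confirm on the target kernel and note the requirement in the comment.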