Add connection-limiting per-IP example

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3040 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-08 16:54:10 +01:00 · 2005-11-20 21:23:05 +00:00 · 2005-11-20 21:23:05 +00:00 · 16d7c6da44
commit 16d7c6da44
parent a70b5432ff
2 changed files with 42 additions and 2 deletions
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@ -476,7 +476,8 @@
    </listitem>

    <listitem>
-      <para><ulink url="PortKnocking.html">Port Knocking</ulink></para>
+      <para><ulink url="PortKnocking.html">Port Knocking and Other Uses of the
+      'Recent Match'</ulink></para>
    </listitem>

    <listitem>
--- a/Shorewall-docs2/PortKnocking.xml
+++ b/Shorewall-docs2/PortKnocking.xml
@ -5,7 +5,7 @@
  <!--$Id$-->

  <articleinfo>
-    <title>Port Knocking</title>
+    <title>Port Knocking and Other Uses of 'Recent Match' </title>

    <authorgroup>
      <author>
@ -127,4 +127,43 @@ SSHKnock         net               loc:192.168.1.5 tcp         22            -
      </listitem>
    </orderedlist>
  </section>
+
+  <section>
+    <title>Limiting Per-IP Connection Rate</title>
+
+    <para>Suppose that you wish to limit the number of connections to port 22
+    to 3/minute from internet host.</para>
+
+    <orderedlist>
+      <listitem>
+        <para>Add an action named SSHLimit (see the <ulink
+        url="Actions.html">Action documentation</ulink>). Leave the
+        <filename>action.SSHLimit</filename> file empty.</para>
+      </listitem>
+
+      <listitem>
+        <para>Create /etc/shorewall/SSLimit with the following
+        contents:</para>
+
+        <programlisting>run_iptables -A $CHAIN -m recent --name SSHA --set
+if [ -n "$LEVEL" ]; then
+    log_rule_limit $LEVEL $CHAIN SSHLimit REJECT "" "$TAG" -A -m recent --name SSHA --seconds 60 --hitcount 3
+fi
+run_iptables -A $CHAIN -m recent --name SSHA --seconds 60 --hitcount 3 -j reject</programlisting>
+      </listitem>
+
+      <listitem>
+        <para>Add this rule to /etc/shorewall/rules:</para>
+
+        <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
+SSHLimit         net               all            tcp         22</programlisting>
+
+        <para>If you wish to log the rejects at the 'info' level then use this
+        rule instead:</para>
+
+        <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
+SSHLimit:info    net               all            tcp         22</programlisting>
+      </listitem>
+    </orderedlist>
+  </section>
 </article>