6.7. Using nftables to limit the amount of connections
You can use nftables to limit the number of connections, or to block IP addresses that attempt to establish a given number of connections, to prevent them from using too many system resources.
6.7.1. Limiting the number of connections using nftables
The ct count parameter of the nft utility enables administrators to limit the number of connections. The procedure describes a basic example of how to limit incoming connections.
Prerequisites
- The base example_chain in example_table exists.
Procedure 6.19. Limiting the number of connections using nftables
- Add a rule that allows only two simultaneous connections to the SSH port (22) from an IPv4 address and rejects all further connections from the same IP:
# nft add rule ip example_table example_chain tcp dport ssh meter example_meter { ip saddr ct count over 2 } counter reject
- Optionally, display the meter created in the previous step:
# nft list meter ip example_table example_meter
table ip example_table {
    meter example_meter {
        type ipv4_addr size 65535
        elements = { 192.0.2.1 : ct count over 2 , 192.0.2.2 : ct count over 2 }
    }
}
The elements entry displays addresses that currently match the rule. In this example, elements lists IP addresses that have active connections to the SSH port. Note that the output does not display the number of active connections or whether connections were rejected.
6.7.2. Blocking IP addresses that attempt more than ten new incoming TCP connections within one minute
The nftables framework enables administrators to dynamically update sets. This section explains how you use this feature to temporarily block hosts that are establishing more than ten IPv4 TCP connections within one minute. After five minutes, nftables automatically removes the IP address from the deny list.
Procedure 6.20. Blocking IP addresses that attempt more than ten new incoming TCP connections within one minute
- Create the filter table with the ip address family:
# nft add table ip filter
- Add the input chain to the filter table:
# nft add chain ip filter input { type filter hook input priority 0 \; }
- Add a set named denylist to the filter table:
# nft add set ip filter denylist { type ipv4_addr \; flags dynamic, timeout \; timeout 5m \; }
This command creates a dynamic set for IPv4 addresses. The timeout 5m parameter defines that nftables automatically removes entries from the set after 5 minutes.
- Add a rule that automatically adds the source IP address of hosts that attempt to establish more than ten new TCP connections within one minute to the denylist set:
# nft add rule ip filter input ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
- Add a rule that drops all connections from IP addresses in the denylist set:
# nft add rule ip filter input ip saddr @denylist drop
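The steps of Procedure 6.20, collected into one ruleset file that nft -f can load at boot, as an added example that is not part of the original page or of the nftables project. The threshold, ban duration and set name are parameters; the file path, the default values and the explicit policy accept line are assumptions.

```shell
#!/bin/sh
# Added example: the one-off "nft add ..." commands of Procedure 6.20 as a
# reloadable ruleset file. Not from the original page; defaults are assumptions.

# Print the ruleset. Args: new TCP connections per minute, ban duration, set name.
gen_denylist_ruleset() {
    rate="${1:-10}"; ban="${2:-5m}"; set_name="${3:-denylist}"
    # Refuse a rate that is not a positive integer; nft would reject it anyway.
    case "$rate" in ''|*[!0-9]*|0) echo "bad rate: $rate" >&2; return 1 ;; esac
    # nft time values are a number followed by d, h, m or s (for example 5m, 1h).
    case "$ban" in [1-9]*[dhms]) ;; *) echo "bad timeout: $ban" >&2; return 1 ;; esac
    cat <<EOF
# Declare and flush the table first so reloading the file does not append
# duplicate rules; the set definition is re-declared unchanged.
table ip filter
flush table ip filter

table ip filter {
    set ${set_name} {
        type ipv4_addr
        flags dynamic, timeout
        timeout ${ban}
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # A source opening more than ${rate} new TCP connections per minute is
        # added to the set for ${ban}; the counter shows how often this fired.
        ip protocol tcp ct state new, untracked limit rate over ${rate}/minute add @${set_name} { ip saddr } counter

        # Everything from a listed address is dropped until its entry expires.
        ip saddr @${set_name} counter drop
    }
}
EOF
}

# Syntax-check a generated ruleset with "nft -c" without loading it into the kernel.
# Returns 2 when nft is not installed, so callers can tell "unchecked" from "invalid".
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    gen_denylist_ruleset "$@" | nft -c -f -
}

# Constructed example values: 20 new connections per minute, 10 minute ban.
gen_denylist_ruleset 20 10m
```

Save the output to a file (for example /etc/nftables/denylist.nft, an assumed path), validate it with check_ruleset and load it with nft -f; the current entries and their remaining lifetime can be viewed with nft list set ip filter denylist.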
6.7.3. Additional resources
- For more information, see Section 6.4.2, “Using named sets in nftables”