marcelomnzs, Active Member (joined Aug 9, 2019; 131 messages; 27 reaction score)
fail2ban is just to protect SSH.
To limit connections per IP to ports 7171-7172, you have to run some extra iptables rules:
The comments explaining what does what are translated from Polish. Packets per second for a 12+ client should be around 500.
Bash:
```bash
# 5 simultaneous connections per IP
iptables -A INPUT -p tcp --syn --dport 7171:7172 -m connlimit --connlimit-above 5 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# 10 new connections per minute per IP
iptables -A INPUT -p tcp --dport 7171:7172 -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-above 10/min --hashlimit-burst 10 --hashlimit-name conn_7171_rate_min -j REJECT --reject-with tcp-reset
# 2 new connections per second per IP
iptables -A INPUT -p tcp --dport 7171:7172 -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-above 2/sec --hashlimit-burst 2 --hashlimit-name conn_7171_rate_sec -j REJECT --reject-with tcp-reset
# 150 incoming packets per second per IP (149 and 150 are deliberate: iptables has some problem and the rule does not work when both values are the same)
iptables -A INPUT -p tcp --dport 7171:7172 -m hashlimit --hashlimit-mode srcip --hashlimit-above 149/sec --hashlimit-burst 150 --hashlimit-name conn_7171_rate_packets_sec -j REJECT --reject-with tcp-reset
# 10 kB of incoming traffic per second per IP. Tibia can pack many game packets into one network packet,
# so 150 network packets may carry 15000 packets for the dispatcher to handle; this limits that kind of bot spam
iptables -A INPUT -p tcp --dport 7171:7172 -m hashlimit --hashlimit-above 10kb/s --hashlimit-mode srcip --hashlimit-name bandwidth_7171_sec -j REJECT --reject-with tcp-reset
```
If you are running a website on your host with direct access by IP, you can apply similar rules to ports 80 (HTTP) and 443 (HTTPS).
Anyway, the only real protection for a website is cloudflare.com [it's free, you don't need a 'paid' plan to get full protection], which filters packets between your host and users.
If you configure your website to run 'behind cloudflare', you can run this to limit access to the www ports to Cloudflare servers only:
Bash:
```bash
# Accept HTTP/HTTPS only from Cloudflare's published IPv4 and IPv6 ranges,
# then drop everything else arriving on those ports
for i in $(curl -fsS https://www.cloudflare.com/ips-v4); do iptables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
for i in $(curl -fsS https://www.cloudflare.com/ips-v6); do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
```
Once again, thank you so much, brother! I will apply these rules.
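An added example, not code from the quoted post or the reply: it turns the quoted per-IP limits and the Cloudflare allowlist into a generator that prints an idempotent rule script. Every rule is wrapped in `iptables -C ... || iptables -A/-I ...`, so re-running the printed script never duplicates rules; the limits live in dedicated chains (`GAMELIMIT`, `WEBLIMIT`, both names are my choice) reached through one INPUT jump; and the Cloudflare part refuses to emit the DROP when the CIDR list is empty, which is what happens when the `curl` download fails and would otherwise lock everyone out of the site. The `-m conntrack --ctstate NEW` form is the current equivalent of the quoted `-m state --state NEW`; the chain names, the `rule`/`ratelimit_chain`/`allowlist_web` functions and the constructed CIDR list in the usage are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not the quoted post's code). Prints a rule script to stdout;
# nothing here touches the kernel. Review the output, then run it as root.
set -u

# Print one guarded rule.  rule <iptables|ip6tables> <chain> <-A|-I> <spec...>
rule() {
  local bin=$1 chain=$2 mode=$3; shift 3
  printf '%s -C %s %s 2>/dev/null || %s %s %s %s\n' \
    "$bin" "$chain" "$*" "$bin" "$mode" "$chain" "$*"
}

# Per-IP limits from the quoted post in a dedicated chain, reached through a
# single INPUT jump on the ports. connlimit only counts connections whose SYN
# passed through its rule, so the jump keeps the count scoped to those ports.
# hashlimit names are kept short; older hashlimit revisions cap them at 15 chars.
# ratelimit_chain <chain> <multiport spec, e.g. 7171:7172 or 80,443> [max parallel connections, default 5]
ratelimit_chain() {
  local c=$1 ports=$2 maxconn=${3:-5}
  echo "iptables -N $c 2>/dev/null || true"
  rule iptables "$c" -A -p tcp --syn -m connlimit --connlimit-above "$maxconn" --connlimit-mask 32 -j REJECT --reject-with tcp-reset
  rule iptables "$c" -A -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-above 10/min --hashlimit-burst 10 --hashlimit-name "${c}_min" -j REJECT --reject-with tcp-reset
  rule iptables "$c" -A -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-above 2/sec --hashlimit-burst 2 --hashlimit-name "${c}_sec" -j REJECT --reject-with tcp-reset
  # above/burst deliberately differ (149/150), as the quoted comment advises
  rule iptables "$c" -A -p tcp -m hashlimit --hashlimit-mode srcip --hashlimit-above 149/sec --hashlimit-burst 150 --hashlimit-name "${c}_pps" -j REJECT --reject-with tcp-reset
  rule iptables "$c" -A -p tcp -m hashlimit --hashlimit-mode srcip --hashlimit-above 10kb/s --hashlimit-name "${c}_bps" -j REJECT --reject-with tcp-reset
  rule iptables INPUT -A -p tcp -m multiport --dports "$ports" -j "$c"
}

# Allow 80/443 only from the CIDRs in <file> (one per line, e.g. the Cloudflare
# list saved with curl), then drop the rest. ACCEPT rules are inserted with -I
# so a refreshed list always lands above the DROP; an empty list is an error,
# so a failed download can never produce a DROP with no ACCEPT in front of it.
# allowlist_web <iptables|ip6tables> <cidr-file>
allowlist_web() {
  local bin=$1 file=$2 n=0 cidr
  while IFS= read -r cidr || [ -n "$cidr" ]; do
    case $cidr in ''|'#'*) continue ;; esac   # skip blank lines and comments
    rule "$bin" INPUT -I -p tcp -m multiport --dports 80,443 -s "$cidr" -j ACCEPT
    n=$((n + 1))
  done < "$file"
  if [ "$n" -eq 0 ]; then
    echo "allowlist_web: no CIDRs in $file, refusing to emit a DROP for 80/443" >&2
    return 1
  fi
  rule "$bin" INPUT -A -p tcp -m multiport --dports 80,443 -j DROP
}

# Usage: gen-rules.sh [cloudflare-ipv4.txt [cloudflare-ipv6.txt]]
# Without list files, the web ports get per-IP limits like the game ports, with
# a looser connection cap: browsers open several parallel connections per host.
main() {
  ratelimit_chain GAMELIMIT 7171:7172
  if [ $# -ge 1 ]; then
    allowlist_web iptables "$1" || return 1
    if [ $# -ge 2 ]; then allowlist_web ip6tables "$2" || return 1; fi
  else
    ratelimit_chain WEBLIMIT 80,443 20
  fi
}
main "$@" || exit 1
```

Typical use: `curl -fsS https://www.cloudflare.com/ips-v4 -o ips-v4` (and `ips-v6`), then `bash gen-rules.sh ips-v4 ips-v6 > rules.sh`, read `rules.sh`, and run it as root; re-run the same steps whenever the lists change. Keep in mind that connlimit counts per source address, so players behind one NAT share the 5-connection budget, and the 20-connection cap on the web chain is only a starting point.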