{"id":36,"date":"2013-01-11T17:44:51","date_gmt":"2013-01-11T16:44:51","guid":{"rendered":"http:\/\/jjtronics.com\/wordpress\/?p=36"},"modified":"2016-11-09T11:38:16","modified_gmt":"2016-11-09T10:38:16","slug":"iptable-limiter-le-nombre-de-connexions-par-ip","status":"publish","type":"post","link":"https:\/\/www.jjtronics.com\/wordpress\/2013\/01\/11\/iptable-limiter-le-nombre-de-connexions-par-ip\/","title":{"rendered":"Iptable : Limiter le nombre de connexions par IP"},"content":{"rendered":"
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name BLACKLIST --set\r\niptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP<\/pre>\n
Avec les deux r\u00e8gles pr\u00e9c\u00e9dentes je refuse (DROP) les nouvelles (-m state –state NEW) connexions entrantes (-A INPUT) au port http (–dport 80) qui atteignent le taux de 10 connexions (–hitcount 10) sur une p\u00e9riode de 10 secondes (–seconds 10) et qui utilisent le protocol tcp (-p tcp).<\/p>\n
La premi\u00e8re r\u00e8gle sert \u00e0 mettre \u00e0 jour l’adresse IP<\/strong>\u00a0dans la liste BLACKLIST et la seconde r\u00e8gle permet de\u00a0limiter les connexions<\/strong>.<\/p>\n
 <\/p>\n
Bloquer les attaquants sur une p\u00e9riode plus grande que le taux<\/h3>\n
Le probl\u00e8me des r\u00e8gles pr\u00e9c\u00e9dentes est que l’adresse IP attaquante est bloqu\u00e9e sur une p\u00e9riode glissante qui n’est que de 10 secondes.<\/p>\n
Pour bloquer sur une p\u00e9riode diff\u00e9rentes que celle qui d\u00e9finit par le\u00a0taux limite<\/strong>\u00a0j’ai mis en place les r\u00e8gles suivantes :<\/p>\n
Cr\u00e9ation d’une nouvelle chaine BLACKLIST :<\/p>\n
iptables -N BLACKLIST<\/pre>\n
Lorsqu’un paquet arrive dans la chaine BLACKLIST on le drop et on ajoute son IP dans la liste BLACKLIST :<\/p>\n
iptables -A BLACKLIST -m recent --name BLACKLIST --set -j DROP<\/pre>\n
On bloque les paquets pour une p\u00e9riode de 60 secondes :<\/p>\n
iptables -A INPUT -m recent --update --name BLACKLIST --seconds 60 --rttl -j DROP<\/pre>\n
Quand un paquet arrive en entr\u00e9e sur le port 80 on met son IP dans la liste COUNTER :<\/p>\n
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name COUNTER --set<\/pre>\n
Si un paquet arrive en entr\u00e9e et qu’il d\u00e9passe le taux on le redirige dans la chaine BLACKLIST :<\/p>\n
<\/pre>\n
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name COUNTER --update --seconds \r\n10 --hitcount 10 --rttl -j BLACKLIST<\/pre>\n
 <\/p>\n
http:\/\/dev.petitchevalroux.net\/linux\/iptable-limiter-nombre-connexions-par-linux.342.html<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
iptables -A INPUT -p tcp –dport 80 -m state –state NEW -m recent –name BLACKLIST –set iptables -A INPUT -p [&hellip<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[15,2,5],"tags":[101,87,88,89,90,100,77,111],"class_list":["post-36","post","type-post","status-publish","format-standard","hentry","category-iptable","category-linux","category-linux-shell","tag-firewall","tag-linux-2","tag-mac","tag-mac-os","tag-mac-os-x","tag-o","tag-tcp","tag-x"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6YUVZ-A","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.jjtronics.com\/wordpress\/wp-json\/wp\/v2\/posts\/36","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jjtronics.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jjtronics.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jjtronics.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jjtronics.com\/wordpress\/wp-json\/wp\/v2\/comments?post=36"}],"version-history":[{"count":4,"href":"https:\/\/www.jjtronics.com\/wordpress\/wp-json\/wp\/v2\/posts\/36\/revisions"}],"predecessor-version":[{"id":208,"href":"https:\/\/www.jjtronics.com\/wordpress\/wp-json\/wp\/v2\/posts\/36\/revisions\/208"}],"wp:attachment":[{"href":"https:\/\/www.jjtronics.com\/wordpress\/wp-json\/wp\/v2\/media?parent=36"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jjtronics.com\/wordpress\/wp-json\/wp\/v2\/categories?post=36"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jjtronics.com\/wordpress\/wp-json\/wp\/v2\/tags?post=36"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}