Limit the number of connections to any port with iptables
This morning we had a DDoS attack on our mail server. Some @$$ was trying to swamp our Postfix service with hundreds of connections. SO, I did something I did not want to do, but, oh well.
The bit below explains a few things and shows how to limit the number of active connections to any port on your server with iptables.
In the syntax below, -I inserts the rule at the position you specify. The rule currently at that position, and every rule below it, shifts down by one in the chain. You want to insert at the number of the rule that currently ACCEPTs connections to the port you are trying to limit, so the new rule sits directly above it. So if your smtp/ssmtp rule is on line number 19, you will insert this rule at line number 19.
Remember, iptables works DOWN the list. A packet is checked against each rule in turn; when a rule matches and its target is terminating (ACCEPT, DROP or REJECT), processing stops there and that is what happens to the packet. If a matching rule's target is not terminating (LOG, for example), processing continues down the list until a terminating rule matches or the chain's default policy applies. That is why the limit rule has to sit above the ACCEPT rule for the same port: once the ACCEPT matches, nothing below it is ever consulted.
To find the correct rule number to insert at, you can view your INPUT chain like so.
$ iptables --line-numbers -L INPUT
Now onto the new rule:
- The number after INPUT is the position to insert the new rule at (shown as ## below; replace it with the number you found in the listing).
- --dport is the port the service is running on.
- --connlimit-above is the maximum number of connections a single source address may have open at once (connlimit counts per /32 by default); an attempt beyond that is REJECTed. --syn restricts the rule to new connection attempts, so established connections are not touched.
$ iptables -I INPUT ## -p tcp --syn --dport 25 -m connlimit --connlimit-above 10 -j REJECT
$ iptables -I INPUT ## -p tcp --syn --dport 465 -m connlimit --connlimit-above 10 -j REJECT
When we are done, our chain should look like this:
REJECT     tcp  --  anywhere             anywhere             tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN #conn/32 > 10 reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp flags:FIN,SYN,RST,ACK/SYN #conn/32 > 10 reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
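To take the guesswork out of the "find the line number, then insert at it" step, here is a small shell helper, added here and not part of the original post. It reads the output of iptables --line-numbers -L INPUT, finds the ACCEPT rule for a service, and prints the connlimit REJECT command to insert at that same number. The listing and the smtp/ssmtp name-to-port table are constructed for the example.

```shell
#!/bin/sh
# Added example: parse an `iptables --line-numbers -L INPUT` listing, find the
# ACCEPT rule for a service, and print the connlimit REJECT rule to insert at
# that number so it lands directly above the ACCEPT.

# Constructed sample listing, in the shape `iptables --line-numbers -L INPUT` prints.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
18   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
19   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
20   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp'

# Map the two service names the post uses to port numbers (hypothetical table;
# a numeric argument is passed through unchanged).
port_number() {
    case "$1" in
        smtp)  echo 25 ;;
        ssmtp) echo 465 ;;
        *)     echo "$1" ;;
    esac
}

# Read a listing on stdin and print the number of the first tcp ACCEPT rule
# whose destination port is $1 (by name, as -L shows, or by number, as -n shows).
find_rule_num() {
    awk -v name="$1" -v num="$(port_number "$1")" \
        '$2 == "ACCEPT" && $3 == "tcp" &&
         ($NF == ("dpt:" name) || $NF == ("dpt:" num)) { print $1; exit }'
}

# Build the insert command: position $1, tcp port $2, reject a source address
# (connlimit's default /32 mask) once it already holds more than $3 connections.
build_rule() {
    printf 'iptables -I INPUT %s -p tcp --syn --dport %s -m connlimit --connlimit-above %s -j REJECT\n' \
        "$1" "$2" "$3"
}

# Read a listing on stdin; print the insert command for service $1 with limit $2.
# Fails (status 1, no output) when the chain has no ACCEPT rule for that port.
limit_cmd_for() {
    rule=$(find_rule_num "$1")
    [ -n "$rule" ] || return 1
    build_rule "$rule" "$(port_number "$1")" "$2"
}

# Stand-alone demo on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | limit_cmd_for smtp 10
```

On a real box, pipe iptables --line-numbers -L INPUT into limit_cmd_for instead of the sample, and re-list between the smtp and ssmtp inserts, because the first insert shifts every rule below it down by one.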