So, let's get started, install iptables:
yum -y install iptables
IPTables, by default only timestamps and tracks up to 20 connections. Which isn't very many. This means that by default if you use --hitcount 21 you'll error out. You can control the limit by updating /etc/modprob.d/modprobe.conf:
options ipt_recent ip_pkt_list_tot=50
Then, reload the ipt_recent kernel module:
rmmod ipt_recent modprobe ipt_recent
Next, create the script that will add the rules (vi /tmp/limit.sh):
# Create a LOGDROP chain to log and drop packets iptables -N LOGDROP iptables -A LOGDROP -j LOG iptables -A LOGDROP -j DROP iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name "limit-http" --rsource iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 5 --hitcount 20 --name "limit-http" --rsource -j LOGDROP iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m recent --set --name "limit-https" --rsource iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m recent --update --seconds 5 --hitcount 20 --name "limit-https" --rsource -j LOGDROP iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
Execute that script:
sh /tmp/limit.sh
Now, we want these rules to be applied on each reboot, so only do this if you have nothing in /etc/sysconfig/iptables - which most ec2 clients don't even have. If you have stuff in there, just bake the above in. so do (on CentOS/RHEL derivatives):
iptables-save > /etc/sysconfig/iptables
To check, do:
service iptables stop service iptables start service iptables status
Helpful NOTES:
You can see what the packet filter is doing, in real time, like this:
watch iptables -nvx -L
Also, you can use apache's benchmarking program, ab to trip the filter for testing purposes, like this:
ab -n 1000 -c 5 http://IP/index.html
Where 1000 is the total number of requests and 5 is the number of concurrent requests.
So, to test it out, point that at your webserver and tail /var/log/messages, and you'll find that you start dropping packets from the client running apache bench.
You're welcome! :)