Part 7: Create a secure iptables configuration

I have a fairly secure iptables configuration.

I have left the allowed sshd port at 22.

It can be reviewed at this gist.

The interesting thing is the use of limit and limit-burst.

This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging, for example.

xt_limit has no negation support - you will have to use -m hashlimit ! --hashlimit rate in this case whilst omitting --hashlimit-mode.

--limit rate[/second|/minute|/hour|/day]
Maximum average matching rate: specified as a number, with an optional '/second', '/minute', '/hour', or '/day' suffix; the default is 3/hour.
--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
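To see how --limit and --limit-burst interact, here is a simplified token bucket model of the behaviour described above. It is an added example, not code from this post, its gist, or the kernel's xt_limit module; the function names parse_rate and simulate are hypothetical, and the packet timestamps are constructed.

```python
from fractions import Fraction

# Suffixes listed in the option description above, in seconds.
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """Turn a --limit value such as '5/minute' into tokens per second."""
    count, _, unit = spec.partition("/")
    # Assumption: a bare number with no suffix is treated as per second.
    return Fraction(int(count), UNITS[unit or "second"])


def simulate(arrivals, limit="3/hour", burst=5):
    """Return one True/False per packet: True if the limit rule matches.

    arrivals: packet timestamps in seconds, in ascending order.
    """
    rate = parse_rate(limit)
    tokens = Fraction(burst)      # the bucket starts full
    last = None
    verdicts = []
    for t in arrivals:
        if last is not None:
            # Recharge for the time elapsed, never beyond --limit-burst.
            tokens = min(Fraction(burst), tokens + (Fraction(t) - last) * rate)
        last = Fraction(t)
        if tokens >= 1:
            tokens -= 1           # a matching packet spends one token
            verdicts.append(True)
        else:
            verdicts.append(False)  # bucket empty: rule does not match
    return verdicts


if __name__ == "__main__":
    # Constructed sample: one packet per second for 10 s, then three stragglers.
    arrivals = list(range(10)) + [12, 13, 24]
    for t, hit in zip(arrivals, simulate(arrivals, "5/minute", 5)):
        print(f"t={t:>3}s  {'match (e.g. LOG)' if hit else 'no match'}")
```

With 5/minute and a burst of 5, the first five packets match immediately and later packets match only once a full token has recharged, about one every 12 seconds. A long idle period never buys more than the burst value.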

