Connection throttling POP3.

David S. Madole david at madole.net
Mon May 21 20:02:00 EDT 2007


> From Matthew Schumacher on Monday, May 21, 2007 6:35 PM
>
> I agree with Blake, while I can do it with IPtables it's not 
> a good solution.
> 
> The first iptables suggestion blocked the offending IP, which 
> is fine, but also requires me to babysit the server.  The 
> second suggestion would correctly limit connections, but if 
> I'm reading it right, would lump all connections together, 
> not just connections per originating IP address.

If you are talking about the suggestion I made, which looked like this:

# Rule 1: a NEW connection from a source address already seen in the
# last 60 seconds is dropped (--update also refreshes that address's
# "last seen" timestamp, so a client that keeps retrying stays blocked).
iptables -A INPUT -p tcp --dport 22 \
         -m state --state NEW \
         -m recent --update --seconds 60 -j DROP

# Rule 2: the first NEW connection in the window records the source
# address in the recent list and is accepted.
# (Port 22 as posted; for POP3 use --dport 110.)
iptables -A INPUT -p tcp --dport 22 \
         -m state --state NEW \
         -m recent --set -j ACCEPT

then you did not read it right. It limits to one connection per IP address per minute. Each source address is kept track of in enforcing the limit. Using the --hitcount option in addition to the --seconds option, you can also create limits such as a maximum of four connections in two minutes, etc.

David
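The --hitcount variant David mentions, worked out as a complete script for the POP3 case. This is an added example, not code from David's post or from the Cyrus project; the list name pop3_throttle, the ports 110 and 995, the limit of four connections per source address in 120 seconds, and the use of --rttl and the conntrack match are this example's own assumptions. It prints the rules by default and applies them only when asked to, so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post: per-source-IP connection
# throttling for POP3 using the iptables "recent" match with --hitcount.
# The list name, ports and limits below are this example's own assumptions.

PORTS="110 995"        # POP3 and POP3S (assumed)
LIST="pop3_throttle"   # dedicated recent list, so no other rule shares its state
WINDOW=120             # seconds
HITS=4                 # at most HITS NEW connections per source IP per WINDOW

# Emit the rules instead of applying them, so they can be reviewed first.
# The recent match keeps one entry per source address. Rule 1 drops a NEW
# connection only if that same address already has HITS timestamps within
# the last WINDOW seconds; rule 2 records the address (and accepts) otherwise.
pop3_throttle_rules() {
    for port in $PORTS; do
        # --update refreshes the entry on every hit, dropped ones included, so
        # a client that keeps retrying stays blocked until it pauses for WINDOW
        # seconds. Use --rcheck instead if the window should expire regardless.
        # --rttl ignores hits whose TTL differs from the recorded one, making
        # spoofed packets less useful for locking out a legitimate address.
        printf '%s\n' "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $LIST --update --seconds $WINDOW --hitcount $HITS --rttl -j DROP"
        printf '%s\n' "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $LIST --set -j ACCEPT"
    done
}

# Show which addresses the kernel is currently tracking in this list.
show_tracked() {
    cat "/proc/net/xt_recent/$LIST" 2>/dev/null \
        || echo "list $LIST not present (rules not loaded?)"
}

# Usage: sh pop3_throttle.sh          -> print the rules
#        sh pop3_throttle.sh --apply  -> apply them (needs root), then show the list
case "${1:-}" in
    --apply)
        pop3_throttle_rules | sh -e
        show_tracked
        ;;
    *)
        pop3_throttle_rules
        ;;
esac
```

Because both rules name the same list and rule 2 fires on every accepted connection, the count is per source address: the fifth NEW connection from one client within 120 seconds is dropped while other clients are unaffected. After loading, /proc/net/xt_recent/pop3_throttle lists the tracked addresses with their timestamps, which is the quickest way to confirm the limit is being enforced as intended.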



More information about the Info-cyrus mailing list