The connlimit module in iptables is an excellent defence against Apache Denial of Service attacks. However, since upgrading to Karmic, iptables is no longer blocking simultaneous connections when requested for me.
I had previously been using:
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 -j REJECT
However, worryingly, it no longer works for me. I can establish 20 simultaneous connections with the above firewall rule in place. I believe this should be fixed with some urgency, as my webserver has already been taken offline once by an attack (I stopped the attack by firewalling the attacker's IP address manually).
I've filed a bug report; please check your iptables connlimit and report back either way: https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/478290
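A self-contained way to perform the check the reporter asks for. This is an added example, not code from the bug report: it opens N TCP connections to a target and holds them all open at once, then reports how many completed the handshake, how many were refused (what a REJECT rule produces) and how many timed out (what a DROP rule produces). The built-in throwaway server stands in for Apache so the script runs offline; to test the rule above, bind that server (or Apache) on port 80 as root, load the rule, and run the client against 127.0.0.1:80 from the same machine. Loopback traffic does traverse the INPUT chain, so with a working connlimit you should see 10 established and 10 refused out of 20. The function names and the port handling are my own.

```python
import socket
import socketserver
import threading


class _HoldOpenHandler(socketserver.BaseRequestHandler):
    """Keep the accepted connection open until the client closes it."""

    def handle(self):
        try:
            self.request.recv(1)
        except OSError:
            pass


class _HoldOpenServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    request_queue_size = 64   # deep listen backlog so a burst of connects is not dropped
    daemon_threads = True


def start_local_server(host="127.0.0.1", port=0):
    """Start a throwaway TCP server standing in for Apache (port 0 = pick a free port).
    Returns (server, bound_port); call server.shutdown() when done."""
    srv = _HoldOpenServer((host, port), _HoldOpenHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def count_concurrent_connections(host, port, n, timeout=2.0):
    """Open n TCP connections to host:port and keep them all open simultaneously.

    Returns a dict with the number of connections that were established,
    refused (RST or ICMP unreachable, i.e. what iptables REJECT produces) and
    timed out (silently dropped, i.e. what iptables DROP produces).
    All sockets are closed before returning.
    """
    held = []
    result = {"established": 0, "refused": 0, "timed_out": 0}
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                held.append(s)          # keep it open so it counts as concurrent
                result["established"] += 1
            except ConnectionRefusedError:
                result["refused"] += 1
                s.close()
            except socket.timeout:
                result["timed_out"] += 1
                s.close()
        return result
    finally:
        for s in held:
            s.close()


if __name__ == "__main__":
    import sys
    # Usage: python3 connlimit_check.py [host] [port] [count]
    # With no arguments a local stand-in server is started and 20 connections are opened.
    if len(sys.argv) >= 3:
        target_host, target_port = sys.argv[1], int(sys.argv[2])
        server = None
    else:
        server, target_port = start_local_server()
        target_host = "127.0.0.1"
    count = int(sys.argv[3]) if len(sys.argv) >= 4 else 20
    print(count_concurrent_connections(target_host, target_port, count))
    if server is not None:
        server.shutdown()
```

Run it as an unprivileged user against the real listener (for example `python3 connlimit_check.py 127.0.0.1 80 20`). If all 20 connections report as established while the rule is loaded, connlimit is not taking effect on that host; if 10 are established and 10 refused, it is.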