Due to recent NTP reflection attacks I wanted to lock down my server. I want to rate limit incoming packets on port 123 (NTP) by source address: a single NTP source should not send more than 10 packets every 30 seconds. The following IPTables rules track incoming NTP traffic and ensure no single IP is allowed to send beyond that threshold.
iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --set --name NTPTRAFFIC --rsource
iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --update --seconds 30 --hitcount 10 --name NTPTRAFFIC --rsource -j DROP
iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -j ACCEPT   # Just to view stats with "iptables -vnL"
The recent IPTables module has some limitations. By default it only tracks the most recent 100 IPs, and the last ten packets from each. If you have a large number of source IPs hitting you, those limits may not be enough. You can get information about the module and what it can track with:
Then you can change the number of packets tracked and the number of IPs to track:
# On mainline kernels these parameters are registered read-only (mode 0400), so writing them after the module is loaded
# fails with "Permission denied"; pass them at load time instead, e.g. "modprobe xt_recent ip_list_tot=250 ip_pkt_list_tot=60"
# or an options line in /etc/modprobe.d/.
echo 250 > /sys/module/xt_recent/parameters/ip_list_tot
echo 60 > /sys/module/xt_recent/parameters/ip_pkt_list_tot
The defaults are pretty good, unless you have a REALLY busy server.
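To see what the NTPTRAFFIC table from the rules above actually holds, the kernel exposes it at /proc/net/xt_recent/NTPTRAFFIC. The script below is an added example, not code from the original post: it parses that file and re-applies the --seconds 30 --hitcount 10 test in userland, so you can list which sources are currently at the drop threshold. The table lines are constructed samples; the entry format follows mainline xt_recent.c, timestamps are kernel jiffies, and the `hz` value (250 assumed here) must match your kernel's CONFIG_HZ.

```python
import re
import sys

# One entry per line in /proc/net/xt_recent/<name> (format from mainline xt_recent.c):
#   src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <idx> <jiffies>, <jiffies>, ...
ENTRY_RE = re.compile(
    r"^src=(?P<src>\S+) ttl: (?P<ttl>\d+) last_seen: (?P<last>\d+) "
    r"oldest_pkt: (?P<oldest>\d+)(?P<stamps>.*)$"
)

# Constructed sample dump of the NTPTRAFFIC table; timestamps are jiffies at an assumed HZ=250.
SAMPLE_TABLE = """\
src=192.0.2.10 ttl: 64 last_seen: 4295000000 oldest_pkt: 2 4294990000, 4295000000
src=198.51.100.7 ttl: 128 last_seen: 4295002500 oldest_pkt: 10 4294995500, 4294996250, 4294997000, 4294997750, 4294998500, 4294999250, 4295000000, 4295000750, 4295001500, 4295002500
src=203.0.113.9 ttl: 55 last_seen: 4295003000 oldest_pkt: 1 4295003000
"""


def parse_table(text):
    """Return (src, ttl, last_seen, stamps) tuples; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        stamps = [int(s) for s in m.group("stamps").split(",") if s.strip()]
        entries.append((m.group("src"), int(m.group("ttl")), int(m.group("last")), stamps))
    return entries


def hits_in_window(stamps, now, seconds, hz):
    """Count stamps no older than `seconds`, as xt_recent does (stamp >= now - seconds*HZ).
    Jiffies wrap-around is ignored here; the kernel uses time_after() for that."""
    window = seconds * hz
    return sum(1 for s in stamps if now - s <= window)


def sources_over_threshold(text, seconds=30, hitcount=10, hz=250, now=None):
    """Map each source that would match --update --seconds S --hitcount N to its hit count.
    `now` defaults to the newest last_seen in the table, since userland cannot read jiffies."""
    entries = parse_table(text)
    if not entries:
        return {}
    if now is None:
        now = max(e[2] for e in entries)
    result = {}
    for src, _ttl, _last, stamps in entries:
        hits = hits_in_window(stamps, now, seconds, hz)
        if hits >= hitcount:
            result[src] = hits
    return result


if __name__ == "__main__":
    # Usage: python3 ntp_recent_check.py [/proc/net/xt_recent/NTPTRAFFIC]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TABLE
    for src, hits in sorted(sources_over_threshold(text).items()):
        print(f"{src}: {hits} packets in the last 30 s (at the drop threshold)")
```

Because the --set rule above precedes the --update rule, dropped packets are recorded too, so the table shows every attempt a source made, not only the ones that were accepted.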