Configuring UFW
The following instructions are targeted at UFW, but it is really just a wrapper so it should be easy to adapt them for a generic system.
Edit /etc/ufw/before.rules, putting each part where it belongs
| ### Add those lines after *filter near the beginning of the file | |
| :ufw-http – [0:0] | |
| :ufw-http-logdrop – [0:0] | |
| ### Add those lines near the end of the file | |
| ### Start HTTP ### | |
| # Enter rule | |
| -A ufw-before-input -p tcp –dport 80 -j ufw-http | |
| -A ufw-before-input -p tcp –dport 443 -j ufw-http | |
| # Limit connections per Class C | |
| -A ufw-http -p tcp –syn -m connlimit –connlimit-above 50 –connlimit-mask 24 -j ufw-http-logdrop | |
| # Limit connections per IP | |
| -A ufw-http -m state –state NEW -m recent –name conn_per_ip –set | |
| -A ufw-http -m state –state NEW -m recent –name conn_per_ip –update –seconds 10 –hitcount 20 -j ufw-http-logdrop | |
| # Limit packets per IP | |
| -A ufw-http -m recent –name pack_per_ip –set | |
| -A ufw-http -m recent –name pack_per_ip –update –seconds 1 –hitcount 20 -j ufw-http-logdrop | |
| # Finally accept | |
| -A ufw-http -j ACCEPT | |
| # Log-A ufw-http-logdrop -m limit –limit 3/min –limit-burst 10 -j LOG –log-prefix “[UFW HTTP DROP] “ | |
| -A ufw-http-logdrop -j DROP | |
| ### End HTTP ### |
Make sure ufw runs and reload everything using ufw reload.