
Enable/Disable Rate Limits

GateKeeper by default blocks any IP address from opening more than 24 new TCP connections per second to port 80 (HTTP) and, counted separately, to port 443 (HTTPS): the 25th connection attempt from the same source within one second is dropped. This is an effective way to mitigate simple flood attacks. Automated attack tools often try to open thousands of connections per second from a single IP to overwhelm a server. The default GateKeeper rate-limiting rules disallow such behavior at the network level, so GateKeeper becomes the first line of defense, filtering out noisy traffic before it even reaches the BotGuard server.

In this guide, you can learn how to disable the rate-limiting firewall rules on each GateKeeper server so that ports 80 (HTTP) and 443 (HTTPS) are no longer subject to the recent/hitcount drop rule. The following instructions explain how to edit the persistent iptables rule files and then reload them.

Iptables

Iptables is the command-line utility for the Linux kernel packet filter. Rules are grouped into chains; each packet is checked against the rules of a chain in order, and the first matching rule's target (for example ACCEPT or DROP) decides what happens to it. If no rule matches, the chain's default policy applies.

Prerequisites

  • The IP address of each GateKeeper server on which you wish to change the rate-limiting firewall rules. The example IP address below is 12.23.34.45.
  • The root password or an SSH key that enables you to log into the desired GateKeeper server as root (or a user with sudo).

Disabling Rate-Limiting Firewall Rules

  1. Connect to the GateKeeper over SSH. On your computer (macOS/Linux Terminal or Windows PowerShell), execute the command: ssh root@12.23.34.45
  2. If prompted to confirm the host's authenticity (on the first connection), compare the shown fingerprint with the one you have for the instance, then type yes and press the Enter key on your keyboard.
  3. If prompted, enter the root password for your GateKeeper instance. If direct root SSH is disabled, log in as a normal user and add sudo in front of the commands below (e.g., sudo nano /etc/iptables/rules.v4).
  4. On the GateKeeper, navigate to the directory holding the persistent iptables rule files: cd /etc/iptables
  5. Check that the files exist: ls -l. Inside this folder, you can find rules.v4 (IPv4) and if it exists for your current setup, rules.v6 (IPv6).
  6. Edit the IPv4 file with an editor (such as nano): nano rules.v4

    1. Press Ctrl+W. Then type http_limit, and press Enter to find the first line.
    2. Move the cursor to the start of the matching line and type # to comment it out.
    3. Press Ctrl+W again, search for https_limit, and press Enter to find the first line.
    4. Move the cursor to the start of the matching line and type # to comment it out.
    5. Ensure that both lines now start with # (iptables-restore ignores lines that begin with #) and look like this:

      # -A INPUT -p tcp --dport 80  -m conntrack --ctstate NEW -m recent --update --name http_limit  --seconds 1 --hitcount 25 -j DROP
      
      # -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --name https_limit --seconds 1 --hitcount 25 -j DROP
      
    6. On your keyboard, use Ctrl+O, then Enter to save.

    7. Then use Ctrl+X to exit.
  7. Repeat the previous substeps for the IPv6 file, if it exists on your setup: nano rules.v6

  8. Apply (reload) the new rules. The following commands read the file from standard input and replace the entire active ruleset (newer versions also accept the file name as an argument, as in iptables-restore rules.v4). The load is all-or-nothing: a file that fails to parse is rejected and the current rules stay in place, so a typo cannot leave you with a half-applied ruleset.

    • IPv4: iptables-restore < rules.v4
    • IPv6: ip6tables-restore < rules.v6
    • Verify that the drop rules are gone from the live chain: iptables -S INPUT | grep _limit should print nothing (likewise ip6tables -S INPUT for IPv6).
    • In the case of using more than a single GateKeeper, repeat all the above steps on the other GateKeeper instances.

Delete vs comment

You can delete the lines instead of commenting them out. However, commenting is safer because you can restore them later simply by removing the #.

Enabling Rate-Limiting Firewall Rules

To enable rate limiting again, repeat the steps in Disabling Rate-Limiting Firewall Rules, but remove the # from the start of each line instead of adding it, then reload the rules with iptables-restore and ip6tables-restore in the same way.
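The disabling and enabling procedures above, as one added non-interactive script. This is an example written for this page, not GateKeeper's or BotGuard's own tooling. It assumes the /etc/iptables/rules.v4 and rules.v6 layout shown above, an iptables-restore that supports the --test flag, and a sed that accepts -i.bak (GNU or BSD). The ruleset it edits in the demo is constructed here; the real files are only touched when the script runs as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not part of the GateKeeper documentation or product.
# Non-interactive equivalent of the nano steps: comment out (or restore) the
# http_limit/https_limit DROP rules in a persistent iptables rules file, then
# parse-check and load it. Assumes the /etc/iptables/rules.v4 / rules.v6 layout.
set -eu

# Comment out every still-active rate-limit DROP rule in $1. Idempotent: a line
# that already starts with "# " no longer matches the anchored pattern.
disable_rate_limit_rules() {
    sed -i.bak -E 's/^(-A INPUT .*--name https?_limit .*-j DROP)$/# \1/' "$1"
}

# Reverse of the above: strip the leading "# " from the same two rules.
enable_rate_limit_rules() {
    sed -i.bak -E 's/^# (-A INPUT .*--name https?_limit .*-j DROP)$/\1/' "$1"
}

# Print how many rate-limit rules in $1 are still active (not commented out).
count_active_limit_rules() {
    grep -cE '^-A INPUT .*--name https?_limit ' "$1" || true
}

# Parse-check the file (--test builds the ruleset without committing it), then
# load it. Without -n, iptables-restore replaces the whole active ruleset, as the
# page describes; a file that fails to parse changes nothing.
# $1 = rules file, $2 = iptables-restore or ip6tables-restore
load_rules() {
    "$2" --test < "$1" && "$2" < "$1"
}

# ---- demo on a constructed sample file (not a real GateKeeper ruleset) ----
work=$(mktemp -d)
cat > "$work/rules.v4" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80  -m conntrack --ctstate NEW -m recent --update --name http_limit  --seconds 1 --hitcount 25 -j DROP
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --name https_limit --seconds 1 --hitcount 25 -j DROP
COMMIT
EOF
echo "active before:        $(count_active_limit_rules "$work/rules.v4")"   # 2
disable_rate_limit_rules "$work/rules.v4"
echo "active after disable: $(count_active_limit_rules "$work/rules.v4")"   # 0
enable_rate_limit_rules "$work/rules.v4"
echo "active after enable:  $(count_active_limit_rules "$work/rules.v4")"   # 2
rm -rf "$work"

# ---- real run, as root on the GateKeeper: APPLY=1 MODE=disable sh this.sh ----
if [ "${APPLY:-0}" = 1 ]; then
    case "${MODE:-disable}" in
        disable|enable) toggle="${MODE:-disable}_rate_limit_rules" ;;
        *) echo "MODE must be disable or enable" >&2; exit 2 ;;
    esac
    for f in /etc/iptables/rules.v4 /etc/iptables/rules.v6; do
        [ -f "$f" ] || continue          # rules.v6 may not exist on this setup
        "$toggle" "$f"                   # leaves a $f.bak copy of the original
    done
    load_rules /etc/iptables/rules.v4 iptables-restore
    if [ -f /etc/iptables/rules.v6 ]; then
        load_rules /etc/iptables/rules.v6 ip6tables-restore
    fi
    # Show whatever rate-limit rules remain in the live IPv4 INPUT chain.
    iptables -S INPUT | grep '_limit' || echo "no active rate-limit rules in INPUT (IPv4)"
fi
```

Run it without variables to see the demo on the constructed file. On a GateKeeper, APPLY=1 edits the real files (keeping a .bak copy of each), parse-checks them and loads them; MODE=enable reinstates the limits. Because both load steps go through --test first, a malformed file aborts the script before anything is committed.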
