I am in the process of migrating small websites of mine (mostly "maths" websites) to self-hosting and I will be using LEDE for the infrastructure. I am quite careful as this is fiber.
When redirecting http or https to a host, is there a way to trigger some iptables goodies like these?
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
This will reject connections above 15 from one source IP.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 150/second --limit-burst 160 -j ACCEPT
In this 160 new connections (packets really) are allowed before the limit of 150 NEW connections (packets) per second is applied.
Can it be done easily in LEDE?
Some of the options for IPTABLES may not have been implemented in UCI, and you cannot use them in "/etc/config/firewall". If that happens, remember that there are "config include" sections in that file that invoke other files, in which you can issue direct IPTABLES commands.
Thanks, I am going to have a look at this. It seems that LIMIT is actually supported:
limit (string, optional, default: none): Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/second, 3/sec or 3/s.
limit_burst (integer, optional, default: 5): Maximum initial number of packets to match, allowing a short-term average above limit.
I will test in UCI and see, and will update the LEDE documentation accordingly:
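The two rules from the thread expressed for LEDE's fw3 firewall, as an added example that is not from the thread or the LEDE project: the rate limit uses the UCI limit/limit_burst options quoted above, while the connlimit rule (which fw3 has no UCI option for) goes into the include script. It assumes the web server sits on the router itself (INPUT chain, wan zone) and that the wan zone keeps the default config's REJECT input policy, so traffic above the limit is refused by that policy rather than by an extra rule.

```text
# /etc/config/firewall  (excerpt)
# Accept at most 150 packets/second on average towards port 80, after an
# initial burst of 160. fw3 accepts RELATED,ESTABLISHED traffic in INPUT
# before the zone rules run, so in practice this counts new connections;
# packets over the limit fall through to the wan zone's default REJECT.
config rule
	option name 'Limit-HTTP-new'
	option src 'wan'
	option proto 'tcp'
	option dest_port '80'
	option limit '150/second'
	option limit_burst '160'
	option target 'ACCEPT'

# The default LEDE firewall config already carries this include; it is
# shown here so the link to the script below is explicit.
config include
	option path '/etc/firewall.user'

# /etc/firewall.user
# Rules here are plain iptables, run on every firewall (re)load.
# Reset any new connection from a source IP that already holds more
# than 15 open connections to port 80 (--connlimit-mask 32 = per host).
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
```

After editing, run `/etc/init.d/firewall restart` and check the result with `iptables -S INPUT` and `iptables -S zone_wan_input`; the limit rule should appear in the zone chain and the connlimit rule in INPUT.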