How to use iptables "limit" and other goodies in LEDE?

Installing and Using OpenWrt
1

Dear all,

I am in the process of migrating small websites of mine (mostly "maths" websites) to self-hosting and I will be using LEDE for the infrastructure. I am quite careful as this is fiber.

When redirecting http or https to a host, is there a way to trigger some iptables goodies

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

This will reject connections above 15 from one source IP.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 150/second --limit-burst 160 -j ACCEPT

In this 160 new connections (packets really) are allowed before the limit of 150 NEW connections (packets) per second is applied.

Can it be done easily in LEDE?

2

Some of the options for IPTABLES may not have been implemented in UCI, and you cannot use them at "/etc/config/firewall". If that happens, remember that there are "config include" sections in that file, that invoque other files, where you can issue direct IPTABLES commands.

3

Thanks, I am going to have a look at this. I seems that LIMIT is actually supported:

https://wiki.openwrt.org/doc/uci/firewall

limit string no (none) Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/second, 3/sec or 3/s.
limit_burst integer no 5 Maximum initial number of packets to match, allowing a short-term average above limit

I will test in uci and see will update LEDE documentation accordingly:
https://lede-project.org/docs/user-guide/firewall_configuration

Thanks!