1) How to use an iptables rule to allow only one port and block others?
Answer: We can make the INPUT policy drop everything and allow specific ports only:

# allow established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow your application port
iptables -I INPUT -p tcp --dport 42605 -j ACCEPT
# allow SSH
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# allow ICMP echo replies (type 0) that belong to established/related flows;
# an incoming ping is an echo request (type 8) and needs its own ACCEPT rule if the host should answer it
iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow localhost
iptables -A INPUT -i lo -j ACCEPT
# block everything else
iptables -A INPUT -j DROP
Another question: would this be the right way to test, or should I use the "netstat" command to see which port has a connection established with the other IP?

Answer: Yes, you can check with:
netstat -antop | grep app_port
and you can also use strace:
strace -f -e trace=network -s 10000 PROCESS ARGUMENTS
To monitor an existing process with a known PID:
strace -p $(pgrep application_name) -f -e trace=network -s 10000
2) I have an iptables rule which blocks incoming requests when a specific connection limit is reached:
iptables -A INPUT -p tcp --syn --dport 7000 -m connlimit --connlimit-above 3500 --connlimit
Would it be possible to block ICMP (ping) responses when connections on port 7000 reach a certain limit?

Answer: The answer is no. If you want to block ICMP, please use -p icmp instead of -p tcp. There is one more thing to clarify: ICMP is a Layer 3 protocol, but port numbers are defined at Layer 4, so you will never find the concept of a port number in ICMP.
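The netstat check suggested in question 1 and the connection limit in question 2 can be combined into a quick defender-side check: count the ESTABLISHED connections to a port per remote address and see which sources would already be over a connlimit threshold. This is an added example, not code from the original page; the netstat lines are constructed, the port 7000, the limit 3 and the program names are assumptions, and the per-source accounting only approximates connlimit, which by default counts conntrack entries per source host (--connlimit-mask 32) rather than ESTABLISHED sockets alone.

```python
"""Count ESTABLISHED TCP connections per remote address for one local port from
`netstat -antop` style output and flag sources over a connlimit-like threshold.
Added example, not from the page; the netstat output below is constructed."""
from collections import Counter

# Constructed `netstat -antop` output (columns: Proto Recv-Q Send-Q Local Address
# Foreign Address State PID/Program name Timer). PIDs and program names are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      1201/app             off (0.00/0/0)
tcp        0      0 10.0.0.5:7000           198.51.100.7:51234      ESTABLISHED 1201/app             keepalive (1.20/0/0)
tcp        0      0 10.0.0.5:7000           198.51.100.7:51235      ESTABLISHED 1201/app             keepalive (1.20/0/0)
tcp        0      0 10.0.0.5:7000           198.51.100.7:51236      ESTABLISHED 1201/app             keepalive (1.20/0/0)
tcp        0      0 10.0.0.5:7000           198.51.100.7:51237      ESTABLISHED 1201/app             keepalive (1.20/0/0)
tcp        0      0 10.0.0.5:7000           203.0.113.9:40001       ESTABLISHED 1201/app             keepalive (1.20/0/0)
tcp        0      0 10.0.0.5:7000           203.0.113.9:40002       TIME_WAIT   -                    timewait (30.00/0/0)
tcp        0      0 10.0.0.5:22             192.0.2.44:55000        ESTABLISHED 880/sshd             keepalive (7.00/0/0)
"""


def established_by_port(netstat_text, port):
    """Return a Counter mapping remote IP -> number of ESTABLISHED connections
    whose local port is `port`. Header lines, LISTEN sockets and other states
    (TIME_WAIT, SYN_RECV, ...) are skipped."""
    per_source = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED":
            continue
        # rsplit on the last ':' so IPv6 addresses with embedded colons still split correctly
        if int(local.rsplit(":", 1)[1]) != port:
            continue
        per_source[remote.rsplit(":", 1)[0]] += 1
    return per_source


def over_limit(netstat_text, port, limit):
    """Sources with more than `limit` ESTABLISHED connections to `port`, the
    per-source view a connlimit rule with the default mask would act on."""
    return {ip: n for ip, n in established_by_port(netstat_text, port).items() if n > limit}


if __name__ == "__main__":
    print(established_by_port(SAMPLE_NETSTAT, 7000))
    print(over_limit(SAMPLE_NETSTAT, 7000, 3))
```

To run it against a live host, feed it the real output (for example `established_by_port(subprocess.check_output(["netstat", "-antop"], text=True), 7000)`); the ICMP point from the answer holds here too: there is no port column for ICMP, so nothing in this output could tie a ping to port 7000.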
Notes: Here are some common iptables commands.

iptables -n -L [chain]
Display the rules currently in place. The -n option shows IP addresses instead of DNS-resolved host names. If a chain is specified, only the rules for that chain are displayed.

iptables -N <chain>
Start a new chain with the specified name.

iptables -F [chain]
Flush (remove) the rules of a chain, or all rules if no chain is specified. Be VERY careful with this, especially if no chain is specified.

iptables -I <chain> 1 -s <ip> -j DROP
Add a rule to a chain to drop datagrams received from the specified IP address. The 1 after the chain name makes this the first rule in the chain. We generally put rules that deny access before rules that allow access. The DROP target (the -j target specification) silently throws the data away. A REJECT target could also have been used, which sends an error message to the sender via the ICMP protocol. If the sender is suspected of malicious intent, DROP is usually preferred.

iptables -D <chain> -s <ip> -j DROP
Remove the rule from a chain that drops datagrams received from the specified IP.
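The allow-list from question 1 and the ordering advice in these notes (deny before allow, -I to put a rule first, -A to append) both come down to rule order, and the usual mistakes are a rule appended after the catch-all DROP, where it can never match, or an ACCEPT placed after a DROP for the same source. The following added example, which is not code from the original page, renders such an allow-list as iptables-restore text and audits an existing `iptables -S INPUT` dump for those two mistakes. It works on text only, so it needs no root; the sample dump, the addresses 203.0.113.5 and ports 8080/443 in it are constructed, and the function names are my own.

```python
"""Render an allow-list INPUT chain as iptables-restore text, and audit a chain
dump (`iptables -S INPUT`) for the ordering mistakes the notes warn about.
Added example, not the page's own code; it only handles text, so no root needed."""
import re

# "-A <chain> [match options] -j <target>"; the body is empty for "-A INPUT -j DROP"
_RULE = re.compile(r"^-A (?P<chain>\S+)(?P<body>.*?) -j (?P<target>\S+)$")
_SRC = re.compile(r"(?:^|\s)-s (\S+)")
_DPORT = re.compile(r"--dport (\d+)")


def render_input_chain(tcp_ports, allow_ping=True):
    """Build iptables-restore text: default policy DROP, then only the accepts
    we need, ordered so that no later rule is shadowed by an earlier one."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    if allow_ping:
        # an incoming ping is an echo-request (ICMP type 8); replies to our own
        # pings are already covered by the ESTABLISHED,RELATED rule above
        lines.append("-A INPUT -p icmp --icmp-type echo-request -j ACCEPT")
    for port in sorted(set(tcp_ports)):
        if not 0 < port < 65536:
            raise ValueError(f"invalid TCP port {port}")
        lines.append(f"-A INPUT -p tcp --dport {port} -m state --state NEW -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def audit_input_chain(dump):
    """Parse `iptables -S INPUT` (or iptables-restore) text and report the chain
    policy, the TCP dports that are accepted, rules that can never match because
    a catch-all DROP precedes them, ACCEPT rules shadowed by an earlier per-source
    DROP, and whether the chain is open-ended (policy ACCEPT and no catch-all DROP)."""
    policy = None
    accepted_ports, dead_rules, shadowed = [], [], []
    dropped_sources = set()
    catch_all_seen = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("-P INPUT "):       # iptables -S form
            policy = line.split()[2]
            continue
        if line.startswith(":INPUT "):         # iptables-restore form
            policy = line.split()[1]
            continue
        m = _RULE.match(line)
        if not m or m.group("chain") != "INPUT":
            continue
        body, target = m.group("body").strip(), m.group("target")
        if catch_all_seen:                     # appended with -A after "-j DROP"
            dead_rules.append(line)
            continue
        src = _SRC.search(body)
        if target == "DROP" and not body:
            catch_all_seen = True
        elif target == "DROP" and src:
            dropped_sources.add(src.group(1))
        elif target == "ACCEPT":
            if src and src.group(1) in dropped_sources:
                shadowed.append(line)
            dport = _DPORT.search(body)
            if dport and "-p tcp" in body:
                accepted_ports.append(int(dport.group(1)))
    return {
        "policy": policy,
        "accepted_tcp_ports": accepted_ports,
        "dead_rules": dead_rules,
        "shadowed_accepts": shadowed,
        "open_ended": policy != "DROP" and not catch_all_seen,
    }


# Constructed `iptables -S INPUT` output with two mistakes planted: an ACCEPT for
# port 8080 from a source an earlier rule already drops, and a port 443 rule
# appended (-A) after the catch-all DROP, where it can never match.
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 42605 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

if __name__ == "__main__":
    print(render_input_chain([42605, 22]))
    for key, value in audit_input_chain(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The rendered text is meant for `iptables-restore`, which loads the whole chain atomically, so you never sit in a half-applied state with the policy already DROP and the SSH rule not yet added; to audit a live box, pipe `iptables -S INPUT` into `audit_input_chain`.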
Unix System Administration Hints and Tips (c) www.gotothings.com. All material on this site is Copyright.