How to Configure UFW Rate Limiting for Port 80 and Exclude Ports 30000-30005


UFW (Uncomplicated Firewall) provides a simplified interface for iptables, including connection rate limiting functionality. The default rate limiting rule blocks IPs that attempt more than 6 connections within 30 seconds. This is particularly useful against brute-force attacks.

To limit incoming connections on port 80 to 20 per 30 seconds, we need to modify the default rate limiting behavior:

sudo ufw limit 80/tcp comment 'Rate limit HTTP traffic'

However, UFW's built-in limit command doesn't directly support custom connection counts, and the ufw command line does not accept iptables match options such as hashlimit. For more granular control, we need to create custom iptables rules in /etc/ufw/before.rules, inside the *filter section and before its COMMIT line:

# Drop new HTTP connections from any source IP that exceeds 20 per minute (burst of 30)
-A ufw-before-input -p tcp --dport 80 -m state --state NEW -m hashlimit --hashlimit-above 20/minute --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-name http_limit -j DROP

To disable rate limiting for ports 30000-30005, we can use these commands:

for port in {30000..30005}; do
    sudo ufw allow $port/tcp comment 'Excluded from rate limiting'
done

To verify your configuration:

sudo ufw status numbered

Or for more detailed iptables inspection:

sudo iptables -L -n -v | grep hashlimit

1. UFW's default rate limiting (6/30s) applies only when explicitly enabled per service
2. Custom rate limiting requires iptables knowledge despite UFW's "uncomplicated" nature
3. Changes persist after reboot when using UFW's native commands
4. For complex scenarios, consider direct iptables rules or frontend solutions like fail2ban

Here's a practical example for securing a web server while excluding game server ports:

# Basic rate limiting for SSH
sudo ufw limit ssh/tcp

# Custom HTTP rate limiting belongs in /etc/ufw/before.rules (see the recent
# rules for port 80 below); the ufw command line does not accept iptables
# match options. Open the port itself here:
sudo ufw allow 80/tcp comment 'HTTP'

# Exclude game server ports
for port in {30000..30005}; do
    sudo ufw allow $port/tcp
done

# Enable UFW
sudo ufw enable

UFW (Uncomplicated Firewall) implements rate limiting through iptables' recent module. The default configuration (as mentioned in man pages) blocks IPs attempting more than 6 connections in 30 seconds. This works well for SSH protection, but web servers often need custom thresholds.

To limit port 80 to 20 connections per 30 seconds:

sudo ufw limit proto tcp to any port 80 comment 'HTTP rate limit'

This creates iptables rules with these parameters:

  • Burst: 20 connections
  • Time window: 30 seconds
  • Action: Drop exceeding packets

For ports 30000-30005, we need to add explicit ALLOW rules before the rate limiting rules:

sudo ufw allow 30000:30005/tcp
sudo ufw allow 30000:30005/udp

The order matters - UFW processes rules sequentially from top to bottom in /etc/ufw/user.rules.

Check active rules with:

sudo ufw status numbered

For detailed iptables inspection:

sudo iptables -L -n -v | grep -i 'limit'

For precise control, edit /etc/ufw/before.rules and add these rules inside the *filter section, before its COMMIT line:

# Port 80 rate limiting
-A ufw-before-input -p tcp --dport 80 -m state --state NEW -m recent --set --name HTTP
-A ufw-before-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name HTTP -j DROP

# Port range exemption
-A ufw-before-input -p tcp --match multiport --dports 30000:30005 -j ACCEPT

Remember to reload after changes:

sudo ufw disable && sudo ufw enable
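To make the thresholds in these rules concrete, here is an added example (not from the original article, UFW or iptables) that models in Python how the recent match used by ufw limit and by the before.rules lines above decides a drop, next to the hashlimit token bucket from the 20/minute, burst 30 rule given earlier, on a constructed flood of one new connection per second from 203.0.113.5. The class names and the traffic are assumptions, and both classes are simplified models of the kernel matches, not their code.

```python
from collections import defaultdict, deque
from fractions import Fraction

class RecentWindow:
    """Model of '-m recent --update --seconds S --hitcount N' as UFW chains it:
    the check runs before the hit is recorded, and blocked hits are recorded
    too (--update refreshes the entry), so a persistent source stays blocked
    until it backs off for a full window."""
    def __init__(self, seconds, hitcount):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(deque)          # src -> hit timestamps

    def allow(self, src, now):
        q = self.stamps[src]
        while q and now - q[0] >= self.seconds:   # expire hits outside window
            q.popleft()
        permitted = len(q) < self.hitcount
        q.append(now)
        return permitted

class HashLimitBucket:
    """Model of '-m hashlimit --hashlimit-above R --hashlimit-burst B
    --hashlimit-mode srcip': a per-source token bucket holding at most B
    tokens, refilled at R; a hit with no whole token is dropped without
    consuming anything.  Fraction keeps the refill arithmetic exact."""
    def __init__(self, per_minute, burst):
        self.rate, self.burst = Fraction(per_minute, 60), Fraction(burst)
        self.state = {}                           # src -> (tokens, last_seen)

    def allow(self, src, now):
        tokens, last = self.state.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        permitted = tokens >= 1
        if permitted:
            tokens -= 1
        self.state[src] = (tokens, now)
        return permitted

def summary(verdicts):
    """(number of allowed hits, index of the first dropped hit or None)."""
    return sum(verdicts), (verdicts.index(False) if False in verdicts else None)

def demo():
    # Constructed traffic (assumed): one source opens a new connection every
    # second for a minute, against the three thresholds discussed on this page.
    flood = [(t, "203.0.113.5") for t in range(60)]
    return {name: summary([lim.allow(src, t) for t, src in flood]) for name, lim in [
        ("ufw limit (6 hits / 30 s)", RecentWindow(30, 6)),
        ("before.rules (20 hits / 30 s)", RecentWindow(30, 20)),
        ("hashlimit 20/minute burst 30", HashLimitBucket(20, 30))]}
```

demo() reports 6, 20 and 49 hits admitted out of 60 respectively: the burst of 30 plus one refilled token every 3 seconds lets the hashlimit rule through far more than a 20-hit window does, so the two rule styles are not interchangeable even when the numbers look alike.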

UFW doesn't apply rate limiting by default; it is enabled only for the services you explicitly configure with limit. Some recommendations:

  • Always test new rules in non-production environments
  • Monitor /var/log/ufw.log for dropped connections
  • Consider combining with fail2ban for enhanced protection