Firewall (iptables) rule to limit Apache connections

Greg Rundlett (freephile) greg at freephile.com
Tue May 18 17:20:18 EDT 2010


I'm running Apache on a RedHat ES 4 with a 2.6.9 kernel.

Occasionally we'll get a bunch of web requests from a single source (example
user agent of HTTrack or Opera or IE5 will all give a user the ability to
make a huge number of web requests).  This ties up our Apache server as all
available workers are sending responses (and might be waiting on the
client-side connection speed as well).  "Ties up" as in DoS -- nobody else
can get to the website.

I'm wondering what iptables rule might be able to throttle / limit the
number of connections to a particular IP based on the connection state.

The Linux Home Networking website has a great article on IPTables
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
and points to using the syn flag and limit combo, but I don't think that is
actually an answer to my problem, e.g.

iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

I say I don't think that's an answer because I'm not trying to prevent syn
floods, I'm just trying to limit resource utilization by a particularly
"hungry customer" by serving the food at a measured (slow) pace if they eat
too fast.

There are some (bandwidth-related) Apache modules that seem to touch on this
problem domain.  For example mod_cband, mod_bw, mod_qos or limitipconn but
only mod_cband appears to be applicable to my environment and reasonably
maintained.

I was more interested in an iptables rule that I could dynamically create
(perhaps tying into portsentry) or else a squid solution because it would be
more future-proof as we plan to update the hosting environment shortly.
What solution have you used?

Thanks,

Greg Rundlett
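Added here as a worked example (not part of Greg's message or of any list reply): a small sh script that generates the per-source-IP limiting rules the question is after, combining the connlimit match (cap on concurrent connections from one address) with the hashlimit match (rate of NEW connections per address, keyed on connection state). The interface, port and thresholds are assumed values to edit; the script prints the rules by default and only applies them with --apply as root.

```shell
#!/bin/sh
# Per-source-IP limits for an Apache server, built from two iptables matches:
#   connlimit - reject a new connection once an IP already holds MAX_CONNS
#   hashlimit - token bucket per source IP on NEW connections (rate + burst)
# Assumed values (edit to taste): eth0, port 80, 20 concurrent connections,
# 5 new connections/second with a burst of 15.
# Note: connlimit entered the mainline kernel in 2.6.23, so on an older
# kernel run have_matches first to see whether the match can be loaded.
IFACE="eth0"
PORT="80"
MAX_CONNS="20"
NEW_RATE="5/second"
NEW_BURST="15"

# Exit 0 only when the installed iptables can load both matches.
have_matches() {
    iptables -m connlimit --help >/dev/null 2>&1 &&
    iptables -m hashlimit --help >/dev/null 2>&1
}

# Emit the rules instead of executing them, so they can be reviewed,
# saved, or piped to "sh" as root (see --apply below).
http_limit_rules() {
    # Dedicated chain: only NEW connections to the web port enter it, so
    # established traffic is never re-counted and never throttled.
    printf 'iptables -N HTTP_LIMIT\n'
    printf 'iptables -A INPUT -i %s -p tcp --dport %s --syn -m state --state NEW -j HTTP_LIMIT\n' \
        "$IFACE" "$PORT"
    # 1) Ceiling on simultaneous connections from one /32. A TCP reset tells
    #    a well-behaved client to back off instead of retrying the SYN.
    printf 'iptables -A HTTP_LIMIT -m connlimit --connlimit-above %s --connlimit-mask 32 -j REJECT --reject-with tcp-reset\n' \
        "$MAX_CONNS"
    # 2) Rate of new connections per source: within the bucket they are
    #    accepted, anything faster is dropped (the "measured pace" effect).
    printf 'iptables -A HTTP_LIMIT -m hashlimit --hashlimit %s --hashlimit-burst %s --hashlimit-mode srcip --hashlimit-name http_new -j ACCEPT\n' \
        "$NEW_RATE" "$NEW_BURST"
    printf 'iptables -A HTTP_LIMIT -j DROP\n'
}

case "${1:-}" in
    --apply)
        have_matches || { echo "connlimit/hashlimit match not available" >&2; exit 1; }
        http_limit_rules | sh ;;
    *)
        http_limit_rules ;;   # default: just show the rules
esac
```

Because the jump into HTTP_LIMIT only matches NEW connections, the usual ESTABLISHED,RELATED accept rule in INPUT is unaffected and an existing download is never cut off mid-response.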