fad*_*bee 6 linux iptables limits
I have a problem with some network clients sending data too fast.
I want to slow them down, using iptables, or perhaps tc.
I have seen iptables solutions such as:
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
But I think that limit applies to everything matching the rule, not to each client address.
Is there a way to make this rule limit packets per client address?
You can solve this in a simple way: try the recent module with iptables; recent tracks source addresses:
iptables -m recent -h
recent match options:
[!] --set Add source address to list, always matches.
[!] --rcheck Match if source address in list.
[!] --update Match if source address in list, also update last-seen time.
[!] --remove Match if source address in list, also removes that address from list.
--seconds seconds For check and update commands above.
Specifies that the match will only occur if source address last seen within
the last 'seconds' seconds.
--reap Purge entries older then 'seconds'.
Can only be used in conjunction with the seconds option.
--hitcount hits For check and update commands above.
Specifies that the match will only occur if source address seen hits times.
May be used in conjunction with the seconds option.
--rttl For check and update commands above.
Specifies that the match will only occur if the source address and the TTL
match between this packet and the one which was set.
Useful if you have problems with people spoofing their source address in order
to DoS you via this module.
--name name Name of the recent list to be used. DEFAULT used if none given.
--rsource Match/Save the source address of each packet in the recent list table (default).
--rdest Match/Save the destination address of each packet in the recent list table.
--mask netmask Netmask that will be applied to this recent list.
Example of blocking ssh brute force:
iptables -A INPUT -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --set
iptables -A INPUT -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 30 --hitcount 2 -j DROP
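The same recent-module approach, generalised to any port and written as a small script with a dry-run mode; this is an added example, not the answer's own commands, and it assumes an iptables build with the recent match and the xt_recent entries under /proc. It shows the per-source-address behaviour the question asks for, which a plain -m limit rule does not give.

```shell
#!/bin/sh
# Added example (not from the original answer): per-source-address connection
# limiting with the recent module. Assumed environment: iptables with xt_recent
# loaded and /proc/net/xt_recent available. DRY_RUN=1 (the default) prints the
# rules instead of applying them, so the script is safe to read and run as-is.

DRY_RUN=${DRY_RUN:-1}

# run CMD...: apply a rule, or just print it when DRY_RUN is set.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# per_client_limit PORT HITS SECONDS NAME
# Drops the HITS-th (and every later) new TCP connection to PORT from one
# source address within SECONDS seconds. Tracking is per source address
# (--rsource is the default), unlike -m limit, which counts every packet the
# rule sees regardless of where it came from.
per_client_limit() {
    port=$1; hits=$2; secs=$3; name=$4
    # 1. Record the source address of every new connection in list NAME.
    #    Because this rule runs first, the current packet counts toward HITS.
    run iptables -A INPUT -p tcp --syn --dport "$port" \
        -m recent --name "$name" --set
    # 2. Drop when the address was seen HITS times within SECONDS seconds.
    #    --update refreshes the last-seen time, so a client that keeps
    #    retrying stays blocked; --rttl ignores packets whose TTL differs from
    #    the one recorded, which blunts spoofed-source attempts to get a
    #    third party blocked.
    run iptables -A INPUT -p tcp --syn --dport "$port" \
        -m recent --name "$name" --update --seconds "$secs" \
        --hitcount "$hits" --rttl -j DROP
}

# recent_list NAME: show the addresses currently tracked in list NAME, the
# check to run to confirm the list is filling up the way you expect.
recent_list() {
    cat "/proc/net/xt_recent/$1"
}

# Usage: drop the 4th SSH connection attempt from one address within 60 s.
per_client_limit 22 4 60 ssh
```

Run with DRY_RUN=0 as root to apply the rules; list the tracked clients afterwards with `recent_list ssh`.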