Re: question on rating SYN packets

Leonardo Rodrigues Magalhães wrote:
    I already do limit parallel connections. But I'd also like to limit
the number of NEW connections from EACH host.

    Let's suppose I'll allow 10 parallel connections per host per port.
That's easy with iplimit. But I'd also like to limit 1 new connection per
second. So a single host wouldn't establish 10 new connections in 1 second,
for example. I'd like to allow 10 connections in parallel ( iplimit does
this ) and 1 new connection per second PER host ( this I don't know how to
do ).

    Is this possible, somehow, with iptables ?

    Sincerely,
    Leonardo Rodrigues
iptables -N synlimit
# Only new connection attempts (SYN) to port 80 go through the rate limit;
# without --syn, packets of already established connections would be rated too.
iptables -A INPUT -i eth0 -p tcp --syn --dport 80 -j synlimit
# Drop if this source already opened a connection within the last second.
iptables -A synlimit -m recent --rcheck --seconds 1 --name onesec -j DROP
# Drop if this source already has more than 10 parallel connections.
iptables -A synlimit -m iplimit --iplimit-above 10 -j DROP
# Record the source and accept (--set also adds unknown hosts; --update only
# matches hosts already in the list, so a first SYN would never be recorded).
iptables -A synlimit -m recent --set --name onesec -j ACCEPT

I don't know if this would work, but it's my best guess. gl.
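To see what the chain above actually does per packet, here is an added example (not code from the thread or from netfilter) that models the decision logic of the three rules in Python. It emulates only the subset of `-m recent` and `-m iplimit` semantics the chain relies on; the timestamps, addresses and parallel-connection counts are constructed, and the `record` switch lets you compare recording the source with `--set` against `--update`.

```python
"""Model of the per-host SYN rate-limit chain discussed above.

Added example, not part of the original post. Emulated semantics:
  --set                 add/refresh the source's timestamp, always matches
  --update              refresh the timestamp only for a known source,
                        otherwise the rule does not match
  --rcheck --seconds N  match if the source was seen within N seconds
  --iplimit-above N     match if the source has more than N parallel
                        connections (the count is supplied per packet here)
"""
from dataclasses import dataclass, field


@dataclass
class Syn:
    t: float          # arrival time in seconds (constructed)
    src: str          # source IP (constructed)
    open_conns: int   # parallel connections this source already has (constructed)


@dataclass
class RecentList:
    """Minimal stand-in for one named `-m recent` list."""
    last_seen: dict = field(default_factory=dict)

    def rcheck(self, src, now, seconds):
        seen = self.last_seen.get(src)
        return seen is not None and now - seen <= seconds

    def set(self, src, now):
        self.last_seen[src] = now
        return True

    def update(self, src, now):
        if src not in self.last_seen:
            return False
        self.last_seen[src] = now
        return True


def run_chain(packets, max_parallel=10, seconds=1.0, record="set"):
    """Return one verdict per SYN: ACCEPT, DROP, or RETURN (no terminating
    rule matched, so the packet falls back to the calling chain)."""
    onesec = RecentList()
    verdicts = []
    for p in packets:
        # rule 1: -m recent --rcheck --seconds 1 --name onesec -j DROP
        if onesec.rcheck(p.src, p.t, seconds):
            verdicts.append("DROP")   # DROP does not refresh the timestamp
            continue
        # rule 2: -m iplimit --iplimit-above 10 -j DROP
        if p.open_conns > max_parallel:
            verdicts.append("DROP")
            continue
        # rule 3: -m recent --set|--update --name onesec -j ACCEPT
        if record == "set":
            matched = onesec.set(p.src, p.t)
        else:
            matched = onesec.update(p.src, p.t)
        verdicts.append("ACCEPT" if matched else "RETURN")
    return verdicts


# Constructed traffic: host .1 tries three connections within 1.2 s,
# host .2 tries one and later shows up with 11 connections already open.
TRAFFIC = [
    Syn(0.0, "10.0.0.1", 0),
    Syn(0.1, "10.0.0.2", 0),
    Syn(0.5, "10.0.0.1", 1),
    Syn(1.2, "10.0.0.1", 1),
    Syn(1.3, "10.0.0.2", 11),
]

if __name__ == "__main__":
    print(run_chain(TRAFFIC))                   # recorded with --set
    print(run_chain(TRAFFIC, record="update"))  # recorded with --update
```

With `--set`, host 10.0.0.1's second SYN (0.5 s after the first) is dropped and its third (1.2 s later) is accepted, while 10.0.0.2's last SYN is dropped by the parallel-connection limit. With `--update`, no source is ever added to the list, so the rate limit never engages and every SYN that survives the iplimit rule simply falls out of the chain. On current kernels the same per-source rate can also be expressed directly with `-m hashlimit --hashlimit-mode srcip --hashlimit-above 1/sec`.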



