>> You could use dstlimit with --dstlimit-mode srcip-dstip
>> and probably save some rules.
>>
>> With dstlimit, you also get an overview of which connections are currently
>> limited, and their burst status, in /proc/net/ipt_dstlimit/DSTLIMIT_NAME
>> It's because I think some burst math allows to have a second packet sneak in.
>
>Won't I have the same problem with it?

Probably, but it helps to diagnose the problem thanks to procfs.

>http://www.netfilter.org/patch-o-matic/pom-obsolete.html#pom-obsolete-dstlimit,
>it's deprecated by hashlimit, but on

According to the hashlimit POMng help file and netfilter website

|The idea is to have something like 'limit', but either per
|destination-ip or per (destip,destport) tuple.

it does not look like it can handle (srcip,dstip) tuples. Though, the
codebase has flags for SIP, SPT, DIP and DPT, so I guess it maybe can.
Someone enlighten me?

>/sbin/iptables -t nat -I PREROUTING -p tcp -s $IP -i $LAN_DEV --sport
>1024: --dport 80 --syn -m limit --limit 1/d --limit-burst 1 -j REDIRECT
>--to-port 5000 -m dstlimit --dstlimit 1/d --dstlimit-burst 1 --dstlimit-mode srcip-dstip --dstlimit-name trafficcontrol

Jan Engelhardt
--
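Added illustration, not part of the thread: a simplified Python model of the per-key token bucket that dstlimit/hashlimit keep (one bucket per tuple built from the selected packet fields, refilled at the configured rate up to the burst). It assumes the same 1/d rate and burst 1 as the quoted rule and constructed sample packets, and shows why a dstip-only key starves a second source host while a srcip,dstip key gives each pair its own bucket.

```python
# Simplified model of netfilter-style per-tuple rate limiting (hashlimit/dstlimit).
# This is an educational reimplementation, not the kernel code: a real module
# works in credit units and jiffies, but the per-key bucket logic is the same idea.

class TupleLimiter:
    def __init__(self, rate_per_sec, burst, mode):
        # mode is a comma-separated list of packet fields forming the bucket key,
        # e.g. "dstip" or "srcip,dstip" (hashlimit's --hashlimit-mode syntax).
        self.rate = rate_per_sec
        self.burst = burst
        self.fields = tuple(mode.split(","))
        self.buckets = {}  # key -> (tokens, last_seen_timestamp)

    def key(self, pkt):
        return tuple(pkt[f] for f in self.fields)

    def match(self, pkt, now):
        # Returns True when the packet is within the limit (the rule would fire),
        # False once the bucket for its key is exhausted.
        k = self.key(pkt)
        tokens, last = self.buckets.get(k, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[k] = (tokens - 1, now)
            return True
        self.buckets[k] = (tokens, now)
        return False

def demo(mode):
    # Constructed sample traffic: two LAN hosts hitting the same web server,
    # timestamps in seconds. Rate 1/day, burst 1, as in the quoted rule.
    limiter = TupleLimiter(rate_per_sec=1 / 86400, burst=1, mode=mode)
    packets = [
        {"srcip": "10.0.0.5", "dstip": "203.0.113.1", "t": 0},      # host A, first SYN
        {"srcip": "10.0.0.5", "dstip": "203.0.113.1", "t": 1},      # host A, retry
        {"srcip": "10.0.0.7", "dstip": "203.0.113.1", "t": 2},      # host B, first SYN
        {"srcip": "10.0.0.5", "dstip": "203.0.113.1", "t": 86401},  # host A, next day
    ]
    return [limiter.match(p, p["t"]) for p in packets]

if __name__ == "__main__":
    # dstip only: host B's first SYN is swallowed by host A's exhausted bucket.
    print("dstip       ", demo("dstip"))
    # srcip,dstip: each (client, server) pair is limited independently.
    print("srcip,dstip ", demo("srcip,dstip"))
```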