How to block a DNS DoS attack?

Hi!

Some computers in my network are flooding the dns server with mx
queries generated by some virus, at a rate of 2/second or so. I can't
use the string match as suggested before because of my kernel version.
I can't forbid MX queries in the server because there could be valid
queries, so the only way to match the virus is the speed or number of
queries. I've tried the following to match only the virus but not the
normal clients (people surfing the web mainly):

iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit 40/minute --limit-burst 2000 -j ACCEPT

But it doesn't work. Any ideas?

Thanks a bunch!
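Added example, not part of the original post: a small simulation of the token bucket that `-m limit` implements (a single bucket per rule, shared by every client, with `--limit` as the refill rate and `--limit-burst` as its size), run over a constructed query log with one infected host sending MX queries at 2/s and two ordinary clients, first with the post's shared-bucket parameters and then with one bucket per source IP. The IP addresses, rates and log are constructed for the demonstration.

```python
from collections import defaultdict

class TokenBucket:
    """Token bucket modelled on netfilter's limit match: the bucket starts
    full with `burst` tokens, refills at `rate_per_minute`, and a packet is
    within the limit only if a token is available when it arrives."""
    def __init__(self, rate_per_minute, burst):
        self.rate = rate_per_minute / 60.0   # tokens per second
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def within_limit(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def make_query_log():
    """Constructed sample: (time_s, src_ip, qtype). 10.0.0.7 plays the infected
    host firing MX queries twice a second for ten minutes; two ordinary
    clients issue six queries a minute each (one of them legitimate MX)."""
    log = []
    for i in range(1200):                       # 2/s for 600 s
        log.append((i * 0.5, "10.0.0.7", "MX"))
    for i in range(60):                         # one query every 10 s
        log.append((i * 10.0 + 1.0, "10.0.0.20", "A"))
        log.append((i * 10.0 + 3.0, "10.0.0.21", "MX"))
    return sorted(log)

def over_limit_per_source(log, rate_per_minute, burst, per_source):
    """Count, per source, the queries that exceed the limit. per_source=False
    reproduces the one bucket shared by all clients that a `-m limit` rule
    keeps; True keeps a separate bucket for each source IP."""
    buckets = {}
    over = defaultdict(int)
    for t, src, _qtype in log:
        key = src if per_source else "all"
        bucket = buckets.setdefault(key, TokenBucket(rate_per_minute, burst))
        if not bucket.within_limit(t):
            over[src] += 1
    return dict(over)

if __name__ == "__main__":
    log = make_query_log()
    print("shared bucket, 40/min burst 2000:", over_limit_per_source(log, 40, 2000, False))
    print("per-source, 10/min burst 5:", over_limit_per_source(log, 10, 5, True))
```

With the post's parameters the shared bucket never empties (2000 tokens plus 40/min refill exceed the whole ten minutes of traffic), so no query from any host falls outside the limit; a per-source bucket sized for a normal client separates the flooding host while leaving the others untouched. Whichever match is used, an ACCEPT rule with a limit only passes the in-limit share, so the excess still has to be handled by a following rule rather than by the limit itself.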
