Hello,
Peter Renzland wrote:
I have often seen rules such as:
iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.1.10-192.168.1.250 -m connlimit --connlimit-above 150 -j DROP
How is this, in effect, different from?:
iptables -I FORWARD -p tcp -m iprange --src-range 192.168.1.10-192.168.1.250 -m connlimit --connlimit-above 150 -j DROP
connlimit matches *any* TCP packet as soon as there are enough existing
TCP connections from the source address or prefix, including packets
belonging to established connections. --syn makes sure that the rule
matches only SYN packets creating a new connection, without disrupting
established connections. Another way to achieve this is to match only
packets in the state NEW, as explained by Nikolay.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
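Added example (editor's illustration, not code from the thread): a small Python model of the three rule forms discussed above, so the difference can be seen on a constructed packet stream. The scenario is the one where the difference bites: a host in the --src-range already holds more connections than the limit when the rule is inserted with -I on a live forwarder. The model assumes that conntrack is a set of TCP 4-tuples (an accepted SYN adds its tuple, a dropped one does not, since the unconfirmed entry dies with the packet), that connlimit counts tracked connections from the packet's source address (the default --connlimit-mask 32) and, like xt_connlimit, includes the packet's own connection even when this SYN is creating it, and that "NEW" means the tuple is not yet tracked (the nf_conntrack_tcp_loose pick-up of mid-stream packets is not modelled). The addresses, ports and limit of 2 are constructed for the example.

```python
"""Model of iptables connlimit with and without --syn / --ctstate NEW (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

Conn = tuple  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # SYN set, ACK clear: first packet of a handshake

    @property
    def conn(self) -> Conn:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class ConnlimitRule:
    """One '-p tcp -m iprange --src-range LO-HI -m connlimit --connlimit-above N -j DROP'."""
    src_lo: str
    src_hi: str
    above: int
    mode: str = "any"        # "any": no extra match; "syn": --syn; "new": -m conntrack --ctstate NEW

    def matches(self, pkt: Packet, conntrack: set) -> bool:
        # -m iprange --src-range
        if not IPv4Address(self.src_lo) <= IPv4Address(pkt.src) <= IPv4Address(self.src_hi):
            return False
        # --syn restricts the rule to connection-opening packets
        if self.mode == "syn" and not pkt.syn:
            return False
        # --ctstate NEW restricts it to packets of connections conntrack has not seen
        if self.mode == "new" and pkt.conn in conntrack:
            return False
        # connlimit: tracked connections from this source, plus the packet's own
        # connection (assumption: counted even when this SYN is creating it)
        counted = {c for c in conntrack if c[0] == pkt.src} | {pkt.conn}
        return len(counted) > self.above


@dataclass
class Forwarder:
    rule: ConnlimitRule
    conntrack: set = field(default_factory=set)

    def forward(self, pkt: Packet) -> str:
        if self.rule.matches(pkt, self.conntrack):
            return "DROP"
        self.conntrack.add(pkt.conn)   # entry confirmed only once the packet is accepted
        return "ACCEPT"


def run_scenario(mode: str) -> list:
    """Host 192.168.1.20 already holds 3 connections when a limit of 2 is
    inserted on the live forwarder; returns the verdict for each later packet."""
    rule = ConnlimitRule("192.168.1.10", "192.168.1.250", above=2, mode=mode)
    fw = Forwarder(rule)
    for sport in (40001, 40002, 40003):          # constructed pre-existing sessions
        fw.conntrack.add(("192.168.1.20", sport, "203.0.113.5", 443))
    stream = [                                   # constructed packets after rule insertion
        Packet("192.168.1.20", 40001, "203.0.113.5", 443),            # data on session 1
        Packet("192.168.1.20", 40004, "203.0.113.5", 443, syn=True),  # 4th connection attempt
        Packet("192.168.1.20", 40002, "203.0.113.5", 443),            # data on session 2
        Packet("192.168.1.99", 50000, "203.0.113.5", 443, syn=True),  # another host, 1st conn
        Packet("10.0.0.7", 50000, "203.0.113.5", 443),                # outside --src-range
    ]
    return [fw.forward(p) for p in stream]


if __name__ == "__main__":
    for mode in ("any", "syn", "new"):
        print(f"{mode:>4}: {run_scenario(mode)}")
```

Without --syn the data packets of the host's existing sessions are dropped along with the new SYN, which is exactly the disruption described above; with --syn or --ctstate NEW only the SYN is dropped and the established sessions keep flowing, so the count falls back under the limit as they close. The --src-range check also shows why the host outside the range is never affected.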