Re: How to design syn-flood protection based on ip?

Marek Kierdelewicz wrote:
> Hello,
>
>> Any clue ?
>
> You're on the right track. Just use "hashlimit" module instead of
> "limit". Use option "--hashlimit-mode srcip". All necessary info is in
> iptables manpage.
>

Thanks a lot, what about this ruleset?

# Let packets of already established connections through first; without
# this the final DROP would also discard every non-SYN packet (handshake
# ACKs, data) and no TCP session could ever complete.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# One token bucket per source IP: 4 SYNs of burst, then 1 SYN/sec.
iptables -A INPUT -p tcp --syn -m hashlimit \
  --hashlimit 1/sec --hashlimit-burst 4 --hashlimit-htable-expire 300000 \
  --hashlimit-mode srcip --hashlimit-name testlimit -j ACCEPT
iptables -A INPUT -j DROP

The concept here is that the IP doing the SYN flood will be blacklisted
for 5 min and will be checked again after that interval.


> Best regards,
> Marek
>
>   
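Editor's note. To make the semantics of the hashlimit match above concrete, here is an added example that is not part of this thread and not netfilter code: a small Python model of what the kernel keeps per source IP. hashlimit maintains one token bucket per key (here the source address, from --hashlimit-mode srcip) with capacity --hashlimit-burst and refill rate --hashlimit RATE; --hashlimit-htable-expire is the idle time in milliseconds after which an entry is removed from the hash table. The SYN arrival times and addresses (10.0.0.1, 10.0.0.2) are constructed input, and the garbage collection is modelled as immediate rather than on the kernel's htable-gcinterval timer.

```python
"""Toy model of iptables' hashlimit match (constructed example, not netfilter code)."""
from dataclasses import dataclass

# Rate units accepted by hashlimit, as seconds per unit.
_UNIT_SECONDS = {"sec": 1.0, "min": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(spec: str) -> float:
    """Turn an iptables rate such as '1/sec' or '30/min' into tokens per second."""
    count, unit = spec.split("/")
    return float(count) / _UNIT_SECONDS[unit]


@dataclass
class Bucket:
    tokens: float     # credits left; one matching packet costs one credit
    last_seen: float  # time of the last packet from this key, in seconds


class HashLimit:
    """Per-key token bucket: --hashlimit RATE --hashlimit-burst N --hashlimit-htable-expire MS."""

    def __init__(self, rate: str, burst: int, htable_expire_ms: int):
        self.rate = parse_rate(rate)           # refill, tokens per second
        self.burst = float(burst)              # bucket capacity
        self.expire = htable_expire_ms / 1000  # idle seconds before an entry is forgotten
        self.table: dict[str, Bucket] = {}

    def _expire_idle(self, now: float) -> None:
        # The kernel's garbage collector removes entries idle for longer than
        # htable-expire; it runs every htable-gcinterval, so real removal is a
        # little later than modelled here (constructed simplification).
        stale = [k for k, b in self.table.items() if now - b.last_seen > self.expire]
        for key in stale:
            del self.table[key]

    def match(self, key: str, now: float) -> bool:
        """True if the packet is under the limit (the rule matches), else False."""
        self._expire_idle(now)
        bucket = self.table.get(key)
        if bucket is None:
            # Unknown or expired key: a new entry starts with a full burst.
            bucket = Bucket(tokens=self.burst, last_seen=now)
            self.table[key] = bucket
        else:
            elapsed = now - bucket.last_seen
            bucket.tokens = min(self.burst, bucket.tokens + elapsed * self.rate)
            bucket.last_seen = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


# Constructed SYN arrivals (source IP, seconds): a 5-packet burst from 10.0.0.1,
# one unrelated source, a steady retry every second, and a packet after the
# source has been idle for more than five minutes.
SYN_EVENTS = [
    ("10.0.0.1", 0.00), ("10.0.0.1", 0.05), ("10.0.0.1", 0.10), ("10.0.0.1", 0.15),
    ("10.0.0.1", 0.20),   # fifth SYN inside the burst window
    ("10.0.0.2", 0.25),   # different source, separate bucket
    ("10.0.0.1", 1.20),   # one second later, one token has refilled
    ("10.0.0.1", 1.30),   # too soon after the previous one
    ("10.0.0.1", 2.30),   # steady 1/sec keeps getting through
    ("10.0.0.1", 305.0),  # idle > 300 s: entry expired, fresh bucket
]


def run_ruleset(events, rate="1/sec", burst=4, htable_expire_ms=300000):
    """Apply the posted ruleset: ACCEPT when hashlimit matches, else the final DROP.

    Returns the per-packet verdicts and how many entries remain in the table.
    """
    limiter = HashLimit(rate, burst, htable_expire_ms)
    verdicts = ["ACCEPT" if limiter.match(src, t) else "DROP" for src, t in events]
    return verdicts, len(limiter.table)


if __name__ == "__main__":
    verdicts, live = run_ruleset(SYN_EVENTS)
    for (src, t), verdict in zip(SYN_EVENTS, verdicts):
        print(f"t={t:7.2f}s  {src:10s} {verdict}")
    print(f"entries still in the hash table: {live}")
```

Running it shows the behaviour a practitioner should expect from these parameters: after the burst of 4, a flooding source is throttled to one SYN per second rather than cut off, and htable-expire only decides how long an idle source's entry is kept before it is forgotten and begins again with a full burst. If the goal is to drop a source outright once it exceeds the rate, the match has to be expressed the other way round (matching packets above the limit with a DROP target) rather than accepting packets under it and dropping everything else.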
