J. Bakshi wrote:
> Marek Kierdelewicz wrote:
>
>>> Hello all,
>>>
>> Hello J.,
>>
>>> I am dared to see what "ab" (apache benchmarking tool) can do against
>>> an apache server. I have used the following against my server to check
>>> call handling
>>>
>> You can use hashlimit [1] match of iptables to limit concurrent
>> connections from single IP.
>>
>> [1] http://linux.die.net/man/8/iptables -> lookup hashlimit; note:
>> current versions of hashlimit can also use srcip as --hashlimit-mode;
>> that's probably what you want
>>
>> Cheers,
>> Marek Kierdelewicz
>>
>
> Hello Marek,
>
> thanks for your prompt reply. I'll look into the hashlimit as you
> suggest. Though a question in mind. Can it somehow affect the web
> access from general users? I need the protection but also don't like
> my protection makes the web service block general users somehow :-)
>
> Any real-life configuration is always welcome.
>
> Thanks
>

What about modifying

  iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

to

  iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80 \
  --hashlimit 200/sec --hashlimit-mode srcip --hashlimit-name http \
  -m state --state NEW -j ACCEPT

?

-- 
জয়দীপ বক্সী
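
An added example, not part of the original thread: a simplified Python model of the per-source token bucket that hashlimit applies in srcip mode, for estimating how a limit such as 200/sec treats an ordinary client compared with a benchmark run. The class and function names, addresses and traffic are constructed for illustration; the burst of 5 is hashlimit's documented default (--hashlimit-burst), and the model ignores hash-table entry expiry.

```python
# Simplified model of iptables hashlimit in srcip mode (not kernel code):
# one token bucket per source IP. Integer maths: time in ms, tokens in 1/1000.
from collections import defaultdict

COST = 1000  # milli-tokens consumed by one matching packet


class HashLimit:
    def __init__(self, rate_per_sec, burst=5):  # 5 = hashlimit default burst
        self.rate = rate_per_sec        # also milli-tokens refilled per ms
        self.cap = burst * COST
        self.buckets = {}               # srcip -> (milli_tokens, last_ms)

    def matches(self, srcip, now_ms):
        tokens, last = self.buckets.get(srcip, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        ok = tokens >= COST
        self.buckets[srcip] = (tokens - COST if ok else tokens, now_ms)
        return ok


def simulate(events, rate_per_sec, burst=5):
    """events: (time_ms, srcip) of NEW connections.
    Returns {srcip: (matched, not_matched)}; a not-matched packet falls
    through to whatever rule or policy follows the ACCEPT rule."""
    limiter = HashLimit(rate_per_sec, burst)
    counts = defaultdict(lambda: [0, 0])
    for t, ip in sorted(events):
        counts[ip][0 if limiter.matches(ip, t) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


# Constructed traffic (documentation addresses, not from the thread).
BROWSER, BENCH = "192.0.2.10", "192.0.2.66"


def sample_events():
    # Browser: 5 page loads, 2 s apart, 6 connections each, 20 ms spacing.
    ev = [(p * 2000 + i * 20, BROWSER) for p in range(5) for i in range(6)]
    # Benchmark client: one new connection per millisecond for 2 s.
    ev += [(t, BENCH) for t in range(2000)]
    return ev


if __name__ == "__main__":
    for ip, (ok, over) in simulate(sample_events(), 200).items():
        print(f"{ip}: matched={ok} over_limit={over}")
    # Six connections in the same millisecond against the default burst:
    print(simulate([(0, BROWSER)] * 6, 200))
```

In this model the paced browser is never limited, while a client that opens six connections in the same millisecond has the sixth fall through at the default burst; raising --hashlimit-burst widens that allowance.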