J. Bakshi wrote:
> J. Bakshi wrote:
>> Marek Kierdelewicz wrote:
>>>> Hello all,
>>>
>>> Hello J.,
>>>
>>>> I am dared to see what "ab" (apache benchmarking tool) can do against
>>>> an apache server. I have used the following against my server to check
>>>> call handling
>>>
>>> You can use hashlimit [1] match of iptables to limit concurrent
>>> connections from single IP.
>>>
>>> [1] http://linux.die.net/man/8/iptables -> lookup hashlimit; note:
>>> current versions of hashlimit can also use srcip as --hashlimit-mode;
>>> that's probably what you want
>>>
>>> Cheers,
>>> Marek Kierdelewicz
>>
>> Hello Marek,
>>
>> thanks for your prompt reply. I'll look into the hashlimit as you
>> suggest. Though a question in mind. Can it somehow affect the web
>> access from general users? I need the protection but also don't like
>> my protection makes the web service block general users somehow :-)
>>
>> Any real-life configuration is always welcome.
>>
>> Thanks
>
> What about modifying
>
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>
> to
>
> iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80 \
>   --hashlimit 200/sec --hashlimit-mode srcip --hashlimit-name http \
>   -m state --state NEW -j ACCEPT
>
> ?

I get success with

```
iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80 \
  --hashlimit 400/sec \
  --hashlimit-mode srcip --hashlimit-name http \
  -m state --state NEW -j ACCEPT
```

Now I'd like to add IP blocking for 1 min. I have added

```
--hashlimit-burst 200 --hashlimit-htable-expire 60000
```

and the rule failed to work at all. I think --hashlimit-burst needs to be set to work properly. But what is the actual concept of --hashlimit-burst? Is it really mandatory here to block IP? Please suggest. My rule is working fine but the IP blocking is missing only. Please let me know the actual concept behind --hashlimit-burst.
Thanks
--
জয়দীপ বক্সী
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
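The --hashlimit-burst question above, as an added illustration that is not part of the thread: a Python model of the per-source token bucket that xt_hashlimit keeps under --hashlimit-mode srcip, run with the rule's own numbers (400/sec, burst 200, expire 60000 ms). In that model --hashlimit is the refill rate, --hashlimit-burst is the bucket size a new entry starts with (the module default is 5), and --hashlimit-htable-expire only says how long an idle entry stays in the table; the IP addresses and traffic are constructed.

```python
# Added example (not from the thread): a model of xt_hashlimit's per-key token bucket; no iptables involved.
class HashlimitEntry:
    """One table entry, i.e. one source IP under --hashlimit-mode srcip.
    rate      : --hashlimit, tokens refilled per second
    burst     : --hashlimit-burst, bucket capacity and initial fill of a
                new entry (xt_hashlimit default is 5)
    expire_ms : --hashlimit-htable-expire, idle time after which the entry
                is garbage-collected; the next packet then gets a full bucket
    """
    def __init__(self, rate, burst, expire_ms, now):
        self.rate, self.burst, self.expire = rate, burst, expire_ms / 1000.0
        self.tokens, self.last = float(burst), now

    def match(self, now):
        """True if a packet arriving at `now` (seconds) is within the limit,
        i.e. the rule matches it and its target (here ACCEPT) fires."""
        idle = now - self.last
        if idle >= self.expire:
            self.tokens = float(self.burst)       # entry expired: fresh bucket
        else:
            self.tokens = min(self.burst, self.tokens + idle * self.rate)
        self.last = now                           # every packet refreshes the entry
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                              # over the limit: falls through

class HashlimitTable:
    """The --hashlimit-name table: one entry per source IP, created lazily."""
    def __init__(self, rate, burst, expire_ms):
        self.args, self.entries = (rate, burst, expire_ms), {}

    def match(self, src_ip, now):
        if src_ip not in self.entries:
            self.entries[src_ip] = HashlimitEntry(*self.args, now)
        return self.entries[src_ip].match(now)

def simulate(packets, rate=400, burst=200, expire_ms=60000):
    """packets: iterable of (time_s, src_ip) -> {ip: (matched, fell_through)}."""
    table, counts = HashlimitTable(rate, burst, expire_ms), {}
    for t, ip in sorted(packets):
        m, f = counts.get(ip, (0, 0))
        counts[ip] = (m + 1, f) if table.match(ip, t) else (m, f + 1)
    return counts

# Constructed traffic (TEST-NET addresses): 1000 SYNs at one instant from one host, three normal visits from another.
FLOOD = [(0.0, "198.51.100.7")] * 1000
NORMAL = [(0.0, "203.0.113.9"), (0.2, "203.0.113.9"), (0.4, "203.0.113.9")]
```

Packets over the limit simply do not match the rule and fall through to whatever comes next in the chain, so any blocking comes from a later DROP rule, not from hashlimit itself. At 400/sec the bucket is full again half a second after a flood stops, so the 60 s expire does not turn the rule into a one-minute block.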