Hello,

Zhu Jing wrote:
>
> My aim is to limit IP access to my squid server to 1000 times per day.
> If this IP's connection count is more than 1000, iptables will drop it.
>
> I have googled a lot, and wrote a weird script :P
>
> ===========
> #!/bin/sh
> # Start from an empty ruleset, then create a dedicated "squid" chain.
> iptables -F
> iptables -X
> iptables -Z
> iptables -N squid
> # Send every packet for port 80 through the squid chain.
> iptables -A INPUT -p tcp --dport 80 -j squid
> # Token bucket: 1000 tokens to start, refilled at 1 per hour.
> iptables -A squid -m limit --limit 1/hour --limit-burst 1000 -j RETURN
> iptables -A squid -j DROP
> service iptables save
> service iptables restart
> ==========
>
> iptables -A squid -m limit --limit 1/hour --limit-burst 1000 -j RETURN
>
> IMO this rule means: the limit-burst token bucket is set to 1000
> initially, each hour the token count goes up by 1, and when the token bucket
> is empty --> no match --> go to the next rule.
> But I tested it by using IE to refresh my server, and when I refresh
> more than 7 or 8 times, iptables starts to drop my connections. Why?

Because your rule limits packets, not connections. A single TCP connection involves multiple packets.
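To make the difference concrete, here is an added example (not from either poster) of the same chain rewritten so the token bucket is charged once per connection rather than once per packet. Only the SYN that opens a TCP connection is sent into the accounting chain, and the `hashlimit` match keeps a separate bucket per source address, which is what the original question actually asked for. The chain name `squid`, the hashlimit table name `squid_per_ip`, the log prefix and the `IPT`/`PORT` variables are choices made for this example; the rate and burst are the thread's own numbers.

```shell
#!/bin/sh
# Added example, not the original poster's script. IPT defaults to iptables;
# run with IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
PORT="${PORT:-80}"   # the port used in the thread (squid's own default is 3128)

# The thread's rule, kept for comparison: it matches every packet of every
# connection, so one browser refresh (SYN, ACKs, data, FIN) burns several
# tokens and the 1000-token burst is gone after a few dozen page loads.
packet_limit_rule() {
    "$IPT" -A squid -m limit --limit 1/hour --limit-burst 1000 -j RETURN
}

# Connection-based version. Each client IP gets its own bucket of 1000
# tokens; one token is spent per connection-opening SYN, and the bucket
# refills at one token per hour (the thread's values: after the burst is
# used up a client gets one new connection per hour, not 1000 per day).
connection_limit_rules() {
    "$IPT" -N squid 2>/dev/null || "$IPT" -F squid
    # Only SYNs (connection openers) on the proxy port enter the chain; the
    # rest of an established connection is never counted or dropped.
    # Run once: re-running appends a second copy of this jump rule.
    "$IPT" -A INPUT -p tcp --dport "$PORT" --syn -j squid
    # Per-source-IP token bucket. On very old iptables the option is
    # spelled --hashlimit instead of --hashlimit-upto.
    "$IPT" -A squid -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1000 \
        --hashlimit-mode srcip --hashlimit-name squid_per_ip -j RETURN
    # Log (itself rate-limited) before dropping, so over-limit clients are
    # visible in the kernel log rather than silently disappearing.
    "$IPT" -A squid -m limit --limit 5/min -j LOG --log-prefix "squid-ratelimit: "
    "$IPT" -A squid -j DROP
}

# When executed directly, load the connection-based rules.
[ "${SQUID_RL_NO_MAIN:-}" ] || connection_limit_rules
```

With `IPT=echo` the function prints the exact rules it would load, which is a convenient way to review them before touching a live firewall. The difference to watch for is the `--syn` qualifier on the jump into the chain: without it, every ACK and data segment of an open connection also spends a token, which is exactly the behaviour the original poster observed.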