On Wed, Jul 14, 2010 at 2:03 AM, ha do <haloha201@xxxxxxxxx> wrote: > i just setup the hashlimit for SIP REGISTER on iptables and the rule is: > -A INPUT -p udp -i eth0 --dport 5060 -m hashlimit --hashlimit 1/minute > --hashlimit-burst 2 --hashlimit-mode srcip,srcport --hashlimit-name "cucku" -m > string --string "REGISTER sip:" --algo bm --to 80 -j ACCEPT > i want the iptables just to accept 2 REGISTER packets per minute on per IP > address:port There might be other issues, but you need hashlimit 2/minute to accept 2 packets per minute. Having a burst of 2 by itself is not sufficient. Sometimes, due to network latency or other timing issues, you need to be even more accepting. For example, I've found that accepting "well-behaved" pings requires a minimum hashlimit of 61/min with burst of 2. When I lower either setting, iptables starts dropping the occasional ping packet. --Mike -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
