Re: Help!!! iptables hashlimit

On Wed, Jul 14, 2010 at 2:03 AM, ha do <haloha201@xxxxxxxxx> wrote:
> I just set up hashlimit for SIP REGISTER on iptables, and the rule is:
> -A INPUT -p udp -i eth0 --dport 5060 -m hashlimit --hashlimit 1/minute
> --hashlimit-burst 2 --hashlimit-mode srcip,srcport --hashlimit-name "cucku" -m
> string --string "REGISTER sip:" --algo bm --to 80 -j ACCEPT

> I want iptables to accept just 2 REGISTER packets per minute per IP
> address:port.

There might be other issues, but you need hashlimit 2/minute to accept
2 packets per minute.  Having a burst of 2 by itself is not
sufficient.

Sometimes, due to network latency or other timing issues, you need to
be even more accepting.  For example, I've found that accepting
"well-behaved" pings requires a minimum hashlimit of 61/min with burst
of 2.  When I lower either setting, iptables starts dropping the
occasional ping packet.

--Mike
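The point about rate versus burst can be checked with a small model of hashlimit's per-key token bucket. This is an added example, not code from the thread or from netfilter: it treats the bucket as continuous refill at the configured rate, starting full at `burst`, keyed on (srcip, srcport) as the quoted rule does, and feeds it constructed timestamps of two REGISTERs per minute from one phone.

```python
"""Simplified model of iptables -m hashlimit as a per-key token bucket.

Assumptions (constructed example, not the kernel's xt_hashlimit code):
the bucket starts full at `burst` tokens, refills continuously at
`rate_per_minute`, never exceeds `burst`, and a packet is accepted only
when a whole token is available. Exact fractions avoid float rounding.
"""
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class HashlimitBucket:
    rate_per_minute: int            # --hashlimit N/minute
    burst: int                      # --hashlimit-burst
    tokens: Fraction = field(init=False)
    last_ts: int = 0                # seconds

    def __post_init__(self):
        self.tokens = Fraction(self.burst)      # a new key starts with a full bucket

    def accept(self, ts: int) -> bool:
        """Return True if a packet arriving at `ts` seconds is accepted."""
        refill = Fraction(ts - self.last_ts) * Fraction(self.rate_per_minute, 60)
        self.last_ts = ts
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(packets, rate_per_minute, burst):
    """packets: iterable of (ts_seconds, srcip, srcport). Returns one verdict per packet."""
    buckets = {}
    verdicts = []
    for ts, ip, port in packets:
        key = (ip, port)            # --hashlimit-mode srcip,srcport
        bucket = buckets.setdefault(key, HashlimitBucket(rate_per_minute, burst))
        verdicts.append(bucket.accept(ts))
    return verdicts


# Constructed traffic: one phone sends two REGISTERs per minute for three minutes.
REGISTERS = [(60 * m + offset, "192.0.2.10", 5060) for m in range(3) for offset in (0, 10)]

if __name__ == "__main__":
    print(simulate(REGISTERS, 1, 2))    # quoted rule: burst covers minute 0 only
    print(simulate(REGISTERS, 2, 2))    # 2/minute with burst 2: all six accepted
```

After the initial burst is spent, 1/minute lets through only one of each minute's two REGISTERs; raising the rate to 2/minute is what sustains two per minute.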