Hi Curby
thank you for your reply
SIP server and sip endpoint is in the same LAN so what do you think about
network lantency
do i test with this:
-A INPUT -p udp -i eth0 --dport 5060 -m hashlimit --hashlimit 70/minute
--hashlimit-burst 10 --hashlimit-mode srcip,srcport --hashlimit-name "cucku" -m
string --string "REGISTER sip:" --algo bm --to 80 -j ACCEPT
the iptables still drop packet
i checked again the man page and see :
[--hashlimit-htable-gcinterval] interval between garbage collection runs
could you guide me how to use it
Thank you
Ha`
----- Original Message ----
From: Curby <curby@xxxxxx>
To: ha do <haloha201@xxxxxxxxx>
Cc: netfilter@xxxxxxxxxxxxxxx
Sent: Wed, July 14, 2010 3:39:51 PM
Subject: Re: Help!!! iptables hashlimit
On Wed, Jul 14, 2010 at 2:03 AM, ha do <haloha201@xxxxxxxxx> wrote:
> i just setup the hashlimit for SIP REGISTER on iptables and the rule is:
> -A INPUT -p udp -i eth0 --dport 5060 -m hashlimit --hashlimit 1/minute
> --hashlimit-burst 2 --hashlimit-mode srcip,srcport --hashlimit-name "cucku"
>-m
> string --string "REGISTER sip:" --algo bm --to 80 -j ACCEPT
> i want the iptables just to accept 2 REGISTER packets per minute on per IP
> address:port
There might be other issues, but you need hashlimit 2/minute to accept
2 packets per minute. Having a burst of 2 by itself is not
sufficient.
Sometimes, due to network latency or other timing issues, you need to
be even more accepting. For example, I've found that accepting
"well-behaved" pings requires a minimum hashlimit of 61/min with burst
of 2. When I lower either setting, iptables starts dropping the
occasional ping packet.
--Mike
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
