Re: Help!!! iptables hashlimit

Hi Curby

thank you for your reply
The SIP server and SIP endpoint are in the same LAN, so what do you think about 
network latency?

Should I test with this:
# -m string is listed first so that only REGISTER packets are counted against the limit; any other UDP/5060 packet from the same srcip:srcport would otherwise consume a hashlimit token before the string match fails (--to 80 searches only the first 80 bytes of payload)
-A INPUT -p udp -i eth0 --dport 5060 -m string --string "REGISTER sip:" --algo bm --to 80 -m hashlimit --hashlimit 70/minute --hashlimit-burst 10 --hashlimit-mode srcip,srcport --hashlimit-name "cucku" -j ACCEPT


iptables still drops packets.

I checked the man page again and see:
[--hashlimit-htable-gcinterval] interval between garbage collection runs

Could you guide me on how to use it?

Thank you
Ha

----- Original Message ----
From: Curby <curby@xxxxxx>
To: ha do <haloha201@xxxxxxxxx>
Cc: netfilter@xxxxxxxxxxxxxxx
Sent: Wed, July 14, 2010 3:39:51 PM
Subject: Re: Help!!! iptables hashlimit

On Wed, Jul 14, 2010 at 2:03 AM, ha do <haloha201@xxxxxxxxx> wrote:
> I just set up the hashlimit for SIP REGISTER on iptables and the rule is:
> -A INPUT -p udp -i eth0 --dport 5060 -m hashlimit --hashlimit 1/minute --hashlimit-burst 2 --hashlimit-mode srcip,srcport --hashlimit-name "cucku" -m string --string "REGISTER sip:" --algo bm --to 80 -j ACCEPT

> I want iptables to accept just 2 REGISTER packets per minute per IP
> address:port

There might be other issues, but you need hashlimit 2/minute to accept
2 packets per minute.  Having a burst of 2 by itself is not
sufficient.

Sometimes, due to network latency or other timing issues, you need to
be even more accepting.  For example, I've found that accepting
"well-behaved" pings requires a minimum hashlimit of 61/min with burst
of 2.  When I lower either setting, iptables starts dropping the
occasional ping packet.

--Mike
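An added illustration, not part of this thread or of the netfilter project: a small Python model of what hashlimit does per srcip,srcport key. `--hashlimit N/minute` refills N tokens per 60 s, `--hashlimit-burst B` is the bucket capacity (starting full), and each packet that reaches the hashlimit match spends one token. The model is idealised (continuous refill, exact fractions; the kernel keeps integer credits, so it is not a bit-for-bit replica). It replays constructed SIP traffic from a made-up endpoint 10.0.0.20:5060 through the two rates discussed above, and also through the two possible match orders, because iptables stops evaluating a rule at the first match that fails: with `-m hashlimit` listed before `-m string`, every UDP/5060 packet spends a token even when it is not a REGISTER.

```python
from collections import namedtuple
from fractions import Fraction

# Constructed sample traffic (not captured from the original poster's network).
Packet = namedtuple("Packet", "t src sport method")


class HashLimit:
    """Idealised model of xt_hashlimit: one token bucket per key.

    per_minute -> --hashlimit N/minute   (refill N tokens per 60 s)
    burst      -> --hashlimit-burst B    (capacity B, bucket starts full)
    key        -> --hashlimit-mode srcip,srcport
    Exact Fraction arithmetic; the real module uses integer credits, so this
    is an assumption-level approximation of the accounting, not the kernel.
    """

    def __init__(self, per_minute, burst):
        self.rate = Fraction(per_minute, 60)   # tokens per second
        self.burst = Fraction(burst)
        self.buckets = {}                      # key -> [tokens, last_seen]

    def match(self, key, now):
        """True if the packet is within the limit; always does the accounting."""
        now = Fraction(now)
        b = self.buckets.get(key)
        if b is None:
            b = [self.burst, now]
            self.buckets[key] = b
        else:
            b[0] = min(self.burst, b[0] + (now - b[1]) * self.rate)
            b[1] = now
        if b[0] >= 1:
            b[0] -= 1
            return True
        return False


def is_register(pkt):
    """Stands in for: -m string --string "REGISTER sip:" --algo bm --to 80"""
    return pkt.method == "REGISTER"


def run_rule(packets, per_minute, burst, string_first):
    """Evaluate the ACCEPT rule packet by packet in the order iptables does:
    the first failing match ends the rule, later matches never run.
    Returns (times of accepted REGISTERs, times of REGISTERs the rule let
    fall through to whatever follows it)."""
    hl = HashLimit(per_minute, burst)
    accepted, dropped = [], []
    for p in sorted(packets, key=lambda q: q.t):
        key = (p.src, p.sport)
        if string_first:
            matched = is_register(p) and hl.match(key, p.t)
        else:
            matched = hl.match(key, p.t) and is_register(p)
        if is_register(p):
            (accepted if matched else dropped).append(p.t)
    return accepted, dropped


# One endpoint re-REGISTERing every 30 s (2/minute) for five minutes.
REGISTERS_30S = [Packet(t, "10.0.0.20", 5060, "REGISTER") for t in range(0, 300, 30)]
# The same endpoint REGISTERing once a minute, with two OPTIONS keepalives
# from the same ip:port arriving 1 s and 0.5 s before each re-REGISTER.
REGISTERS_60S = [Packet(t, "10.0.0.20", 5060, "REGISTER") for t in range(0, 300, 60)]
OPTIONS = [Packet(t - d, "10.0.0.20", 5060, "OPTIONS")
           for t in range(60, 300, 60) for d in (1, 0.5)]


def rate_too_low():
    # Original rule: 1/minute, burst 2 -> two pass, then only one per minute.
    return run_rule(REGISTERS_30S, 1, 2, string_first=True)


def rate_matches_load():
    # Curby's suggestion: 2/minute refills a token every 30 s, so all pass.
    return run_rule(REGISTERS_30S, 2, 2, string_first=True)


def hashlimit_before_string():
    # Match order as posted: the OPTIONS packets spend the bucket first.
    return run_rule(REGISTERS_60S + OPTIONS, 2, 2, string_first=False)


def string_before_hashlimit():
    # String match first: only REGISTER packets ever touch the bucket.
    return run_rule(REGISTERS_60S + OPTIONS, 2, 2, string_first=True)


if __name__ == "__main__":
    for name, fn in [("1/min burst 2, REGISTER every 30 s", rate_too_low),
                     ("2/min burst 2, REGISTER every 30 s", rate_matches_load),
                     ("2/min burst 2, hashlimit before string, OPTIONS too", hashlimit_before_string),
                     ("2/min burst 2, string before hashlimit, OPTIONS too", string_before_hashlimit)]:
        acc, drop = fn()
        print(f"{name}: accepted at {acc}, fell through at {drop}")
```

The first two runs show Curby's point: burst only sets how many packets pass before the bucket is empty, and the steady-state budget is the rate itself. The last two show why match order matters for a rule like this: with burst 2 there is exactly one token of slack, so two non-REGISTER packets from the same ip:port arriving just before a REGISTER are enough to make it fall through when hashlimit is evaluated first, while with the string match first they never reach the bucket.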



--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html