Limitation of connection rate (SYN packets) without timing restrictions.

Dear All,

I'd like to know whether we can (by using iptables rules) restrict connection rates in the following way: we need to limit the number of TCP connection requests per second, but without restrictions on which exact time slot within the one-second period the connection attempts (SYN packets) arrive in.

Let's consider the following scenario: the connection rate limitation specified in iptables should accept just 10 new TCP connections (SYN packets) per second. By using the limit or hashlimit match module we can achieve that, but based on our tests, iptables works in such a way that just one SYN packet is accepted within 1/10 s (i.e. 100 ms). It means that if, for example, 9 SYN packets arrive in the first 100 ms, then just one packet is accepted and the rest are rejected, even when no new SYN packet arrives within the subsequent 900 ms. I know that we could set the burst value to any number higher than one, but it doesn't solve the problem if several SYN packets arrive at the beginning of the time period and the previous time period was fully loaded.

I'd like to know whether it is feasible to set up iptables so that some total number of new connection requests (coming from ANY IP address but aimed at some specific port) can be accepted regardless of exact timing.

Best regards and thanks for your ideas in advance, 

Michal Bliznak
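The three behaviours discussed in the post (what `-m limit` does with burst 1, what it does with a larger burst, and the "N per second regardless of timing" the poster is asking for) are easiest to compare by replaying the same SYN arrival pattern through each. The following is an added example, not code from the poster or from the netfilter project: it models the `limit`/`hashlimit` match as a token bucket (rate = `--limit`, bucket capacity = `--limit-burst`, which is the documented semantics of those matches), alongside a sliding one-second window and a fixed wall-clock-second window. The arrival timestamps are constructed, not captured traffic, and the iptables rule in the comment is only the rule the model corresponds to.

```python
from collections import deque
from fractions import Fraction

# Rule this models (added example, not from the post):
#   iptables -A INPUT -p tcp --syn --dport 80 \
#       -m limit --limit 10/s --limit-burst 10 -j ACCEPT
RATE_PER_S = 10   # --limit 10/s
LIMIT = 10        # "10 new connections per second"


class TokenBucket:
    """Model of the credit bucket behind `-m limit` / `-m hashlimit`.

    `burst` is the bucket capacity (--limit-burst), `rate_per_s` the steady
    refill rate. Assumption made here: an arrival is accepted iff at least one
    whole token is available after refilling for the elapsed time. Fractions
    keep the arithmetic exact so the edge cases below are not float artefacts."""

    def __init__(self, rate_per_s, burst):
        self.rate = Fraction(rate_per_s, 1000)   # tokens per millisecond
        self.burst = Fraction(burst)
        self.tokens = self.burst                 # bucket starts full
        self.last_ms = 0

    def allow(self, t_ms):
        refill = (t_ms - self.last_ms) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = t_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class SlidingWindow:
    """Accept at most `limit` arrivals in any trailing `window_ms` interval."""

    def __init__(self, limit, window_ms=1000):
        self.limit, self.window_ms = limit, window_ms
        self.accepted = deque()                  # timestamps of accepted SYNs

    def allow(self, t_ms):
        while self.accepted and t_ms - self.accepted[0] >= self.window_ms:
            self.accepted.popleft()
        if len(self.accepted) < self.limit:
            self.accepted.append(t_ms)
            return True
        return False


class FixedWindow:
    """Accept at most `limit` arrivals per wall-clock second, no matter where
    inside that second they land: the semantics the post asks for."""

    def __init__(self, limit, window_ms=1000):
        self.limit, self.window_ms = limit, window_ms
        self.slot, self.count = None, 0

    def allow(self, t_ms):
        slot = t_ms // self.window_ms
        if slot != self.slot:
            self.slot, self.count = slot, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


def replay(policy, arrivals_ms):
    """Return how many of the SYN arrivals (ms timestamps) the policy accepts."""
    return sum(1 for t in arrivals_ms if policy.allow(t))


# Constructed arrival patterns in milliseconds (not captured traffic).
# 9 SYNs inside the first 90 ms, then silence: the post's first scenario.
NINE_EARLY = [i * 10 for i in range(9)]
# 10 SYNs at the very end of second 0, then 10 more at the start of second 1:
# the "previous period fully loaded" case from the post.
BACK_TO_BACK = [900 + i * 10 for i in range(10)] + [1000 + i * 10 for i in range(10)]


def compare(arrivals_ms):
    """Accepted-SYN count per policy for one arrival pattern."""
    return {
        "limit burst=1": replay(TokenBucket(RATE_PER_S, 1), arrivals_ms),
        "limit burst=10": replay(TokenBucket(RATE_PER_S, 10), arrivals_ms),
        "sliding 10/s": replay(SlidingWindow(LIMIT), arrivals_ms),
        "fixed 10/s": replay(FixedWindow(LIMIT), arrivals_ms),
    }


if __name__ == "__main__":
    for name, arrivals in (("nine early", NINE_EARLY), ("back to back", BACK_TO_BACK)):
        print(name, compare(arrivals))
```

Replaying the first pattern shows the behaviour the post observed: with burst 1 only one of the nine early SYNs gets through, while burst 10 (the bucket sized to the per-second limit) accepts all nine. The second pattern shows why raising the burst is not the same as a per-second quota: after ten SYNs drain the bucket at the end of second 0, the token bucket admits just one of the ten that arrive in the first 100 ms of second 1, a sliding window admits none, and only the fixed wall-clock window admits all twenty. Note that `-m limit` and `-m hashlimit` implement the token-bucket row of this comparison, so the choice of `--limit-burst` (default 5 for `limit`) is what controls how much of a clustered arrival pattern survives.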
        

