请教关于iptables 防CC的策略。

井蛙夏虫

回复 1# cnmt
在我的系统上(fedora 16):
man iptables

1. --hitcount hits
   
2.               This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the  match  to  only  happen
   
3.               when  the  address  is in the list and packets had been received greater than or equal to the given value. This option may be used
   
4.               along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame.The maximum
   
5.               value  for the hitcount parameter is given by the "ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this value
   
6.               on the command line will cause the rule to be rejected.
   

复制代码

1. The module itself accepts parameters, defaults shown:
   
2. ip_pkt_list_tot=20
   
3.               Number of packets per address remembered.

复制代码

井蛙夏虫

回复 12# cnmt
http://bbs.chinaunix.net/thread-4081206-1-1.html