Original post by thatday on 2006-3-3 11:47:
This seems to need the connlimit and random modules? I happen not to have compiled those two. I'd like to know: without going through iptables, is there really no other way on the existing setup?
Why would you need to compile those two modules? Aren't they already in the existing iptables?
man iptables
connlimit
Allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).
[!] --connlimit-above n
match if the number of existing tcp connections is (not) above n
--connlimit-mask bits
group hosts using mask
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT
connmark
This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below).
--mark value[/mask]
Matches packets in connections with the given mark value (if a mask is specified, this is logically ANDed with the mark before the comparison).
dstlimit
THIS MODULE IS DEPRECATED AND HAS BEEN REPLACED BY `hashlimit'
--dstlimit avg
Maximum average match rate (packets per second unless followed by /sec /minute /hour /day postfixes).
--dstlimit-mode mode
The limiting hashmode. Is the specified limit per dstip, dstip-dstport tuple, srcip-dstip tuple, or per srcip-dstip-dstport tuple.
--dstlimit-name name
Name for /proc/net/ipt_dstlimit/* file entry
[--dstlimit-burst burst]
Number of packets to match in a burst. Default: 5
[--dstlimit-htable-size size]
Number of buckets in the hashtable
[--dstlimit-htable-max max]
Maximum number of entries in the hashtable
[--dstlimit-htable-gcinterval interval]
Interval between garbage collection runs of the hashtable (in milliseconds). Default is 1000 (1 second).
[--dstlimit-htable-expire time]
After which time are idle entries expired from the hashtable (in milliseconds)? Default is 10000 (10 seconds).
ecn
This allows you to match the ECN bits of the IPv4 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
--ecn-tcp-cwr
This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
--ecn-tcp-ece
This matches if the TCP ECN ECE (ECN Echo) bit is set.
limit
--limit rate
Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.
--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
mac
--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).
--mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison).
mport
This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.
--source-ports port[,port[,port...]]
Match if the source port is one of the given ports. The flag --sports is a convenient alias for this option.
--destination-ports port[,port[,port...]]
Match if the destination port is one of the given ports. The flag --dports is a convenient alias for this option.
--ports port[,port[,port...]]
Match if both the source and destination ports are equal to each other and to one of the given ports.
[ This post was last edited by 枫影谁用了 on 2006-3-3 13:46 ]
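A small model of how the connlimit match in the man page examples above decides on a new SYN, including the --connlimit-mask grouping by address block. This is an added example written for this thread, not code from the post or from iptables; the connection table is constructed, and it assumes (as the kernel match does) that the connection being opened is counted together with the existing ones, which is what makes "--connlimit-above 2 -j REJECT" allow exactly two sessions per host.

```python
import ipaddress

# Constructed connection table (stands in for the kernel's conntrack view):
# source addresses of TCP connections currently open to this server.
EXISTING_CONNECTIONS = (
    ["10.0.1.5", "10.0.1.5"]                  # one host, two sessions
    + [f"10.0.2.{h}" for h in range(7, 23)]    # 16 distinct hosts in 10.0.2.0/24
)


def group_key(ip, mask_bits):
    """Apply --connlimit-mask: reduce an address to its /mask_bits block.
    mask_bits=32 means every host is counted on its own."""
    return str(ipaddress.ip_network(f"{ip}/{mask_bits}", strict=False))


def connlimit_matches(new_src, existing, above, mask_bits=32, negate=False):
    """Model of `-m connlimit [!] --connlimit-above N --connlimit-mask M`
    evaluated for a new --syn packet from new_src.

    The connection being opened is counted together with the existing ones,
    so `--connlimit-above 2` rejects the third session from a host.
    negate=True models the `!` form used in the ACCEPT example.
    """
    key = group_key(new_src, mask_bits)
    count = 1 + sum(1 for ip in existing if group_key(ip, mask_bits) == key)
    above_limit = count > above
    return (not above_limit) if negate else above_limit


def telnet_rule_rejects(new_src, existing=EXISTING_CONNECTIONS):
    # iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
    return connlimit_matches(new_src, existing, above=2)


def http_rule_rejects(new_src, existing=EXISTING_CONNECTIONS):
    # iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
    #          --connlimit-mask 24 -j REJECT
    return connlimit_matches(new_src, existing, above=16, mask_bits=24)


if __name__ == "__main__":
    for src in ("10.0.1.5", "10.0.1.6"):
        print(f"telnet SYN from {src}: {'REJECT' if telnet_rule_rejects(src) else 'pass'}")
    for src in ("10.0.2.99", "10.0.3.1"):
        print(f"http SYN from {src}: {'REJECT' if http_rule_rejects(src) else 'pass'}")
```

Note that with the /24 mask a host that has no connections of its own (10.0.2.99) is still rejected because its block already holds 16; without the mask the same SYN passes.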