Regarding the second point, for concurrency and connection count, I plan to add the connlimit module to iptables.
connlimit, formerly known as iplimit, is another new addition to iptables, and still lacks support in the mainstream kernel. A patch for kernel connlimit support exists in the patch-o-matic set available at netfilter.org.
connlimit allows matches to be made based on the number of connections currently open from a particular host or group of hosts.
Examples:
# allow 2 telnet connections per client host; for smtp, change 23 to 25
# (the rule must be appended to a chain, here INPUT, or iptables reports "no command specified")
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
It more or less meets the requirement, since smtp connections are short-lived; if that many come in at the same moment in total, that counts as concurrent...
As for the third point, I haven't found a ready-made approach yet...
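A fuller version of the connlimit idea in the post above, written as an added example that is not part of the original post or of the netfilter documentation it quotes. It limits SMTP (port 25) both per client address and per group of hosts, using --connlimit-mask to define the group; on current kernels connlimit is built into mainline as xt_connlimit (since 2.6.23), so no patch-o-matic patch is needed. The chain name SMTP_LIMIT, the limits 5 per host and 20 per /24, the IPTABLES and APPLY variables, and the dry-run behaviour are all assumptions of this example. With APPLY unset the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post: a connlimit rule set for SMTP.
# Assumptions: chain name SMTP_LIMIT, limits of 5 per host / 20 per /24,
# IPTABLES = path of the iptables binary, APPLY=1 to really run the commands.
set -eu

IPTABLES=${IPTABLES:-iptables}
APPLY=${APPLY:-0}

# run_rule: echo the iptables command, and execute it only when APPLY=1,
# so the rule set can be reviewed (dry run) before it touches the firewall.
run_rule() {
    echo "$IPTABLES $*"
    if [ "$APPLY" = 1 ]; then
        "$IPTABLES" "$@"
    fi
}

# connlimit_rules PORT PER_HOST PER_NET MASK
# A new TCP connection (SYN) to PORT is rejected with a RST when the client
# already holds more than PER_HOST open connections, or when all clients in
# its /MASK block together hold more than PER_NET. connlimit keeps its own
# list of connections it has seen that conntrack still tracks, and is meant
# to be evaluated once per connection, which is why "-p tcp --syn" stays on
# every rule.
connlimit_rules() {
    port=$1; per_host=$2; per_net=$3; mask=$4

    run_rule -N SMTP_LIMIT
    # Hand only new connections to the limiting chain; established traffic
    # never reaches the connlimit matches.
    run_rule -A INPUT -p tcp --syn --dport "$port" -j SMTP_LIMIT
    # Per-host limit: mask 32 means one IPv4 address per counter.
    run_rule -A SMTP_LIMIT -p tcp --syn --dport "$port" \
        -m connlimit --connlimit-above "$per_host" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
    # Per-network limit: a "group of hosts" is every address sharing the
    # first MASK bits, e.g. mask 24 = one counter per /24.
    run_rule -A SMTP_LIMIT -p tcp --syn --dport "$port" \
        -m connlimit --connlimit-above "$per_net" --connlimit-mask "$mask" \
        -j REJECT --reject-with tcp-reset
    # Everything under both limits returns to INPUT for the normal policy.
    run_rule -A SMTP_LIMIT -j RETURN
}

# Dry run by default: prints the five commands. APPLY=1 ./connlimit.sh applies them.
connlimit_rules 25 5 20 24
```

The script assumes the SMTP_LIMIT chain does not exist yet; when applying for real, run it as root and check the result with `iptables -L SMTP_LIMIT -n -v`. Note that --connlimit-above N allows N open connections and rejects the (N+1)th, and that the per-network counter must be set higher than the per-host one, otherwise the /24 rule alone decides.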