Re: [squid-users] iptables to limit connections

From: Ralf Hildebrandt <Ralf.Hildebrandt@dont-contact.us>
Date: Mon, 16 Jun 2003 10:45:00 +0200

* Henrik Nordstrom <hno@squid-cache.org>:

> > So I thought iptables --limit could do the trick.
> > Before I reinvent the whell, I'd like to ask if someone already has
> > such a "connection rate limiter per IP" in place (and how it
> > looks).
>
> iptables -m limit should handle such case nicely, but you will need
> one rule per client IP address... Something like the following should
> work I think:
>
> -N SYN
> -A SYN -s ip.of.first.client -m limit --limit ... -j ACCEPT
> -A SYN -s ip.of.second.client -m limit --limit ... -j ACCEPT
> ....
> -A SYN -m limit ... -j LOG --log-prefix "SYNRATE "
> -A SYN -j DROP
> -A INPUT -p tcp --syn -J SYN

Yes, but this requires identifying the evil client.

-- 
Ralf Hildebrandt (Im Auftrag des Referat V a)   Ralf.Hildebrandt@charite.de
Charite Campus Mitte                            Tel.  +49 (0)30-450 570-155
Referat V a - Kommunikationsnetze -             Fax.  +49 (0)30-450 570-916
AIM: ralfpostfix
Received on Mon Jun 16 2003 - 02:45:07 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:22 MST