* Henrik Nordstrom <hno@squid-cache.org>:
> > So I thought iptables --limit could do the trick.
> > Before I reinvent the wheel, I'd like to ask if someone already has
> > such a "connection rate limiter per IP" in place (and how it
> > looks).
>
> iptables -m limit should handle such case nicely, but you will need
> one rule per client IP address... Something like the following should
> work I think:
>
> -N SYN
> -A SYN -s ip.of.first.client -m limit --limit ... -j ACCEPT
> -A SYN -s ip.of.second.client -m limit --limit ... -j ACCEPT
> ....
> -A SYN -m limit ... -j LOG --log-prefix "SYNRATE "
> -A SYN -j DROP
> -A INPUT -p tcp --syn -j SYN
Yes, but this requires identifying the evil client.
--
Ralf Hildebrandt (on behalf of Referat V a)    Ralf.Hildebrandt@charite.de
Charite Campus Mitte                           Tel. +49 (0)30-450 570-155
Referat V a - Communication Networks -         Fax. +49 (0)30-450 570-916
AIM: ralfpostfix

Received on Mon Jun 16 2003 - 02:45:07 MDT
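The `-m limit` match Henrik sketches is a token bucket: it starts with `--limit-burst` tokens, refills at the `--limit` rate, and matches only while a token is available. The following Python simulation is an added example, not code from this thread or from the netfilter project: it keeps one such bucket per source address, created the first time an address is seen, and runs it over constructed SYN traffic from a polite client and a noisy one. It goes one step beyond the rules quoted above by showing what a per-client limiter does without a rule per known IP; the addresses, the rate of 3/second with a burst of 5, and the `render_rules` helper (which reproduces the rule layout from the thread for comparison) are all assumptions made for the example.

```python
from collections import defaultdict


class TokenBucket:
    """Token bucket with the semantics of netfilter's -m limit: the bucket
    starts full (--limit-burst tokens), refills at --limit tokens per second,
    and a packet matches only if a whole token is available."""

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = self.burst
        self.last = None

    def allow(self, now):
        if self.last is not None:
            # Refill for the time elapsed since the previous packet, capped at burst.
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def classify_syns(events, rate_per_sec, burst):
    """events: iterable of (timestamp_seconds, source_ip) for SYN packets.
    A bucket is created per source address on first sight, so no client has
    to be identified in advance. Returns [(timestamp, ip, 'ACCEPT'|'DROP'), ...]."""
    buckets = defaultdict(lambda: TokenBucket(rate_per_sec, burst))
    return [
        (t, src, "ACCEPT" if buckets[src].allow(t) else "DROP")
        for t, src in sorted(events)
    ]


def summarize(decisions):
    """Count accepted and dropped SYNs per source -> {ip: (accepted, dropped)}."""
    counts = defaultdict(lambda: [0, 0])
    for _, src, verdict in decisions:
        counts[src][0 if verdict == "ACCEPT" else 1] += 1
    return {src: tuple(v) for src, v in counts.items()}


def sample_events():
    """Constructed traffic (hypothetical addresses): 10.0.0.1 opens one
    connection per second for ten seconds; 10.0.0.2 fires 20 SYNs in one second."""
    polite = [(float(s), "10.0.0.1") for s in range(10)]
    noisy = [(i / 20, "10.0.0.2") for i in range(20)]
    return polite + noisy


def render_rules(client_ips, limit, burst):
    """Emit the rule layout from the thread (one -m limit rule per known
    client) as iptables-restore style lines, for side-by-side comparison."""
    lines = ["-N SYN"]
    for ip in client_ips:
        lines.append(f"-A SYN -s {ip} -m limit --limit {limit} --limit-burst {burst} -j ACCEPT")
    lines.append('-A SYN -m limit --limit 1/minute -j LOG --log-prefix "SYNRATE "')
    lines.append("-A SYN -j DROP")
    lines.append("-A INPUT -p tcp --syn -j SYN")
    return lines


if __name__ == "__main__":
    verdicts = classify_syns(sample_events(), rate_per_sec=3, burst=5)
    for ip, (ok, dropped) in summarize(verdicts).items():
        print(f"{ip}: {ok} accepted, {dropped} dropped")
    print("\n".join(render_rules(["10.0.0.1", "10.0.0.2"], "3/second", 5)))
```

With these parameters the polite client keeps all ten SYNs while the noisy one gets five from the initial burst plus two from refills and loses the other thirteen, without anyone having named it in advance. In the kernel, the netfilter hashlimit match (`-m hashlimit --hashlimit-mode srcip`) keeps this kind of per-source bucket itself, which is the usual way to get per-client limiting without a rule per address.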
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:22 MST