Iptables - Hashlimit Module: Difference between revisions
From QBWiki
Pascal (talk | contribs)
Revision as of 25 February 2019, 10:29
--hashlimit-name (mandatory)
A descriptive name to identify your rule. This saves a lot of time when it comes to troubleshooting, because you can then watch the rule's hash table under /proc/net/ipt_hashlimit/<hashlimit-name>
--hashlimit-upto:
The number of packets per time interval up to which the rule still matches (the policy in -j is applied while the rate is at or below this value).
<amount>/second, /minute, /hour, /day
--hashlimit-above:
The number of packets per time interval above which the rule matches (the policy in -j is applied once the rate exceeds this value).
<amount>/second, /minute, /hour, /day
Example
Limit new SSH connections
INPUT policy = DROP
# A maximum of 2 packets (the burst) from one source IP can reach your server at once; after that one
# packet is allowed every 12 seconds (5/minute), the rest will be dropped.
# Each time 12 seconds have elapsed, another packet will be let through.
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m hashlimit --hashlimit-name SSH_LIMIT1 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/minute --hashlimit-burst 2 --hashlimit-htable-expire 30000 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j DROP
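To see what the two rules above actually do to a stream of SYN packets, here is an added token-bucket model of the hashlimit match (example code written for this page, not the wiki's own or the kernel's implementation). It assumes the rule's parameters (5/minute, burst 2, srcmask 32, expire 30000 ms) and uses constructed packet timestamps; source addresses are documentation addresses.

```python
import ipaddress


class HashlimitSrcip:
    """Model of -m hashlimit --hashlimit-mode srcip with --hashlimit-upto/--hashlimit-burst.

    Every source address (masked with srcmask) gets its own credit bucket. A packet
    costs one interval worth of credit (12000 ms for 5/minute); credit refills with
    wall-clock time up to burst * cost, and an entry idle longer than expire_ms is
    dropped from the table and recreated with full credit on the next packet.
    """

    def __init__(self, upto_per_minute, burst, srcmask=32, expire_ms=30000):
        self.cost = 60_000 // upto_per_minute  # ms of credit one packet consumes
        self.cap = burst * self.cost           # --hashlimit-burst: maximum stored credit
        self.srcmask = srcmask                 # --hashlimit-srcmask
        self.expire_ms = expire_ms             # --hashlimit-htable-expire
        self.table = {}                        # key -> (credit_ms, last_seen_ms)

    def _key(self, src_ip):
        net = ipaddress.ip_network(f"{src_ip}/{self.srcmask}", strict=False)
        return str(net.network_address)

    def match(self, src_ip, now_ms):
        """True if the packet is within the limit (rule matches -> ACCEPT)."""
        key = self._key(src_ip)
        entry = self.table.get(key)
        if entry is None or now_ms - entry[1] >= self.expire_ms:
            credit = self.cap  # new (or expired and recreated) entry starts with full burst
        else:
            credit, last = entry
            credit = min(self.cap, credit + (now_ms - last))
        if credit >= self.cost:
            self.table[key] = (credit - self.cost, now_ms)
            return True
        self.table[key] = (credit, now_ms)
        return False  # over the limit: falls through to the DROP rule


def simulate(packets, upto_per_minute=5, burst=2, srcmask=32, expire_ms=30000):
    """Run (src_ip, time_ms) packets through the rule; returns one bool per packet."""
    rule = HashlimitSrcip(upto_per_minute, burst, srcmask, expire_ms)
    return [rule.match(ip, t) for ip, t in packets]


# Constructed sample: one client sends 3 SYNs at once, then retries at 5 s, 12 s, 13 s, 24 s.
SAMPLE = [("203.0.113.5", t) for t in (0, 0, 0, 5000, 12000, 13000, 24000)]

if __name__ == "__main__":
    for (ip, t), ok in zip(SAMPLE, simulate(SAMPLE)):
        print(f"{t/1000:5.1f}s {ip}: {'ACCEPT' if ok else 'DROP'}")
```

The burst admits the first two packets, the third is dropped, and from then on exactly one packet per 12 seconds gets through; a second source IP is counted in its own bucket unless srcmask groups the two addresses into the same network.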