linux - How to limit packets per client with iptables or tc

Published: 2020-12-13 17:03:11  Category: Linux  Source: compiled from the web
I have some problematic network clients that send data too fast.

I want to slow them down, using iptables or possibly tc.

I have seen iptables solutions such as:

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT

But I believe the limit applies to everything that matches the rule, not per client address.

Is there a way to make this rule limit packets per client address?

Solution

You can solve this in a simple way with the iptables recent module, which tracks source addresses:
iptables -m recent -h
recent match options:
[!] --set                       Add source address to list,always matches.
[!] --rcheck                    Match if source address in list.
[!] --update                    Match if source address in list,also update last-seen time.
[!] --remove                    Match if source address in list,also removes that address from list.
    --seconds seconds           For check and update commands above.
                                Specifies that the match will only occur if source address last seen within
                                the last 'seconds' seconds.
    --reap                      Purge entries older then 'seconds'.
                                Can only be used in conjunction with the seconds option.
    --hitcount hits             For check and update commands above.
                                Specifies that the match will only occur if source address seen hits times.
                                May be used in conjunction with the seconds option.
    --rttl                      For check and update commands above.
                                Specifies that the match will only occur if the source address and the TTL
                                match between this packet and the one which was set.
                                Useful if you have problems with people spoofing their source address in order
                                to DoS you via this module.
    --name name                 Name of the recent list to be used.  DEFAULT used if none given.
    --rsource                   Match/Save the source address of each packet in the recent list table (default).
    --rdest                     Match/Save the destination address of each packet in the recent list table.
    --mask netmask              Netmask that will be applied to this recent list.

Example of blocking ssh brute force:

iptables -A INPUT -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --set
iptables -A INPUT -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds  30 --hitcount 2 -j DROP
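An added example, not part of the original answer, modelling how these two rules behave per source address: rule 1 (--set) records every SYN, and rule 2 (--rcheck --seconds 30 --hitcount 2) drops the packet once that one address has been seen twice within 30 seconds, while other addresses are unaffected. The source addresses and timestamps are constructed sample data.

```python
from collections import defaultdict


class RecentList:
    """Simplified model of one iptables 'recent' table (one per --name)."""

    def __init__(self, name="DEFAULT"):
        self.name = name
        self.stamps = defaultdict(list)  # source address -> timestamps seen
        # The kernel keeps only ip_pkt_list_tot (default 20) stamps per
        # address; that cap is not modelled here.

    def set(self, src, now):
        # --set: add the address or update an existing entry; always matches
        self.stamps[src].append(now)
        return True

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount N: match only if the address is in
        # the table and was seen at least N times within the last S seconds
        if src not in self.stamps:
            return False
        hits = [t for t in self.stamps[src] if now - t <= seconds]
        return len(hits) >= hitcount


def ssh_chain(src, now, table, seconds=30, hitcount=2):
    """Verdict for one SYN from `src` under the two-rule chain above."""
    table.set(src, now)  # rule 1: record the hit (no -j, so the packet continues)
    if table.rcheck(src, now, seconds, hitcount):
        return "DROP"  # rule 2: too many recent hits from this address
    return "ACCEPT"  # fall through to the chain policy (assumed ACCEPT)


def run(packets, seconds=30, hitcount=2):
    """Return (time, source, verdict) for each constructed (time, source) SYN."""
    table = RecentList("ssh")
    return [(t, src, ssh_chain(src, t, table, seconds, hitcount)) for t, src in packets]


# Constructed sample: a noisy client (198.51.100.7) and a quiet one (203.0.113.9).
# Note that dropped SYNs are still recorded by rule 1, so a client that keeps
# retrying stays blocked until it has been quiet for the full 30-second window.
SAMPLE = [(0, "198.51.100.7"), (5, "198.51.100.7"), (6, "203.0.113.9"),
          (20, "198.51.100.7"), (80, "198.51.100.7"), (85, "203.0.113.9")]

if __name__ == "__main__":
    for t, src, verdict in run(SAMPLE):
        print(f"t={t:3d}s {src:14} {verdict}")
```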
