On Thu, Jan 06, 2011 at 01:58:13PM +0100, frostschutz wrote: > Can you post an (excerpt) of the rules you're using?
Noticed this was posted earlier.

Note: This is _untested_, it's been a while since I used iptables.

# Limiter chain: whatever lands here shares one 20/s budget, the rest is dropped
$IPTABLES -N QUERYLIMIT
$IPTABLES -A QUERYLIMIT -m limit --limit 20/s -j ACCEPT
$IPTABLES -A QUERYLIMIT -j DROP

# Classifier chain: one string match per query type (ffffffff + 54/55/56/57)
$IPTABLES -N QUERY
$IPTABLES -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff54|' -j QUERYLIMIT
$IPTABLES -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff55|' -j QUERYLIMIT
$IPTABLES -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff56|' -j QUERYLIMIT
$IPTABLES -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff57|' -j QUERYLIMIT

# Only the affected UDP port range is sent through the classifier
$IPTABLES -A INPUT -p udp --dport 20000:30000 -j QUERY

Something like this should be sufficient to match and limit an entire port range. Packets outside the port range traverse 1 rule; packets inside the port range traverse 5 rules; packets that actually match traverse 3-6 rules and fall under a global 20 per second limit. (maybe limit per client if it's DoS but not DDoS)

Depending on which of 54, 55, 56, 57 is the most frequent occurrence, they could be reordered too. If there are lots of packets that don't start with ffffffff, that could be matched first to further reduce the number of rules that packets that won't match have to traverse.

However you really should use port ranges that have affected traffic exclusively, no point in forcing other stuff through all that.

Just throwing ideas around

frostschutz