* Henrik Nordstrom <[EMAIL PROTECTED]>:

> > So I thought iptables --limit could do the trick.
> > Before I reinvent the wheel, I'd like to ask if someone already has
> > such a "connection rate limiter per IP" in place (and how it
> > looks).
>
> iptables -m limit should handle such a case nicely, but you will need
> one rule per client IP address... Something like the following should
> work I think:
>
> -N SYN
> -A SYN -s ip.of.first.client -m limit --limit ... -j ACCEPT
> -A SYN -s ip.of.second.client -m limit --limit ... -j ACCEPT
> ....
> -A SYN -m limit ... -j LOG --log-prefix "SYNRATE "
> -A SYN -j DROP
> -A INPUT -p tcp --syn -j SYN
Yes, but this requires identifying the evil client.

-- 
Ralf Hildebrandt (on behalf of Referat V a)   [EMAIL PROTECTED]
Charite Campus Mitte                          Tel. +49 (0)30-450 570-155
Referat V a - Communication Networks          Fax. +49 (0)30-450 570-916
AIM: ralfpostfix
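An added example, not part of the thread: a POSIX sh script that emits Henrik's per-client SYN chain from a file of client addresses, and, as an alternative the thread does not mention, the same chain built with the hashlimit match, which keeps one counter per source address so no client list is needed. The file name, rates and burst values are assumptions; the script only prints iptables commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Prints iptables commands;
# apply with "... | sh" (or convert to iptables-restore format) after review.
# Assumes xt_limit and, for the variant, xt_hashlimit are available.

# Henrik's approach: one rate-limited ACCEPT per listed client, then log+drop.
# SYNs above the client's rate, and SYNs from any unlisted source, fall through
# to the LOG/DROP rules, which is why the "evil" client must be known.
# $1 = file with one client IP per line ('#' comments and blank lines skipped)
# $2 = per-client rate (default 10/second), $3 = burst (default 20)
gen_per_client_syn_chain() {
    clients="$1"; rate="${2:-10/second}"; burst="${3:-20}"
    echo "iptables -N SYN"
    while read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac
        echo "iptables -A SYN -s $ip -m limit --limit $rate --limit-burst $burst -j ACCEPT"
    done < "$clients"
    # Rate-limit the log line itself so the logger is not the next victim.
    echo "iptables -A SYN -m limit --limit 5/minute -j LOG --log-prefix \"SYNRATE \""
    echo "iptables -A SYN -j DROP"
    echo "iptables -A INPUT -p tcp --syn -j SYN"
}

# Variant: hashlimit with --hashlimit-mode srcip tracks each source address in
# its own bucket, so a single rule limits every client without listing them.
# $1 = per-source rate (default 10/second), $2 = burst (default 20)
gen_hashlimit_syn_chain() {
    rate="${1:-10/second}"; burst="${2:-20}"
    echo "iptables -N SYN"
    echo "iptables -A SYN -m hashlimit --hashlimit-name synrate --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j ACCEPT"
    echo "iptables -A SYN -m limit --limit 5/minute -j LOG --log-prefix \"SYNRATE \""
    echo "iptables -A SYN -j DROP"
    echo "iptables -A INPUT -p tcp --syn -j SYN"
}

# Usage: gen_per_client_syn_chain clients.txt 10/second 20
#        gen_hashlimit_syn_chain 10/second 20
```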
