使用IPTable限制每个源IP的ICMP

9

我错误地认为限制模块是每个源IP,但它似乎是基于所有请求的:

  577 36987 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 3/sec burst 5 
   46  3478 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 LOG flags 0 level 4 prefix `INET-PING-DROP:' 
   46  3478 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    ...
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 3/sec burst 5 
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 LOG flags 0 level 4 prefix `WEB-PING-DROP:' 
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8

如何根据源IP地址对iptables / netfilter限制icmp?

linux  networking  iptables  router 
凯尔·勃兰特(Kyle Brandt)
source

Answers:

5

如果您仍想知道一个提示:

iptables -I INPUT -p icmp -m hashlimit --hashlimit-name icmp --hashlimit-mode srcip --hashlimit 3/second --hashlimit-burst 5 -j ACCEPT

假设INPUT中的最后一条规则为drop或默认策略为DROP。每个ip每秒限制为3 ping(突发5)。并非所有传入IP的总和都是-m limit。

尼可利
source
现在,这种接受真的是“元”!
Lightness Races in Orbit
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.