Using iptables + tc for ISP-grade per-IP rate limiting and session limiting

Script 1:
Limiting the number of sessions
#!/bin/sh
INET=192.168.0.
IPS=1
IPE=253
IDEV=eth1
ODEV=eth0
COUNTER=$IPS
while [ $COUNTER -le $IPE ]   # -le so that the last address ($IPE) is covered as well
do
# The original used the old iplimit match (-m iplimit --iplimit-above 2); on current
# kernels and iptables releases the same match is called connlimit.
iptables -A FORWARD -i $IDEV -s $INET$COUNTER -m connlimit --connlimit-above 2 -j REJECT
COUNTER=$((COUNTER + 1))
done
Limits every IP in 192.168.0.0/24 that traverses this host's FORWARD chain to at most 2 concurrent connections; connections beyond that are rejected.


Script 2:
Limiting bandwidth per IP
#!/bin/bash
# Remove any queueing disciplines already present on both NICs
tc qdisc del dev eth0 root    2>/dev/null
tc qdisc del dev eth0 ingress 2>/dev/null
tc qdisc del dev eth1 root    2>/dev/null
tc qdisc del dev eth1 ingress 2>/dev/null
DOWNLOAD=128Kbit
UPLOAD=128Kbit
INET=192.168.0.
IPS=1
IPE=253
IDEV=eth1   # in this script eth1 faces the LAN (downloads leave through it)
ODEV=eth0   # and eth0 faces the WAN (uploads leave through it)
# Root CBQ qdiscs; cbq's "bandwidth" is the physical link rate of the NIC
tc qdisc add dev eth1 root handle 10: cbq bandwidth 100Mbit avpkt 1000
tc qdisc add dev eth0 root handle 20: cbq bandwidth 100Mbit avpkt 1000
tc class add dev eth1 parent 10:0 classid 10:1 cbq bandwidth 100Mbit rate 100Mbit allot 1514 weight 1Mbit prio 8 maxburst 20 avpkt 1000
tc class add dev eth0 parent 20:0 classid 20:1 cbq bandwidth 100Mbit rate 100Mbit allot 1514 weight 1024Kbit prio 8 maxburst 20 avpkt 1000
# Download direction: one bounded class per IP, selected by destination address (u32)
COUNTER=$IPS
while [ $COUNTER -le $IPE ]
do
tc class add dev $IDEV parent 10:1 classid 10:1$COUNTER cbq bandwidth 100Mbit rate $DOWNLOAD allot 1514 weight 20Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add dev $IDEV parent 10:1$COUNTER sfq quantum 1514b perturb 15
tc filter add dev $IDEV parent 10:0 protocol ip prio 100 u32 match ip dst $INET$COUNTER flowid 10:1$COUNTER
COUNTER=$((COUNTER + 1))
done
# Upload direction: one bounded class per IP, selected by the fw mark set below
# (cbq bandwidth must be the link rate, 100Mbit, as for the root; the original said 1Mbit here)
COUNTER=$IPS
while [ $COUNTER -le $IPE ]
do
tc class add dev $ODEV parent 20:1 classid 20:1$COUNTER cbq bandwidth 100Mbit rate $UPLOAD allot 1514 weight 4Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add dev $ODEV parent 20:1$COUNTER sfq quantum 1514b perturb 15
tc filter add dev $ODEV parent 20:0 protocol ip prio 100 handle $COUNTER fw classid 20:1$COUNTER
COUNTER=$((COUNTER + 1))
done
# Mark each LAN source address with its host number so the fw filter above finds its class
COUNTER=$IPS
while [ $COUNTER -le $IPE ]   # -le: the original used -lt here and left the last address unmarked
do
iptables -t mangle -A PREROUTING -i $IDEV -s $INET$COUNTER -j MARK --set-mark $COUNTER
COUNTER=$((COUNTER + 1))
done
---------------------------------------
The overall idea is simple: mark the packets of each IP, then steer them into that IP's own tc rate-limiting class.
#!/bin/sh
# xiaoh www.linuxbyte.org

# Define the inbound/outbound devices (eth0 = LAN, eth1 = WAN)
IDEV="eth0"
ODEV="eth1"

# Define the total upload/download bandwidth
UP="50mbit"
DOWN="50mbit"

# Define the per-IP upload/download bandwidth
# rate: guaranteed (starting) bandwidth
UPLOAD="4mbit"
DOWNLOAD="5mbit"
# ceil: maximum bandwidth
MUPLOAD="5mbit"
MDOWNLOAD="10mbit"

# LAN IP range
INET="192.168.0."

# Range of limited IPs: IPS = first host, IPE = last host
IPS="1"
IPE="114"

# Remove the NICs' existing queueing disciplines
tc qdisc del dev $ODEV root 2>/dev/null
tc qdisc del dev $IDEV root 2>/dev/null

# Define the top-level (root) qdisc and its default class id
# (class 10:256 is never created, so traffic without a matching mark goes out unshaped)
tc qdisc add dev $ODEV root handle 10: htb default 256
tc qdisc add dev $IDEV root handle 10: htb default 256

# Define the first-level class 10:1 (total upload / download bandwidth)
tc class add dev $ODEV parent 10: classid 10:1 htb rate $UP ceil $UP
tc class add dev $IDEV parent 10: classid 10:1 htb rate $DOWN ceil $DOWN

# Start iptables marking and set the per-IP rules
i=$IPS
while [ $i -le $IPE ]
do
# upload: per-IP class on the WAN side, selected by fw mark 2$i
tc class add dev $ODEV parent 10:1 classid 10:2$i htb rate $UPLOAD ceil $MUPLOAD prio 1
# leaf qdisc handle: the original used "100$i:", which exceeds tc's 16-bit major
# number as soon as $i has two digits; "2$i:" stays unique and within range
tc qdisc add dev $ODEV parent 10:2$i handle 2$i: pfifo
tc filter add dev $ODEV parent 10: protocol ip prio 100 handle 2$i fw classid 10:2$i
# download: per-IP class on the LAN side, selected by the same mark
tc class add dev $IDEV parent 10:1 classid 10:2$i htb rate $DOWNLOAD ceil $MDOWNLOAD prio 1
tc qdisc add dev $IDEV parent 10:2$i handle 2$i: pfifo
tc filter add dev $IDEV parent 10: protocol ip prio 100 handle 2$i fw classid 10:2$i
# mark by source (upload) in PREROUTING and by destination (download) in POSTROUTING
iptables -t mangle -A PREROUTING -s $INET$i -j MARK --set-mark 2$i
iptables -t mangle -A PREROUTING -s $INET$i -j RETURN
iptables -t mangle -A POSTROUTING -d $INET$i -j MARK --set-mark 2$i
iptables -t mangle -A POSTROUTING -d $INET$i -j RETURN
i=`expr $i + 1`
done
-----------------
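All three scripts above build tc class ids, qdisc handles and iptables marks by gluing the host number onto a string, which only works while the result happens to parse the same way in tc (hexadecimal) and iptables (decimal) and fits their width limits. The following dry-run generator is an added example written for this page, not code from the original post or from xiaoh's script: it derives every per-IP id from the host number with an explicit base, prints the htb class, leaf qdisc and fw-mark rules of the script above together with the connection cap of script 1 instead of executing them, covers both directions for any host in 1..254, and refuses anything else before it is interpolated into a command. The function names and the interface roles (eth0 LAN, eth1 WAN) are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this page (not from the original post): a dry-run generator
# for the per-IP rule set described above. It prints the commands instead of
# running them, so the result can be reviewed or diffed before it touches a gateway.
# Function names and the interface roles below are assumptions of this example.

LAN_DEV="eth0"        # assumed LAN-facing NIC: shapes downloads on its egress
WAN_DEV="eth1"        # assumed WAN-facing NIC: shapes uploads on its egress
NET="192.168.0."      # the /24 used by the scripts above
RATE="4mbit"          # htb rate (guaranteed) per IP
CEIL="5mbit"          # htb ceil (maximum) per IP
MAXCONN=2             # per-IP concurrent connection cap, as in script 1

# tc reads class ids and qdisc handles as hexadecimal, iptables reads marks as
# decimal. Deriving each id from the host number with an explicit base keeps
# them unique over the whole 1..254 range and keeps mark and filter handle equal.
mark_for_host()    { echo "$1"; }                          # decimal fw mark
classid_for_host() { printf '10:%x\n' "$((256 + $1))"; }    # 10:101 .. 10:1fe
handle_for_host()  { printf '%x:\n' "$((256 + $1))"; }      # leaf qdisc handle 101: .. 1fe:

# Accept only a decimal host number in 1..254; everything else is refused
# before it can be interpolated into a command line.
valid_host() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 254 ]
}

# Emit the shaping rules for one host on one device: class, leaf qdisc, fw filter.
gen_shaping() { # $1 = device, $2 = host number
    cid=$(classid_for_host "$2"); h=$(handle_for_host "$2"); m=$(mark_for_host "$2")
    echo "tc class add dev $1 parent 10:1 classid $cid htb rate $RATE ceil $CEIL prio 1"
    echo "tc qdisc add dev $1 parent $cid handle $h sfq perturb 10"
    echo "tc filter add dev $1 parent 10: protocol ip prio 100 handle $m fw classid $cid"
}

# Emit everything one host needs: marks, shaping in both directions, connection cap.
gen_host_rules() { # $1 = host number (last octet)
    valid_host "$1" || { echo "gen_host_rules: bad host number '$1'" >&2; return 1; }
    ip="$NET$1"; m=$(mark_for_host "$1")
    # upload: mark by source in PREROUTING, shaped on WAN egress
    echo "iptables -t mangle -A PREROUTING -s $ip -j MARK --set-mark $m"
    # download: mark by destination in POSTROUTING, shaped on LAN egress
    echo "iptables -t mangle -A POSTROUTING -d $ip -j MARK --set-mark $m"
    gen_shaping "$WAN_DEV" "$1"
    gen_shaping "$LAN_DEV" "$1"
    # connection cap; connlimit is the current name of the iplimit match in script 1
    echo "iptables -A FORWARD -i $LAN_DEV -s $ip -p tcp --syn -m connlimit --connlimit-above $MAXCONN -j REJECT"
}

# Number of commands a whole /24 (hosts 1..254) produces: 9 per host.
rule_count() {
    n=0; i=1
    while [ "$i" -le 254 ]; do
        n=$((n + $(gen_host_rules "$i" | wc -l)))
        i=$((i + 1))
    done
    echo "$n"
}

# Usage: sh gen_rules.sh 5   -> prints the rule set for 192.168.0.5
if [ -n "$1" ]; then gen_host_rules "$1"; fi
```

Piping the output into `sh` applies it; keeping generation and execution separate is what makes the rule set reviewable, and the class-id helpers make the hex/decimal split visible instead of relying on it by accident.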

In the earlier article "Iptables+tc per-IP rate limiting script for Internet cafés" there is a point that needs a supplement: if squid is used as a transparent proxy at the same time, that script stops working.
Transparent proxying relies on an iptables rule like the following (the REDIRECT target lives in the nat table, so the rule needs -t nat, which the original omitted):

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

This rule redirects every LAN request to port 80 to the gateway itself, so the source of every ordinary outbound HTTP request becomes the gateway (192.168.0.254); the gateway is not rate-limited, and consequently no HTTP download is rate-limited any more.

So, to still limit HTTP downloads, we use squid's own rate-limiting feature (delay pools); the configuration is as follows:

acl LIMIT_IP src 192.168.0.0/25
delay_pools 1
delay_class 1 2
delay_access 1 allow LIMIT_IP
delay_parameters 1 -1/-1 500000/500000

squid's rate limiting is not very precise: with a limit of 500000 bytes/sec the actual rate fluctuates between 4xx KB/s and 8xx KB/s -__-!





2. iptables script 2

Code example:

#!/bin/sh
#---------
#
# File: SIG-antiDDoS.sh
#
# Configuration.
#---------
  
# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"
  
# Logging options.
#---------
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting
#---------
RLIMIT="-m limit --limit 3/s --limit-burst 8"

# Unprivileged ports.
#---------
PHIGH="1024:65535"
PSSH="1000:1023"
  
# Load required kernel modules
#---------
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc
  
# Mitigate ARP spoofing/poisoning and similar attacks.
#---------
# Hardcode static ARP cache entries here
# $ARP -s IP-ADDRESS MAC-ADDRESS
  
# Kernel configuration.
#---------
  
# Disable IP forwarding.
# On => Off = (reset)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward
  
# Enable IP spoofing protection
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
  
# Protect against SYN flood attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  
# Answer ICMP echo requests at the kernel level (0 = do not ignore them);
# ping is rate-limited by the iptables rules further down instead.
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  
# Ignore ICMP echo requests to broadcast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  
# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
  
# Don't log invalid responses to broadcast
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  
# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
  
# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
  
# Disable multicast routing
for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
  
# Disable proxy_arp.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
  
# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# Helps against MITM attacks.
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
  
# Disable bootp_relay
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
  
# Default policies.
#---------
  
# Drop everything by default.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
  
# Set the nat/mangle/raw tables' chains to ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
  
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
  
# Cleanup.
#---------
  
# Delete all
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
  
# Delete all
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
  
# Zero all packets and counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
  
# Completely disable IPv6.
#---------
  
# Block all IPv6 traffic
# If the ip6tables command is available, try to block all IPv6 traffic.
if test -x $IP6TABLES; then
# Set the default policies
# drop everything
$IP6TABLES -P INPUT DROP 2>/dev/null
$IP6TABLES -P FORWARD DROP 2>/dev/null
$IP6TABLES -P OUTPUT DROP 2>/dev/null
  
# The mangle table can pass everything
$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
  
# Delete all rules.
$IP6TABLES -F 2>/dev/null
$IP6TABLES -t mangle -F 2>/dev/null
  
# Delete all chains.
$IP6TABLES -X 2>/dev/null
$IP6TABLES -t mangle -X 2>/dev/null
  
# Zero all packets and counters.
$IP6TABLES -Z 2>/dev/null
$IP6TABLES -t mangle -Z 2>/dev/null
fi
  
# Custom user-defined chains.
#---------
  
# LOG packets, then ACCEPT.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT
  
# LOG packets, then DROP.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP
  
# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT
  
# Only allows RELATED ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPTABLES -N RELATED_ICMP
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG
  
# Make It Even Harder To Multi-PING
# Note: these three INPUT rules match every incoming ICMP packet, so the more
# selective ICMP section further down (fragments, RELATED types, rate-limited
# echo-request) is only ever reached for OUTPUT and FORWARD. Remove this block
# if that section is meant to govern INPUT as well.
$IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
$IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
$IPTABLES  -A INPUT -p icmp -j DROP
$IPTABLES  -A OUTPUT -p icmp -j ACCEPT
  
# Only allow the minimally required/recommended parts of ICMP. Block the rest.
#---------
  
# TODO: This section needs a lot of testing!
  
# First, drop all fragmented ICMP packets (almost always malicious).
$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG
  
# Allow all ESTABLISHED ICMP traffic.
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
  
# Allow some parts of the RELATED ICMP traffic, block the rest.
$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
  
# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
  
# Allow outgoing ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
  
# Drop any other ICMP traffic.
$IPTABLES -A INPUT -p icmp -j DROPLOG
$IPTABLES -A OUTPUT -p icmp -j DROPLOG
$IPTABLES -A FORWARD -p icmp -j DROPLOG
  
# Selectively allow certain special types of traffic.
#---------
  
# Allow loopback interface to do anything.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
  
# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  
# Allow outgoing connections EXCEPT invalid
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  
# Miscellaneous.
#---------
  
# We don't care about Milkosoft, Drop SMB/CIFS/etc..
$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
  
# Explicitly drop invalid incoming traffic
$IPTABLES -A INPUT -m state --state INVALID -j DROP
  
# Drop invalid outgoing traffic, too.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  
# If we would use NAT, INVALID packets would pass - BLOCK them anyways
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
  
# PORT Scanners (stealth also)
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
  
# TODO: Some more anti-spoofing rules? For example:
# $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -N SYN_FLOOD
$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
$IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPTABLES -A SYN_FLOOD -j DROP
  
# TODO: Block known-bad IPs
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG
  
# Drop any traffic from IANA-reserved IPs.
# Note: this bogon list is as old as the script; several of these blocks (for
# example 5/8, 23/8, 50/8, 173/8 and 174/7) have since been allocated and carry
# ordinary traffic, so refresh the list from a current bogon source before use.
#---------
  
$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
$IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
$IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
$IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP
  
# Selectively allow certain outbound connections, block the rest.
#---------
  
# Allow outgoing DNS requests. Few things will work without this.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
  
# Allow outgoing HTTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
  
# Allow outgoing HTTPS requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
  
# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT
  
# Allow outgoing "submission" (RFC 2476) requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT
  
# Allow outgoing POP3S requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
  
# Allow outgoing SSH requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
  
# Allow outgoing FTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
  
# Allow outgoing NNTP requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
  
# Allow outgoing NTP requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
  
# Allow outgoing IRC requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_irc kernel module.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
  
# Allow outgoing requests to various proxies. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT
  
# Allow outgoing DHCP requests. Unencrypted, use with care.
# TODO: This is completely untested, I have no idea whether it works!
# TODO: I think this can be tightened a bit more.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --sport 67:68 --dport 67:68 -j ACCEPT
  
# Allow outgoing CVS requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT
  
# Allow outgoing MySQL requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT
  
# Allow outgoing SVN requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT
  
# Allow outgoing PLESK requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT
  
# Allow outgoing Tor requests.
# Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT
  
# Allow outgoing OpenVPN requests.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
  
# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
  
# Selectively allow certain inbound connections, block the rest.
#---------
  
# Allow incoming DNS requests.
$IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
  
# Allow incoming HTTP requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
  
# Allow incoming HTTPS requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
  
# Allow incoming POP3 requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
  
# Allow incoming IMAP4 requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
  
# Allow incoming POP3S requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
  
# Allow incoming SMTP requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
  
# Allow incoming SSH requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
  
# Allow incoming FTP requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
  
# Allow incoming NNTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
  
# Allow incoming MySQL requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT
  
# Allow incoming PLESK requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 8843 -j ACCEPT
  
# Allow incoming BitTorrent requests.
# TODO: Are these already handled by ACCEPTing established/related traffic?
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT
  
# Allow incoming nc requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT
  
# Explicitly log and reject everything else.
#---------
# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPTABLES -A INPUT -j REJECTLOG
$IPTABLES -A OUTPUT -j REJECTLOG
$IPTABLES -A FORWARD -j REJECTLOG
  
#---------
# Testing the firewall.
#---------
  
# You should check/test that the firewall really works, using
# iptables -vnL, nmap, ping, telnet, ...
  
# Exit gracefully.
#---------
exit 0
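The DROPLOG / REJECTLOG chains and the PING-DROP rule in the script above only pay off if somebody reads what they log. The following is an added example, not part of the original post or of SIG-antiDDoS.sh: a small POSIX shell/awk reader that takes kernel log lines in the iptables LOG format from stdin, counts them per log prefix and source address, and lists the destination ports on which a given source was refused (several distinct ports from one source in a short window is the pattern the script's anti-scan rules are aimed at). The log lines embedded below are constructed for the example, with abbreviated fields and RFC 5737 documentation addresses; the function names are this example's own.

```shell
#!/bin/sh
# Added example for this page (not part of the original post or of SIG-antiDDoS.sh):
# summarise the kernel log lines produced by the script's DROPLOG / REJECTLOG
# chains and its PING-DROP rule. Function names are this example's own; the
# sample lines below are constructed in the iptables LOG format (fields
# abbreviated) with RFC 5737 documentation addresses.

SAMPLE_LOG='Mar  3 10:01:12 gw kernel: REJECT IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Mar  3 10:01:13 gw kernel: REJECT IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40002 DPT=3389 SYN URGP=0
Mar  3 10:01:14 gw kernel: REJECT IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40003 DPT=445 SYN URGP=0
Mar  3 10:01:20 gw kernel: DROP IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=6000 DPT=22 SYN URGP=0
Mar  3 10:02:01 gw kernel: PING-DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:02:05 gw kernel: REJECT IN=eth1 OUT= SRC=198.51.100.44 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51000 DPT=25 SYN URGP=0
Mar  3 10:02:09 gw kernel: ACCEPT IN=eth1 OUT= SRC=198.51.100.44 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0'

# Read log lines on stdin; print "verdict source count", busiest first.
# The verdict is the --log-prefix text between "kernel: " and "IN=": the
# script's prefixes are "DROP ", "REJECT ", "ACCEPT " and "PING-DROP:" (the
# last one has no trailing space, which is why the colon is stripped here).
count_by_src() {
    awk '
    match($0, /kernel: [^=]*IN=/) {
        pfx = substr($0, RSTART + 8, RLENGTH - 11)   # drop "kernel: " and "IN="
        sub(/[ :]+$/, "", pfx)
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        if (src != "") n[pfx " " src]++
    }
    END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1 -k2,2
}

# Distinct destination ports one source was DROPped or REJECTed on, ascending,
# space-separated. Several distinct ports from one source in a short window is
# the pattern the script's "PORT Scanners" rules are aimed at.
refused_ports() { # $1 = source address; log lines on stdin
    awk -v want="$1" '
    /kernel: (DROP|REJECT) / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == want && dpt != "") seen[dpt] = 1
    }
    END { for (p in seen) print p }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Usage on a live gateway:  grep 'kernel:' /var/log/kern.log | count_by_src
printf '%s\n' "$SAMPLE_LOG" | count_by_src
printf 'ports refused to 203.0.113.7: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | refused_ports 203.0.113.7)"
```

Both functions read stdin, so they can be fed from a log file, from `journalctl -k`, or from a tail in a cron job; the per-source counts are what the `$RLIMIT` logging limiter in the script keeps bounded.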


### Answer 1:

To limit TCP connections per IP and per port, you can use the Linux iptables tool. First, make sure iptables is installed. Then run the following command:

```
iptables -A INPUT -p tcp --syn --dport <port> -m connlimit --connlimit-above 20 -j REJECT
```

where <port> is the port whose connections you want to limit. For example, to limit connections to port 80, the command is:

```
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT
```

This command rejects new connection requests once an IP has more than 20 connections to port 80. Note: this command only takes effect in memory; to make it permanent, save it to the configuration file, for example:

```
service iptables save
```

or

```
/sbin/iptables-save > /etc/sysconfig/iptables
```

After saving, restart the iptables service and the rule takes effect permanently.

### Answer 2:

To have Linux iptables limit each IP to at most 20 simultaneous TCP connections per port, you can use the iptables connection-limiting module connlimit.

First, load the connlimit module by entering the following command in a terminal:

```shell
sudo modprobe ipt_connlimit
```

Then use the following rule to limit each IP to at most 20 simultaneous TCP connections per port. Suppose we want to limit an IP's connections to port 80:

```shell
sudo iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j REJECT
```

This rule means that when an IP requests a connection to port 80 and more than 20 connections are already established, the connection request is rejected.

To limit other ports, just change the port number in the rule above to the relevant port.

To make sure the rules are loaded automatically at system start, add the rule above to the firewall rules configuration file (usually /etc/iptables/rules.v4 or /etc/sysconfig/iptables). After adding the rule, apply it with the following command:

```shell
sudo iptables-restore < /path/to/iptables-rules-file
```

This limits each IP's TCP connections to the given port to at most 20.

For further protection of the system and network, it is recommended to combine this with other security measures, such as using fail2ban against malicious attacks or adding further firewall rules for hardening.

### Answer 3:

To limit each IP to at most 20 simultaneous TCP connections per port, you can use the iptables tool in Linux; the steps are as follows:

1. First, open a terminal and run the following command with administrator privileges to make sure iptables is installed and available:

sudo apt-get install iptables

2. Create a new iptables chain for limiting TCP connections with the following command:

sudo iptables -N CONNECTION_LIMIT

3. Add a rule to the new chain that limits each IP to at most 20 TCP connections per port:

sudo iptables -A CONNECTION_LIMIT -p tcp --syn --dport [port] -m connlimit --connlimit-above 20 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

Note: replace [port] with the actual port number whose connections you want to limit.

4. Hook the new chain into the INPUT chain so that traffic is processed by it:

sudo iptables -I INPUT -p tcp --syn --dport [port] -j CONNECTION_LIMIT

5. Save the iptables rules so that they survive a reboot:

sudo iptables-save | sudo tee /etc/iptables/rules.v4

This limits each IP to at most 20 TCP connections per port. Keep in mind that these rules only take effect while the firewall is active. If you want them to be permanent, add the commands above to a system startup script.

Note: this method limits the number of concurrent connections, but it cannot stop an attacker from establishing connections from several IP addresses at once. For stricter limits, an additional firewall solution may be needed.
