For iptables, I have the following rules in ufw:
-A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set
-A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 120 -j ufw-user-limit
-A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept
-A ufw-user-input -p udp --dport 80 -m state --state NEW -m recent --set
-A ufw-user-input -p udp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 120 -j ufw-user-limit
-A ufw-user-input -p udp --dport 80 -j ufw-user-limit-accept
If there are 120 connections within 60 seconds, connections from that IP are rejected.
By default this seems to block further connections for 60 seconds. Can I define the duration of the block? For example, I would like the block above to last 10 minutes.
Answer 1
The relevant part of the rule is "--update --seconds 60 --hitcount 120"; here is what you need to know:
--seconds seconds
This option must be used in conjunction with one of --rcheck or --update. When used,
this will narrow the match to only happen when the address is in the list and was
seen within the last given number of seconds.
--hitcount hits
This option must be used in conjunction with one of --rcheck or --update. When used,
this will narrow the match to only happen when the address is in the list and
packets had been received greater than or equal to the given value. This option may
be used along with --seconds to create an even narrower match requiring a certain
number of hits within a specific time frame. The maximum value for the hitcount
parameter is given by the "ip_pkt_list_tot" parameter of the xt_recent kernel
module. Exceeding this value on the command line will cause the rule to be rejected.
Answer 2
I have been struggling with this.
I thought I had it solved, like this (you can swap FORWARD for INPUT):
iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --set
iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount=10 -j REJECT --reject-with icmp-port-unreachable
The above works, limiting to 10 within 60 seconds. I thought it worked because I stopped sending during the "block" period. However, if you keep sending during the block period, it stays blocked forever.
When I reversed the order (so that the --set statement comes after the hitcount one), it works as expected: after the "block period" ends, new packets are allowed in (until they reach the hitcount).
iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount=10 -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --set
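To make the --seconds/--hitcount semantics from Answer 1 and the rule-order effect from Answer 2 observable without a kernel, here is a small simulation of the xt_recent match. It is an added example, not code from the question or either answer and not iptables itself: it models the module's per-address ring of hit timestamps (ip_pkt_list_tot entries, default 20) and the --set, --rcheck and --update behaviour described in the quoted manual page. The client address 198.51.100.7, the packet timings and the rule dictionaries are constructed for the example; the rule sets mirror the question's ufw rules and both orderings from Answer 2, plus the same ordering with --update in place of --rcheck.

```python
"""Simulation of the xt_recent match behind the rules above.

Added example, not part of the original question or answers: it models the
kernel module's per-address ring buffer of hit timestamps and the --set,
--rcheck and --update semantics quoted from the manual page, so the effect
of --seconds/--hitcount and of rule order can be observed offline.
"""

IP_PKT_LIST_TOT = 20  # kernel default: timestamps kept per address
SOURCE = "198.51.100.7"  # constructed client address (documentation range)


class RecentList:
    """One named xt_recent list: address -> ring of hit timestamps."""

    def __init__(self, size=IP_PKT_LIST_TOT):
        self.size = size
        self.stamps = {}

    def set(self, addr, now):
        """--set (and --update on match): record a hit, overwriting the oldest."""
        ring = self.stamps.setdefault(addr, [])
        ring.append(now)
        if len(ring) > self.size:
            del ring[0]

    def hits_within(self, addr, now, seconds):
        """Number of stamps not older than --seconds."""
        return sum(1 for t in self.stamps.get(addr, ()) if now - t <= seconds)

    def check(self, addr, now, seconds, hitcount, update):
        """--rcheck (update=False) or --update (update=True), narrowed by
        --seconds and --hitcount; an address not in the list never matches."""
        if addr not in self.stamps:
            return False
        matched = self.hits_within(addr, now, seconds) >= hitcount
        if matched and update:
            self.set(addr, now)  # --update refreshes the entry when it matches
        return matched


def run_chain(rules, rlist, addr, now):
    """Walk one NEW packet through the rules and return its verdict.

    A rule is {"match": "set"} (no -j, so the packet falls through) or
    {"match": "rcheck"|"update", "seconds", "hitcount", "target"}.
    """
    for rule in rules:
        if rule["match"] == "set":
            rlist.set(addr, now)
        elif rlist.check(addr, now, rule["seconds"], rule["hitcount"],
                         update=(rule["match"] == "update")):
            return rule["target"]
    return "ACCEPT"  # fell through to the trailing accept rule


def simulate(rules, send_times, size=IP_PKT_LIST_TOT):
    """Verdict for each NEW packet from SOURCE sent at the given times (s)."""
    rlist = RecentList(size)
    return [run_chain(rules, rlist, SOURCE, t) for t in send_times]


def accepted_times(rules, send_times, size=IP_PKT_LIST_TOT):
    """Send times whose packet reached the accept verdict."""
    verdicts = simulate(rules, send_times, size)
    return [t for t, v in zip(send_times, verdicts) if v == "ACCEPT"]


def limit_rule(match, seconds, hitcount, target):
    return {"match": match, "seconds": seconds,
            "hitcount": hitcount, "target": target}


SET = {"match": "set"}
# Answer 2: both orderings of --set and --rcheck, 10 hits in 60 s.
SET_THEN_RCHECK = [SET, limit_rule("rcheck", 60, 10, "REJECT")]
RCHECK_THEN_SET = [limit_rule("rcheck", 60, 10, "REJECT"), SET]
# Same ordering as the working variant, but with --update instead of --rcheck.
UPDATE_THEN_SET = [limit_rule("update", 60, 10, "REJECT"), SET]
# The question's ufw rules: --set, then --update with 120 hits in 60 s
# (needs ip_pkt_list_tot >= 120, so simulate with size=120).
QUESTION_RULES = [SET, limit_rule("update", 60, 120, "ufw-user-limit")]


if __name__ == "__main__":
    steady = list(range(300))  # one NEW packet per second for five minutes
    for name, rules in [("set,rcheck", SET_THEN_RCHECK),
                        ("rcheck,set", RCHECK_THEN_SET),
                        ("update,set", UPDATE_THEN_SET)]:
        ok = accepted_times(rules, steady)
        print(f"{name}: {len(ok)} accepted, last accept at t={ok[-1]}")
```

With a source sending one packet per second, set-then-rcheck accepts nine packets and then rejects for good, because every later packet still reaches --set and keeps the entry fresh; rcheck-then-set rejects from t=10 until the oldest stamps fall out of the 60 s window and accepts again at t=61, which is the behaviour Answer 2 describes. Putting --update first does not help: --update adds a stamp whenever it matches, so the block is refreshed by the very packets it rejects. For the question's rules the block begins at the 120th packet and lapses once fewer than 120 stamps fall inside the trailing --seconds window, so a source that goes quiet is unblocked within 60 s of its last hit; --seconds is both the counting window and the bound on how long a quiet source stays matched.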