使用 iptables 设置阻止时间

Question 1

规则的相关部分是“-update --seconds 60 --hitcount 120”，以下是您需要了解的内容：

--seconds seconds
This option must be used in conjunction with one of --rcheck or --update. When used,
this will narrow the match to only happen when the  address is in the list and was
seen within the last given number of seconds.

--hitcount hits
This option must be used in conjunction with one of --rcheck or --update. When used,
this will narrow the match to only happen when the  address is in the list and
packets had been received greater than or equal to the given value. This option may
be used along with --seconds to create an even narrower match requiring a certain
number of hits within a specific time frame. The maximum value for the hitcount
parameter  is  given  by the "ip_pkt_list_tot" parameter of the xt_recent kernel
module. Exceeding this value on the command line will cause the rule to be rejected.

Answer

规则的相关部分是“-update --seconds 60 --hitcount 120”，以下是您需要了解的内容：

--seconds seconds
This option must be used in conjunction with one of --rcheck or --update. When used,
this will narrow the match to only happen when the  address is in the list and was
seen within the last given number of seconds.

--hitcount hits
This option must be used in conjunction with one of --rcheck or --update. When used,
this will narrow the match to only happen when the  address is in the list and
packets had been received greater than or equal to the given value. This option may
be used along with --seconds to create an even narrower match requiring a certain
number of hits within a specific time frame. The maximum value for the hitcount
parameter  is  given  by the "ip_pkt_list_tot" parameter of the xt_recent kernel
module. Exceeding this value on the command line will cause the rule to be rejected.

Question 2

我一直在为此苦苦挣扎。
我以为它已经解决了，像这样：（你可以转FORWARD置INPUT）

iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --set

iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount=10 -j REJECT --reject-with icmp-port-unreachable

上述方法有效，通过在 60 秒内限制为 10 个。我认为它有效，因为我在“阻止”期间停止了发送。但是，如果在阻止期内继续发送，它将永远被阻止。

当我反转顺序（以便在语句--set之后hitcount）时，它会按预期工作：在“阻止期”结束后，允许新的数据包进入（直到它们达到命中数）。

iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount=10 -j REJECT --reject-with icmp-port-unreachable

iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --set

Answer

我一直在为此苦苦挣扎。
我以为它已经解决了，像这样：（你可以转FORWARD置INPUT）

iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --set

iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount=10 -j REJECT --reject-with icmp-port-unreachable

上述方法有效，通过在 60 秒内限制为 10 个。我认为它有效，因为我在“阻止”期间停止了发送。但是，如果在阻止期内继续发送，它将永远被阻止。

当我反转顺序（以便在语句--set之后hitcount）时，它会按预期工作：在“阻止期”结束后，允许新的数据包进入（直到它们达到命中数）。

iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount=10 -j REJECT --reject-with icmp-port-unreachable

iptables -A FORWARD -i wlp3s0 -p udp --dport 5060 -m state --state NEW -m recent --set

使用 iptables 设置阻止时间

答案1

答案2

相关内容