Following this article to block, with nftables, IP addresses that attempt more than 10 new incoming TCP connections within one minute, how can I add a whitelist of the form ip saddr != { ip1, ip2, ... } ?
table ip filter {
    set denylist {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1m
    }
    chain input {
        type filter hook input priority filter; policy accept;
        ip protocol tcp ct state new,untracked update @denylist { ip saddr limit rate over 10/minute } drop
    }
}
Answer 1
This works for me
# rate limits ($IP1 and $IP2 are set with nft "define" statements earlier in the ruleset)
ip saddr != { $IP1, $IP2 } ip protocol tcp ct state new,untracked limit rate over 2/second update @denylist { ip saddr }
ip saddr @denylist drop
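A complete ruleset that combines the question's per-source rate limit with an allowlist, added here as an example; it is neither the question's nor the answer's code. The addresses in ALLOWLIST are placeholders from the documentation ranges, and the 10/minute threshold and 1m timeout are taken from the question. One point worth keeping in mind: a `limit rate` written at rule level (as in the answer) is a single counter shared by all sources, whereas a limit placed inside the set element, `{ ip saddr limit rate over 10/minute }`, is tracked per source address, which is what the question asks for.

```nftables
# Added example: allowlist + per-source rate limit + timed denylist.
# 192.0.2.10 and 198.51.100.0/24 are placeholder addresses; replace them.
define ALLOWLIST = { 192.0.2.10, 198.51.100.0/24 }

table ip filter {
    # Dynamic set: entries are created by the "update" rule below and
    # expire automatically after the timeout.
    set denylist {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1m
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Anything already on the denylist is dropped for the rest of its timeout,
        # not just the packet that crossed the threshold.
        ip saddr @denylist drop

        # Allowlisted sources are excluded from counting (the "!=" form from
        # the question). Everything else: count new TCP connections per source
        # address; a source exceeding 10/minute is added to the denylist and
        # this packet is dropped.
        ip saddr != $ALLOWLIST ip protocol tcp ct state new,untracked update @denylist { ip saddr limit rate over 10/minute } drop
    }
}
```

Check the file before loading it with `nft -c -f ruleset.nft` (syntax check only, nothing is applied), load it with `nft -f ruleset.nft`, and inspect who has been blocked with `nft list set ip filter denylist`. Using `!=` against the allowlist, rather than an early `accept` for those addresses, keeps the exemption limited to the rate limit instead of bypassing every later rule in the chain.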