Limit OpenVZ SMTP per hour

How can I limit the number of SMTP connections per hour from each /24 block on the host node? For example, I want to limit it to 50 emails per hour.

Thanks

Answer 1

iptables supports connection/rate limiting. From the iptables man page:

connlimit: Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).

   [!] --connlimit-above n
          Match if the number of existing connections is (not) above n.

   --connlimit-mask prefix_length
          Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128.

   Examples:

   # allow 2 telnet connections per client host
          iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

   # you can also match the other way around:
          iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

   # limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask)
          iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

   # limit the number of parallel HTTP requests to 16 for the link local network
          (ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

limit: This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached (unless the '!' flag is used). For example, it can be combined with the LOG target to provide limited logging.

   --limit rate[/second|/minute|/hour|/day]
          Maximum average matching rate: specified as a number, with an optional ‘/second’, ‘/minute’, ‘/hour’, or ‘/day’ suffix; the default is 3/hour.

   --limit-burst number
          Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
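
The man page excerpt above describes `limit` as a token bucket (a rate plus a burst). As an added illustration that is not part of the original answer, the Python below models that bucket, but keyed per source /24 the way the `hashlimit` match does (`--hashlimit-mode srcip --hashlimit-srcmask 24`), because a single `-m limit` rule keeps one bucket for the whole rule rather than one per client block, so it cannot by itself enforce a per-/24 quota. The event list, the rate (50/hour) and the burst (5) are constructed inputs; the code is a model of the accounting, not netfilter's implementation.

```python
import ipaddress
from collections import defaultdict


# Model (not netfilter source) of a token bucket keyed by source /24,
# i.e. the accounting hashlimit does with --hashlimit-mode srcip
# --hashlimit-srcmask 24.  A plain `-m limit` rule has ONE bucket for
# the whole rule, so it cannot enforce a per-block quota.
class TokenBucket:
    """rate_per_hour tokens are refilled per hour; burst is the capacity."""

    def __init__(self, rate_per_hour, burst):
        self.capacity = burst
        self.tokens = burst                      # a fresh bucket starts full
        self.interval = 3600.0 / rate_per_hour   # seconds per new token
        self.last_refill = 0.0

    def take(self, now):
        """Return True if a token was available at time `now` (seconds)."""
        whole = int((now - self.last_refill) // self.interval)
        if whole > 0:
            self.tokens = min(self.capacity, self.tokens + whole)
            self.last_refill += whole * self.interval
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def block_of(ip, prefix_len=24):
    """Map a source IP to its enclosing block, e.g. 10.0.0.7 -> 10.0.0.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def simulate(events, rate_per_hour=50, burst=5, prefix_len=24):
    """events: iterable of (time_seconds, source_ip) SYNs to port 25.
    Returns a list of (time, ip, block, verdict)."""
    buckets = defaultdict(lambda: TokenBucket(rate_per_hour, burst))
    out = []
    for t, ip in events:
        blk = block_of(ip, prefix_len)
        verdict = "ACCEPT" if buckets[blk].take(t) else "REJECT"
        out.append((t, ip, blk, verdict))
    return out


def per_block_counts(results):
    """Count verdicts per source block."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "REJECT": 0})
    for _, _, blk, verdict in results:
        counts[blk][verdict] += 1
    return dict(counts)


# Constructed sample: one /24 opens 8 connections in 8 seconds, a host from
# another block connects in between, then the first block tries again after
# 72 s (exactly one token at 50/hour) and once more 28 s later.
SAMPLE_EVENTS = [
    (0, "10.0.0.1"), (1, "10.0.0.2"), (2, "10.0.0.3"),
    (3, "192.168.1.5"),
    (4, "10.0.0.4"), (5, "10.0.0.5"), (6, "10.0.0.6"), (7, "10.0.0.7"),
    (72, "10.0.0.8"), (100, "10.0.0.9"),
]

if __name__ == "__main__":
    results = simulate(SAMPLE_EVENTS)
    for t, ip, blk, verdict in results:
        print(f"t={t:4d}s {ip:<12} {blk:<16} {verdict}")
    print(per_block_counts(results))
```

Running it shows the burst of 5 accepted, the rest of the flood from that /24 rejected, the other block unaffected, and one more connection admitted once 3600/50 = 72 s have passed. The iptables rule this approximates is `iptables -A INPUT -p tcp --syn --dport 25 -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-above 50/hour --hashlimit-burst 5 --hashlimit-name smtp -j REJECT`; the kernel's credit arithmetic differs in detail from this model, so verify the actual behaviour with the counters in `/proc/net/ipt_hashlimit/smtp` before relying on it.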
