如何限制主机节点上 /24 块的每小时 SMTP 连接数?例如,我想将其限制为每小时 50 封电子邮件。
谢谢
答案1
iptables 支持连接/速率限制。摘自 iptables 手册页:
connlimit 允许您限制每个客户端 IP 地址(或客户端地址块)与服务器的并行连接数。
[!] --connlimit-above n
Match if the number of existing connections is (not) above n.
--connlimit-mask prefix_length
Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128.
Examples:
# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT
# limit the number of parallel HTTP requests to 16 for the link local network
(ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT
限制 此模块使用令牌桶过滤器以有限的速率进行匹配。使用此扩展的规则将匹配,直到达到此限制(除非使用“!”标志)。例如,它可以与 LOG 目标结合使用以提供有限的日志记录。
--limit rate[/second|/minute|/hour|/day]
Maximum average matching rate: specified as a number, with an optional ‘/second’, ‘/minute’, ‘/hour’, or ‘/day’ suffix; the default is 3/hour.
--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.