How to prevent overloading an SMTP server
Tomáš Janoušek
tomi at nomi.cz
Thu Dec 4 18:43:54 CET 2003
> I have in mind, for example, limiting in IPTABLES the number of connections
> from a single IP address within a time interval.
Within a time interval it should work normally by matching packets with the SYN flag
and using -m limit.
Then there is also the option of limiting the number of parallel connections. I have never
tried it, but it should work.
patch-o-matic/base/connlimit.patch.help:
Author: Gerd Knorr <kraxel at bytesex.org>
Status: ItWorksForMe[tm]
This adds the CONFIG_IP_NF_MATCH_CONNLIMIT match, which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
--connlimit-mask 24 -j REJECT
--
.--------------------------------. .--------------------------. .---------.
| _________ __ _ |===| Tomáš Janoušek |===|o---. o |
||_________| _ |_/| | |===| NOMI team programmer |===||.--+--' |
| | | ___ | '-._.-._ _ | | __| | e-m na il: tomi na nomi.cz | ||| o+---o|
| | |/ _ \| .-. .-. || || |/ /| | web http://tomi.nomi.cz/ | ||| |`--. |
| | | (_) | | | | | || || ( |===| ICQ: #161807083 |===||o-'.--+o|
| |_|\___/|_| |_| |_|___|_|\_\|===| GSM: +420 608 876 277 |===|oo--' o |
`--------------------------------' `--------------------------' `---------'
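As an added example (not part of Tomáš's mail or of the connlimit patch help quoted above), the script below combines the two techniques from the reply into a small SMTP (tcp/25) chain: -m connlimit rejects a source address that already holds more than N open connections, and -m limit throttles the overall rate of new SYNs. One caveat worth knowing: -m limit counts all matching SYN packets together, regardless of source, so it protects the server from a burst as a whole; the per-source control on this page is connlimit's cap on parallel connections. Chain name SMTP_IN, the default rate, burst and parallel-connection values are constructed for illustration and should be tuned to the server; the script assumes an iptables build with the limit and connlimit matches.

```shell
#!/bin/sh
# Added example: rate-limit new SMTP connections with iptables (-m limit on
# SYN packets for the overall rate, -m connlimit for parallel connections per
# source address). Not taken from the original mail; values are constructed.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run
SMTP_PORT=25

# build_rules RATE BURST PARALLEL
# Emit the rule set as text, one iptables argument list per line, so it can
# be reviewed or tested without touching the live firewall.
build_rules() {
    rate="${1:-10/minute}"   # sustained rate of accepted new connections (all sources)
    burst="${2:-20}"         # token bucket size for short bursts
    parallel="${3:-4}"       # max simultaneous connections per client IP (mask 32)
    cat <<EOF
-N SMTP_IN
-A INPUT -p tcp --dport $SMTP_PORT --syn -j SMTP_IN
-A SMTP_IN -m connlimit --connlimit-above $parallel -j REJECT --reject-with tcp-reset
-A SMTP_IN -m limit --limit $rate --limit-burst $burst -j ACCEPT
-A SMTP_IN -j DROP
EOF
}

# apply_rules RATE BURST PARALLEL
# Feed each emitted line to $IPTABLES; stops at the first failing command.
apply_rules() {
    build_rules "$@" | while IFS= read -r rule; do
        # word-splitting of $rule into separate arguments is intended
        # shellcheck disable=SC2086
        "$IPTABLES" $rule || exit 1   # the loop runs in a pipeline subshell
    done
}

# Number of rules the generator produces (handy for a sanity check).
count_rules() {
    build_rules "$@" | wc -l | tr -d ' '
}
```

Excess SYNs beyond the -m limit budget are dropped rather than rejected, so a legitimate client simply retries after its TCP timeout, while a source that exceeds the connlimit cap gets an immediate reset. After applying, `iptables -L SMTP_IN -v -n` shows per-rule packet counters, which is the quickest way to see whether the limits are actually being hit.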