


I was having trouble understanding the iptables hashlimit module and couldn’t dig up anything that really helped. The man pages are definitely lacking a clear explanation, and /proc/net/ipt_hashlimit/ leaves out some information that would clarify things immensely. After some testing I managed to work it all out, so let’s go through it and see if I can help make sense of it for you too. I’ll try not to assume too much prior knowledge about the module. We’ll be coming at this with the goal of blocking traffic that exceeds a certain number of packets per second. Hashlimit uses hash buckets to express a rate-limiting match (like the limit match) for a group of connections using a single iptables rule. Grouping can be done per host group (source and/or destination address) and/or per port.
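To make the "one bucket per group" idea concrete, here is a small token-bucket model of hashlimit's behaviour, added as an illustration rather than taken from the original post or from the kernel module itself. The bucket arithmetic, the sample traffic and the host addresses are constructed; the kernel's internal credit units are not reproduced, only the observable effect of `--hashlimit-mode` on which packets `--hashlimit-above` would match.

```python
from collections import defaultdict
from fractions import Fraction

FIELDS = ("srcip", "dstip", "srcport", "dstport")   # the objects --hashlimit-mode can name

class HashlimitModel:
    """Token-bucket approximation of hashlimit: one bucket per hash key (constructed model)."""

    def __init__(self, rate_per_sec, burst, mode=()):
        self.rate = Fraction(rate_per_sec)   # tokens refilled per second (the rate part of --hashlimit-above)
        self.burst = Fraction(burst)         # bucket capacity (--hashlimit-burst)
        self.mode = set(mode)                # e.g. {"srcip"}; empty set = one shared bucket, like plain limit
        self.tokens = defaultdict(lambda: self.burst)
        self.last_seen = {}

    def key(self, pkt):
        # Only the fields listed in --hashlimit-mode take part in the hash key
        return tuple(pkt[f] for f in FIELDS if f in self.mode)

    def is_above(self, pkt, now):
        """True when the packet exceeds its group's rate (what --hashlimit-above would match)."""
        k = self.key(pkt)
        if k in self.last_seen:
            refill = (now - self.last_seen[k]) * self.rate
            self.tokens[k] = min(self.burst, self.tokens[k] + refill)
        self.last_seen[k] = now
        if self.tokens[k] >= 1:
            self.tokens[k] -= 1
            return False
        return True

def count_above(packets, rate_per_sec, burst, mode=()):
    """Number of packets a `--hashlimit-above <rate> --hashlimit-burst <burst>` rule would match."""
    model = HashlimitModel(rate_per_sec, burst, mode)
    return sum(1 for now, pkt in packets if model.is_above(pkt, now))

# Constructed sample traffic: two hosts, each sending 10 packets over 0.9 s to the same port
SAMPLE = []
for i in range(10):
    now = Fraction(i, 10)
    for src in ("192.0.2.10", "192.0.2.20"):
        SAMPLE.append((now, {"srcip": src, "dstip": "198.51.100.1", "srcport": 40000 + i, "dstport": 22}))

if __name__ == "__main__":
    # Per-source buckets: each host runs at ~10 pkt/s, so only its last packet exceeds 5/s plus a burst of 5
    print("srcip mode :", count_above(SAMPLE, 5, 5, mode={"srcip"}))   # 2
    # No mode: one shared bucket, so the combined 20 pkt/s is throttled much harder
    print("no mode    :", count_above(SAMPLE, 5, 5))                    # 11
```

Swapping `mode={"srcip"}` for `mode={"srcip", "dstport"}` or an empty set shows how the same rate and burst apply to a very different population of packets once the grouping changes.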
