> Mikrotik supports a queuing mechanism called PCQ (per connection queuing) which restricts each connection to the amount specified. [...]
> Is there a Linux Netfilter / IPTables equivalent of PCQ?
Hi.

As has been said here before, the "restrict limited kod" works quite well for me. It can be customized too.

As to a PCQ Linux IPTables alternative: the closest thing that comes to mind is the ipt_recent module (part of most distributions, I believe). More info here: http://www.snowman.net/projects/ipt_recent/

A basic example:

    iptables -I INPUT -i eth0 -p udp --dport 123 -m recent --set
    iptables -I INPUT -i eth0 -p udp --dport 123 -m recent --update --seconds 60 --hitcount 20 -j DROP

This tracks recent incoming NTP connections. If one IP sends more than 20 queries in 60 seconds, it is blocked until there is no connection from that IP for another 60 seconds (--update).

I use a variant of this to block clients that continually send millions of queries with no regard for KOD, timeouts, etc.

Hope this helps.

Matej Snoha
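The two rules above are easy to misread because both are inserted with -I, so the DROP rule (inserted second) ends up first in the chain, and because --update refreshes the address's timestamp on every matching packet, which is what keeps a noisy client blocked. The following simulation of that pair is an added example, not code from the post or from Netfilter; it models the recent module's per-address timestamp ring with an assumed ring size of 20 (the module's default ip_pkt_list_tot), a single constructed client, and timestamps in whole seconds.

```python
"""Simulate the xt_recent --set / --update --seconds 60 --hitcount 20 pair.

Added example, not from the post. Assumptions: ring size per address is
IP_PKT_LIST_TOT = 20 (the module default), time is in seconds, and the
DROP rule is evaluated before the --set rule (both were inserted with -I).
"""
from collections import defaultdict, deque

SECONDS = 60           # --seconds 60
HITCOUNT = 20          # --hitcount 20
IP_PKT_LIST_TOT = 20   # timestamps kept per address; hitcount cannot exceed this


class RecentList:
    """One 'recent' list: per-address ring of last-seen timestamps."""

    def __init__(self, ring_size=IP_PKT_LIST_TOT):
        self.stamps = defaultdict(lambda: deque(maxlen=ring_size))

    def set(self, ip, now):
        # --set: create or refresh the entry and record this packet's time.
        self.stamps[ip].append(now)

    def update(self, ip, now, seconds=SECONDS, hitcount=HITCOUNT):
        # --update --seconds N --hitcount H: match when the address is listed
        # and has at least H timestamps no older than N seconds. On a match
        # the entry gets a fresh timestamp, which is what extends the block
        # until the client has been silent for a full window.
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def decide(table, ip, now, seconds=SECONDS, hitcount=HITCOUNT):
    """Walk the chain in its effective order: DROP rule first, then --set."""
    if table.update(ip, now, seconds, hitcount):
        return "DROP"
    table.set(ip, now)
    return "ACCEPT"


def simulate(events, seconds=SECONDS, hitcount=HITCOUNT, ring_size=IP_PKT_LIST_TOT):
    """events: iterable of (time_seconds, ip); returns [(t, ip, verdict), ...]."""
    table = RecentList(ring_size)
    return [(t, ip, decide(table, ip, t, seconds, hitcount)) for t, ip in events]


def burst_then_quiet():
    # Constructed traffic: one client sends 25 queries one second apart,
    # then goes quiet for 60 seconds and sends one more.
    events = [(t, "192.0.2.10") for t in range(25)]
    events.append((24 + 61, "192.0.2.10"))
    return simulate(events)


if __name__ == "__main__":
    for t, ip, verdict in burst_then_quiet():
        print(f"t={t:3d}s {ip} {verdict}")
```

Running it shows the first 20 queries accepted, queries 21 to 25 dropped, and the query sent after 60 seconds of silence accepted again. The ring size matters in practice: a --hitcount larger than ip_pkt_list_tot can never match, so a rule such as --hitcount 30 with the default ring silently never blocks anything; the module parameter has to be raised to match.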
_______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
