On 31/01/2014 18:33, Rob Janssen wrote:
> Scott Baker wrote:
>> I want to block any client that sends an NTP packet more than 10 per
>> second. I'm trying to implement an IPTables rule to do this:
>>
>> iptables -A INPUT -p udp -m limit --dport 123 --limit 10/s -j DROP
>>
>> It is matching and blocking SOME packets, but definitely not the bulk of
>> them. Has anyone used IPTables to limit the rate packets are accepted?
>> Any sage advice for me?
>>
> Some time ago someone posted these rules:
>
> iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --set --name NTPTRAFFIC --rsource
> iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --update --seconds 60 --hitcount 7 --name NTPTRAFFIC --rsource -j DROP
>
> This looks like a more advanced filter that limits per IP address.
> Maybe you can work from that.
I tried using hashlimit like

iptables -A INPUT -p udp -m udp -d 88.191.245.121 --dport 123 -m state --state NEW -m hashlimit --hashlimit 20/second --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name NTP --hashlimit-htable-size 2048 --hashlimit-htable-expire 30000 --hashlimit-htable-gcinterval 10000 -j ACCEPT

But it was not very efficient. Or too much, when monitoring was not allowed to connect...

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
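The three rule shapes in this thread behave very differently against one flooding source, and the difference is easier to see by replaying the same packet stream through each of them. The script below is an added illustration written for this page, not code from the thread or from the netfilter project: it models the bucket semantics of -m limit and -m hashlimit (a bucket that starts with --limit-burst / --hashlimit-burst tokens and refills at the configured rate) and the sliding window of -m recent, and runs all three over a constructed second of traffic (one source at 100 packets/s, three ordinary clients sending one packet each). The addresses, timings and the names `FLOODER`, `CLIENTS`, `compare` and friends are the example's own assumptions; htable sizing, expiry and the 20-entry cap of -m recent are ignored. The model makes the point behind "matching and blocking SOME packets": with `-m limit ... -j DROP` the packets that match are the ones inside the allowance, so the first few per second are dropped and the flood passes, and the single shared bucket means any client can be the one that loses a packet, while the per-source rules isolate the flooder and leave the other clients untouched.

```python
"""Toy model of the three iptables rate-limit shapes discussed in this thread.

Not iptables: a packet is (time_ms, src_ip); each function replays the stream
through one rule shape and returns {src_ip: packets accepted}. The traffic
is constructed: one flooding source plus three ordinary clients.
"""
from collections import defaultdict, deque
from fractions import Fraction


class TokenBucket:
    """Bucket semantics shared by -m limit and -m hashlimit: starts full with
    `burst` tokens, refills at `rate` tokens per second, one token per match.
    Fractions keep the refill arithmetic exact."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = Fraction(burst)
        self.last_ms = None

    def take(self, now_ms):
        if self.last_ms is not None:
            refill = Fraction(now_ms - self.last_ms) * self.rate / 1000
            self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def global_limit_drop(packets, rate=10, burst=5):
    """The rule from the original question, -m limit --limit 10/s -j DROP
    (iptables' default --limit-burst is 5). One bucket for the whole rule,
    and the packets that MATCH (those inside the allowance) are the ones
    dropped; once the bucket is empty the rule stops matching and every
    further packet falls through to the accepting default policy."""
    bucket = TokenBucket(rate, burst)
    accepted = defaultdict(int)
    for t, src in packets:
        if not bucket.take(t):
            accepted[src] += 1
    return dict(accepted)


def recent_per_source(packets, seconds=60, hitcount=7):
    """The -m recent pair quoted in the reply: --set records every packet's
    source, then --update --seconds 60 --hitcount 7 -j DROP matches once a
    source has >= hitcount packets in the window. Dropped packets are still
    recorded by --set, so a source that keeps flooding stays blocked.
    (Real -m recent keeps at most ip_pkt_list_tot timestamps per address,
    20 by default; the deque here is only trimmed by the time window.)"""
    hits = defaultdict(deque)
    accepted = defaultdict(int)
    for t, src in packets:
        window = hits[src]
        window.append(t)
        while window[0] < t - seconds * 1000:
            window.popleft()
        if len(window) < hitcount:
            accepted[src] += 1
    return dict(accepted)


def hashlimit_per_source(packets, rate=20, burst=50):
    """The hashlimit rule from the final message, reduced to its core:
    --hashlimit-mode srcip gives each source its own bucket, packets inside
    the allowance match and are ACCEPTed, the rest hit a trailing DROP.
    (--hashlimit-htable-expire and friends are ignored here.)"""
    buckets = {}
    accepted = defaultdict(int)
    for t, src in packets:
        bucket = buckets.setdefault(src, TokenBucket(rate, burst))
        if bucket.take(t):
            accepted[src] += 1
    return dict(accepted)


FLOODER = "198.51.100.7"                            # constructed, TEST-NET-2
CLIENTS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]   # constructed, TEST-NET-1


def sample_stream():
    """One second of constructed traffic: the flooder sends 100 packets at
    10 ms spacing; each ordinary client sends a single packet in between."""
    packets = [(10 * i, FLOODER) for i in range(100)]
    packets += [(105, CLIENTS[0]), (505, CLIENTS[1]), (905, CLIENTS[2])]
    return sorted(packets)


def compare(packets=None):
    """Replay the same stream through all three rule shapes."""
    packets = packets if packets is not None else sample_stream()
    return {
        "limit-drop (original rule)": global_limit_drop(packets),
        "recent per-source": recent_per_source(packets),
        "hashlimit per-source": hashlimit_per_source(packets),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:28s} flooder accepted {result.get(FLOODER, 0):3d}/100, "
              f"clients accepted {[result.get(c, 0) for c in CLIENTS]}")
```

Over this stream the original `-m limit ... -j DROP` rule lets 86 of the flooder's 100 packets through, the `-m recent` pair passes only its first 6 and then blocks it for as long as it keeps sending, and the hashlimit rule with the thread's values (20/s, burst 50) still passes 69 of them within the first second, which is consistent with the "not very efficient" remark: a burst of 50 plus 20 per second is far more than a well-behaved NTP client ever needs, so the allowance mostly benefits the flooder. In every per-source variant the three ordinary clients are unaffected; with the shared-bucket rule whether they are dropped depends purely on when their packet happens to land relative to the flood.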
