This is what I use, but there's probably a better way (eth0.2 is my
internet-facing iface; I don't rate limit LAN clients):
iptables -A INPUT -i eth0.2 -p udp --dport 123 -m hashlimit \
    --hashlimit-upto 6/minute --hashlimit-burst 6 --hashlimit-htable-expire 3600000 \
    --hashlimit-mode srcip --hashlimit-name ntp -j ACCEPT
#iptables -A INPUT -i eth0.2 -p udp --dport 123 -j LOG \
#    --log-prefix "[RATE-LIMITED NTP]: "
iptables -A INPUT -i eth0.2 -p udp --dport 123 -j DROP
The LOG rule is commented out currently; it generates too many entries
to be really useful, unless you're inclined to write a script to parse
them out. I had intended to do that once upon a time but never got
around to it.
Tim
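As an added example (not part of Tim's post, and not an ntp.org tool), here is the kind of parsing script the post mentions, written against the "[RATE-LIMITED NTP]: " prefix of the commented-out LOG rule and the standard netfilter syslog format (KEY=VALUE fields such as SRC= and DPT=). It counts logged, i.e. over-limit, NTP packets per source address so the log can be reduced to a short "who is hammering the server" summary instead of raw lines. It also includes a small token-bucket model of the hashlimit rule (6/minute, burst 6, per srcip) so you can see which packets from one client the rule would accept; that model is an approximation of the kernel's credit accounting, not its actual code. The log lines are constructed samples using documentation address ranges.

```python
"""Summarise netfilter LOG entries from an NTP rate-limit rule.

Added example, not from the original mailing-list post. Assumes the
LOG prefix "[RATE-LIMITED NTP]: " and the usual kernel LOG line format.
"""
import re
from collections import Counter

LOG_PREFIX = "[RATE-LIMITED NTP]: "
# KEY=VALUE fields we care about in a netfilter LOG line.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample syslog lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jan 10 12:00:01 router kernel: [RATE-LIMITED NTP]: IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.1 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jan 10 12:00:01 router kernel: [RATE-LIMITED NTP]: IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.1 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jan 10 12:00:02 router kernel: [RATE-LIMITED NTP]: IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.1 LEN=76 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=40123 DPT=123 LEN=56
Jan 10 12:00:02 router kernel: eth0.2: link is up
Jan 10 12:00:03 router kernel: [RATE-LIMITED NTP]: IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.1 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields of one rate-limit LOG line, or None
    if the line was not produced by that LOG rule."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = dict(FIELD_RE.findall(line[idx + len(LOG_PREFIX):]))
    if "SRC" not in fields:
        return None
    return fields


def summarize(log_text, top=10):
    """Count over-limit NTP packets per source IP, most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is not None:
            counts[fields["SRC"]] += 1
    return counts.most_common(top)


def hashlimit_decision(timestamps, rate_per_minute=6, burst=6):
    """Approximate the per-srcip hashlimit bucket for one client.

    timestamps: packet arrival times in seconds, non-decreasing.
    Returns a list of booleans, True where the ACCEPT rule would match.
    The bucket starts full (burst tokens) and refills at rate_per_minute.
    """
    tokens = float(burst)
    refill_per_sec = rate_per_minute / 60.0
    last = None
    decisions = []
    for t in timestamps:
        if last is not None:
            tokens = min(float(burst), tokens + (t - last) * refill_per_sec)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            decisions.append(True)   # within limit: ACCEPT
        else:
            decisions.append(False)  # over limit: falls through to LOG/DROP
    return decisions


if __name__ == "__main__":
    for src, n in summarize(SAMPLE_LOG):
        print(f"{src:16} {n} over-limit packets")
    # 7 packets at once, then one 10 s later: the burst absorbs 6.
    print(hashlimit_decision([0] * 7 + [10]))
```

Run it against `journalctl -k` or `/var/log/kern.log` output piped into `summarize()`; sources that top the list are candidates for a longer-lived DROP rule or for checking whether the server is being used as an amplification reflector.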
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool