`
zzsj123
  • 浏览: 46006 次
社区版块
存档分类
最新评论

iptables利用connlimit模块防御DDOS攻击

阅读更多
  
lsmod |grep ipt
查看是否安装ipt_connlimit模块

  
[root@localhost ~]# modinfo xt_connlimit
  #查看xt_connlimit模块

  filename: /lib/modules/2.6.32-358.el6.x86_64/kernel/net/netfilter/xt_connlimit.ko

  alias: ip6t_connlimit

  alias: ipt_connlimit

  license: GPL

  description: Xtables: Number of connections matching

  author: Jan Engelhardt

  srcversion: FD50EBD41C0216E02E65B1E

  depends: nf_conntrack

  vermagic: 2.6.32-358.el6.x86_64 SMP mod_unload modversions



限制一个客户端并发请求为10

  iptables -A INPUT -p tcp –dport 80 -m connlimit –connlimit-above 10 -j REJECT

  限制除用户XXX.XXX.XXX.XXX以外的IP连接数为50

  iptables -I FORWARD -p tcp -s !XXX.XXX.XXX.XXX -m connlimit –connlimit-above 50 -j REJECT

  iptables -p tcp –syn –dport 80 -m connlimit –connlimit-above 16 –connlimit-mask 24 -j REJECT

分享到:
评论

相关推荐

Global site tag (gtag.js) - Google Analytics