Hi, as I promised on the LARTC list I created a patch for a new connbytes match. It matches packets which belong to a connection which has transferred a given range of bytes. For those interested it is at http://luxik.cdi.cz/~devik/connbytes/

It was originally meant to be used with HTB or another qdisc to reclassify long download streams to a lower prio class.

devik
Hi,

Is it possible to use iptables as hammer protection?

I want to deny a user who has just logged off .. for about 10 seconds. I tried with this, but that didn't work. Maybe my mind is going completely in the wrong direction today? =)

iptables -I INPUT -i eth0 -p tcp -s 0/0 -d $my_ip --dport 21 -m limit --limit 10/second --limit-burst 1 --tcp-flags ALL SYN -j ACCEPT

Greetings,
Joachim
> Hi,
>
> Is it possible to use iptables as hammer protection?
>
> I want to deny a user who has just logged off .. for about 10 seconds.

I think this is an application-logic thing which can't be implemented that easily by only one iptables line.

> I tried with this, but that didn't work. Maybe my mind is going
> completely in the wrong direction today? =)
>
> iptables -I INPUT -i eth0 -p tcp -s 0/0 -d $my_ip --dport 21 -m limit
> --limit 10/second --limit-burst 1 --tcp-flags ALL SYN -j ACCEPT

This rule blocks (afaik) every request after the 10th/second, no matter whether s.o. logged off or on ... I think what you want must be done on application level, or with a "magic" (and dirty) script which watches the ftp-log: if s.o. logs off, grep its IP and then block it for 10 seconds. But that not only sounds ugly :)

> Greetings,
>
> Joachim
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
hi Joachim,

> I want to deny a user who has just logged off .. for about
> 10 seconds.

I think you can only limit the number of SYN packets like you already proposed.

> I tried with this, but that didn't work. Maybe my mind is going
> completely in the wrong direction today? =)
>
> iptables -I INPUT -i eth0 -p tcp -s 0/0 -d $my_ip --dport 21 -m
> limit --limit 10/second --limit-burst 1 --tcp-flags ALL SYN -j
> ACCEPT

I'm not sure, but I think you just mixed the parameters up. --limit 10/second allows 10 SYN packets per second, so if you only want one packet per 10 seconds you should perhaps try 6/minute, or maybe say 1/minute and set the limit-burst to 3 or so.

best regards
Sebastian

-- 
Sebastian 'spax' Pape | I'm like time ... u can't stop me!
mailto: sebastian@p-a-p-e.de | gpg: http://p-a-p-e.de/gpg.asc | --- Do you want to know more? http://www.p-a-p-e.de/ ---
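To see what the two rules discussed in this thread actually let through, here is an added Python model of the iptables limit match (not code from any of the posters): --limit is the refill rate of a token bucket and --limit-burst is its size. It assumes the bucket starts full and refills continuously, and ignores the kernel's fixed-point rounding; the two traffic samples are constructed.

```python
from fractions import Fraction

RATE_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_rate(spec: str) -> Fraction:
    """'10/second' -> 10 tokens/s, '6/minute' -> 1/10 token/s (exact)."""
    count, unit = spec.split("/")
    return Fraction(int(count), RATE_UNITS[unit])

class LimitMatch:
    """Token-bucket model of the iptables 'limit' match (assumed: bucket starts
    full, refills at --limit, is capped at --limit-burst; no kernel rounding)."""

    def __init__(self, rate: Fraction, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = Fraction(burst)   # full bucket when the rule is inserted
        self.last = Fraction(0)         # arrival time of the previous packet

    def matches(self, now: Fraction) -> bool:
        # refill for the time elapsed since the last packet, never above burst
        self.tokens = min(Fraction(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:            # one whole token is spent per packet
            self.tokens -= 1
            return True
        return False

def simulate(limit: str, burst: int, syn_times) -> list[bool]:
    """For each SYN arrival time (seconds), whether the limit rule matches it."""
    match = LimitMatch(parse_rate(limit), burst)
    return [match.matches(Fraction(t)) for t in syn_times]

# Constructed traffic: one client reconnecting every 0.5 s for 10 s, and one
# client sending 20 SYNs within a single second.
RECONNECTS = [Fraction(i, 2) for i in range(20)]
FLOOD = [Fraction(i, 20) for i in range(20)]

def compare_rules() -> dict[str, int]:
    """Number of the 20 SYNs each rule matches (and so sends to -j ACCEPT)."""
    return {
        "posted 10/second burst 1, reconnects": simulate("10/second", 1, RECONNECTS).count(True),
        "posted 10/second burst 1, flood": simulate("10/second", 1, FLOOD).count(True),
        "suggested 6/minute burst 3, reconnects": simulate("6/minute", 3, RECONNECTS).count(True),
    }

if __name__ == "__main__":
    for rule, accepted in compare_rules().items():
        print(f"{rule}: {accepted}/20 SYNs match")
```

A SYN the limit rule does not match is not dropped by that rule; it falls through to the next rule or the chain policy, so this construction caps connection attempts from every client on port 21 rather than singling out the one that just logged off.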