Hashlimit rate control
2022-07-06 04:12:00 【redwingz】
When the iptables extended match hashlimit is used with hashlimit-mode left empty, it is equivalent to the limit match. The following hashlimit rule limits traffic to no more than 50 packets per second.
# iptables --new-chain RATE-LIMIT
# iptables -A INPUT -p udp -j RATE-LIMIT
# iptables --append RATE-LIMIT \
--match hashlimit \
--hashlimit-upto 50/sec \
--hashlimit-burst 20 \
--hashlimit-name conn_rate_limit \
--jump ACCEPT
# iptables --append RATE-LIMIT --jump DROP
#
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
RATE-LIMIT udp -- 0.0.0.0/0 0.0.0.0/0
Chain RATE-LIMIT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 limit: up to 50/sec burst 20
DROP all -- 0.0.0.0/0 0.0.0.0/0
The following PROC file is created, named after hashlimit-name. Because hashlimit-mode is not specified, the source IP, destination IP, source port and destination port fields are all zero:
$ cat /proc/net/ipt_hashlimit/conn_rate_limit
0 0.0.0.0:0->0.0.0.0:0 54975581200000 54975581200000 2748779060000
The equivalent function implemented with the limit match is shown below; it also limits traffic to no more than 50 packets per second.
# iptables --flush
# iptables --delete-chain RATE-LIMIT
# iptables --new-chain RATE-LIMIT
# iptables -A INPUT -p udp -j RATE-LIMIT
# iptables -A RATE-LIMIT -m limit --limit 50/sec --limit-burst 20 -j ACCEPT
# iptables --append RATE-LIMIT --jump DROP
Packet limit
Setting the hashlimit-mode parameter to srcip applies the limit per source IP address: the rate of each IP is limited to 5 packets per minute, and hash table entries time out after 30 seconds.
# iptables -I INPUT -p icmp -m hashlimit --hashlimit-name icmp-limit \
--hashlimit-mode srcip --hashlimit-srcmask 32 \
--hashlimit-above 5/minute --hashlimit-burst 2 \
--hashlimit-htable-expire 30000 -j DROP
View the hash table entries through the PROC file icmp-limit.
$ cat /proc/net/ipt_hashlimit/icmp-limit
29 192.168.1.114:0->0.0.0.0:0 804842551180032 3298534872000000 1649267436000000
29 192.168.1.117:0->0.0.0.0:0 748217702349568 3298534872000000 1649267436000000
With dstip mode, the number of packets sent to each destination IP address is limited to 5 per minute.
# iptables -I INPUT -p icmp -m hashlimit --hashlimit-name icmp-limit \
--hashlimit-mode dstip --hashlimit-dstmask 32 \
--hashlimit-above 5/minute --hashlimit-burst 2 \
--hashlimit-htable-expire 30000 -j DROP
View the hash table entries through the PROC file icmp-limit.
$ cat /proc/net/ipt_hashlimit/icmp-limit
27 0.0.0.0:0->192.168.9.133:0 675649895268352 3298534872000000 1649267436000000
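In the packet-rate tables above, the last three columns can be read as current credit, credit cap and per-packet cost; in the samples, cap divided by cost equals the configured --hashlimit-burst (20 and 2). The following Python code is an added example, not part of the original post: it parses such lines and lists the buckets whose credit no longer covers one packet. It assumes IPv4 packet-rate tables only (not byte-rate tables), and the names Bucket, parse_table and throttled are illustrative.

```python
import re
from typing import NamedTuple

# Lines copied from the conn_rate_limit and icmp-limit outputs shown above.
SAMPLE = """\
0 0.0.0.0:0->0.0.0.0:0 54975581200000 54975581200000 2748779060000
29 192.168.1.114:0->0.0.0.0:0 804842551180032 3298534872000000 1649267436000000
29 192.168.1.117:0->0.0.0.0:0 748217702349568 3298534872000000 1649267436000000
27 0.0.0.0:0->192.168.9.133:0 675649895268352 3298534872000000 1649267436000000
"""

# expires  src:sport->dst:dport  credit  credit_cap  cost   (IPv4 only)
LINE_RE = re.compile(
    r"^(-?\d+)\s+([\d.]+):(\d+)->([\d.]+):(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$"
)

class Bucket(NamedTuple):
    expires_s: int   # seconds until the idle entry is removed
    src: str
    dst: str
    credit: int      # tokens currently available (snapshot from the file)
    cap: int         # maximum tokens (cost x burst)
    cost: int        # tokens consumed per packet

    @property
    def burst(self) -> int:
        return self.cap // self.cost

    @property
    def packets_left(self) -> int:
        return self.credit // self.cost

def parse_table(text: str) -> list:
    """Parse packet-rate hashlimit entries; skip lines that do not fit."""
    buckets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or int(m.group(8)) == 0:
            continue
        exp, src, _sp, dst, _dp, credit, cap, cost = m.groups()
        buckets.append(Bucket(int(exp), src, dst, int(credit), int(cap), int(cost)))
    return buckets

def throttled(buckets: list) -> list:
    """Keys of buckets that cannot pay for one more packet in this snapshot."""
    return [(b.src, b.dst) for b in buckets if b.packets_left == 0]

if __name__ == "__main__":
    for b in parse_table(SAMPLE):
        print(b.src, "->", b.dst, "burst", b.burst, "left", b.packets_left)
```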
Traffic limit
The following rule limits the traffic of each source IP address to 256kbit per second.
# iptables -I INPUT -p icmp -m hashlimit --hashlimit-name icmp-traffic-limit \
--hashlimit-mode srcip --hashlimit-srcmask 32 \
--hashlimit-above 256kb/s --hashlimit-burst 500kb \
--hashlimit-htable-expire 30000 -j DROP
View the hash table entries through the PROC file icmp-traffic-limit.
$ cat /proc/net/ipt_hashlimit/icmp-traffic-limit
29 192.168.9.1:0->0.0.0.0:0 4194304000 2 255984
Session traffic limit
Traffic control based on the 5-tuple (icmp, srcip, dstip, srcport, dstport).
# iptables -I INPUT -p icmp -m hashlimit --hashlimit-name icmp-session-limit \
--hashlimit-mode srcip,dstip,srcport,dstport \
--hashlimit-above 256kb/s --hashlimit-burst 512kb \
--hashlimit-htable-expire 30000 -j DROP
View the hash table entries through the PROC file icmp-session-limit; ICMP has no port numbers.
$ cat /proc/net/ipt_hashlimit/icmp-session-limit
29 192.168.9.1:0->192.168.9.133:0 4194304000 2 255984