Hi,

I would like to use the limit extension, to prevent flooding (only, for learning :P )

man tells me only this:

[...]
limit
    This module matches at a limited rate using a token bucket filter: it can be used in combination with the LOG target to give limited logging. A rule using this extension will match until this limit is reached (unless the `!' flag is used).

    --limit rate
        Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

    --limit-burst number
        The maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
[...]

Can somebody explain this to me? Perhaps with an example?

Thx, Markus
Markus wrote:
Hi,
I would like to use the limit extension, to prevent flooding (only, for learning :P )
man tells me only this:

[...]
limit
    This module matches at a limited rate using a token bucket filter: it can be used in combination with the LOG target to give limited logging. A rule using this extension will match until this limit is reached (unless the `!' flag is used).

    --limit rate
        Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

    --limit-burst number
        The maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
[...]

Can somebody explain this to me? Perhaps with an example?
Thx, Markus
For example:

iptables -A OUTPUT -m limit --limit 10/m -j LOG --log-prefix "OUTPUT DROP "
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -p icmp -j DROP

This will log 10 messages per minute and drop/reject the packets.

V.Lieder
On Friday, 6 June 2003 19:02, Volker Lieder wrote:
Markus wrote:
man tells me only this: [...] limit --limit rate --limit-burst number [...]
For example:
iptables -A OUTPUT -m limit --limit 10/m -j LOG --log-prefix "OUTPUT DROP "
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -p icmp -j DROP

This will log 10 messages per minute and drop/reject the packets.

Good, but what is the "--limit-burst" parameter for? And these 10 messages, are they the first messages received or only 1 in 6 seconds?

Greets, Markus
On Fri, 6 Jun 2003, Markus Hochmann wrote:
Good, but what is the "--limit-burst" parameter for? And these 10 messages, are they the first messages received or only 1 in 6 seconds?

The best explanation I've seen so far was something like this:

For every "limit" rule, there's a "bucket" containing "tokens"; whenever the rule matches, a token is removed; when the token count reaches zero, the rule doesn't match anymore.

"--limit" is the bucket refill rate. "--limit-burst" is the bucket size (number of tokens that fit).

Martin
On Tuesday, 10 June 2003 12:58, Martin Köhling wrote:
On Fri, 6 Jun 2003, Markus Hochmann wrote:
Good, but what is the "--limit-burst" parameter for? And these 10 messages, are they the first messages received or only 1 in 6 seconds?
The best explanation I've seen so far was something like this:
For every "limit" rule, there's a "bucket" containing "tokens"; whenever the rule matches, a token is removed; when the token count reaches zero, the rule doesn't match anymore.
"--limit" is the bucket refill rate. "--limit-burst" is the bucket size (number of tokens that fit).

That's really easy to understand :D

Thx, Markus
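The bucket picture from Martin's reply, applied to Volker's rule (--limit 10/m with the default --limit-burst 5), can be checked numerically. The following is an added example written for this archive page; it is not code from the thread or from netfilter itself, and the traffic it runs against is constructed: a 20-packet flood in the first 0.19 seconds followed by single packets at 6, 7 and 12 seconds. It models what the man page describes as a token bucket: the bucket starts full, each match spends one token, tokens are refilled continuously at the --limit rate and capped at --limit-burst. The exact rate-to-credit arithmetic in the kernel's xt_limit differs in representation, but the matching behaviour is the one shown.

```python
"""Token-bucket model of the iptables `limit` match (added example, not from
the thread or from the netfilter sources).

  --limit        bucket refill rate (converted here to tokens per second)
  --limit-burst  bucket size; the bucket starts full, so the first `burst`
                 packets match back-to-back

Each packet that matches spends one token; with an empty bucket the rule does
not match and the packet falls through to the rules below it.  Fraction is
used so the arithmetic is exact and the thresholds fall where you expect.
"""
from fractions import Fraction

# seconds per unit; an abbreviated suffix such as "m" in "10/m" is matched by prefix
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """'10/m' -> Fraction(1, 6) tokens per second; a bare '3' means 3/hour."""
    num, _, unit = spec.partition("/")
    unit = unit or "hour"                       # iptables' default suffix
    for name, seconds in UNITS.items():
        if name.startswith(unit):
            return Fraction(int(num), seconds)
    raise ValueError(f"unknown rate unit in {spec!r}")


class LimitMatch:
    """One `-m limit` rule instance with its own bucket."""

    def __init__(self, rate_spec: str, burst: int = 5):   # 5 is the iptables default
        self.rate = parse_rate(rate_spec)
        self.burst = burst
        self.tokens = Fraction(burst)           # bucket starts full
        self.last = Fraction(0)

    def match(self, now: Fraction) -> bool:
        # refill in proportion to elapsed time, never beyond the bucket size
        self.tokens = min(Fraction(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1                    # this packet matches and spends a token
            return True
        return False                            # bucket empty: rule does not match


def simulate(rate_spec: str, burst: int, arrivals):
    """Return (arrival_time, matched) for each packet, in arrival order."""
    lim = LimitMatch(rate_spec, burst)
    return [(t, lim.match(t)) for t in arrivals]


# Constructed traffic (not captured): 20 packets 10 ms apart starting at t=0,
# then single packets at 6 s, 7 s and 12 s.  Times are seconds since rule load.
FLOOD = [Fraction(i, 100) for i in range(20)] + [Fraction(6), Fraction(7), Fraction(12)]


def matched_times(rate_spec="10/m", burst=5, arrivals=FLOOD):
    """Arrival times of the packets the limit rule lets through."""
    return [t for t, ok in simulate(rate_spec, burst, arrivals) if ok]


if __name__ == "__main__":
    for spec, burst in (("10/m", 5), ("10/m", 1)):
        hits = matched_times(spec, burst)
        print(f"--limit {spec} --limit-burst {burst}: {len(hits)} of {len(FLOOD)} "
              f"packets match, at t = {[str(t) for t in hits]}")
```

With --limit 10/m and burst 5 the first five packets of the flood match immediately, the other fifteen do not, and after that the bucket only refills one token every 6 seconds, so the packets at t=6 and t=12 match while the one at t=7 does not. So the answer to the question in the thread is "both": up to --limit-burst packets are matched at once, and then on average one per 6 seconds. With --limit-burst 1 only the very first flood packet matches. Because LOG is a non-terminating target, packets that fail the limit match in Volker's rule set are not logged but still reach the REJECT/DROP rules below it.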
participants (3)
- Markus Hochmann
- Martin Köhling
- Volker Lieder