Markus wrote:
Hi,
I would like to use the limit extension to prevent flooding (only for learning :P ).
man tells me only this:

[...]
limit
    This module matches at a limited rate using a token bucket filter: it can be used in combination with the LOG target to give limited logging. A rule using this extension will match until this limit is reached (unless the `!' flag is used).

    --limit rate
        Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

    --limit-burst number
        The maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
[...]
Can somebody explain this to me? Perhaps with an example?
Thx, Markus
For example:

# The LOG rule matches at most 10 packets per minute on average (burst 5 by
# default); every packet, logged or not, then falls through to the
# REJECT/DROP rules below.
iptables -A OUTPUT -m limit --limit 10/m -j LOG --log-prefix "OUTPUT DROP "
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -p icmp -j DROP

This will log 10 messages per minute and drop/reject the packets.

V.Lieder
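To make the man page wording concrete, here is a small simulation of the token bucket behind `-m limit`, added here as an example and not code from the original thread or from iptables itself. It models `--limit` as the refill rate and `--limit-burst` as the bucket size, and runs V.Lieder's `10/m` rule (default burst 5) against a constructed packet flood. The rate parser assumes, as libxt_limit's parser does, that a bare number means per second and that a unit may be abbreviated to any prefix (`/m`, `/min`, `/minute`); the kernel keeps integer credits in jiffies, so the floating-point bucket here is a simplification of the real match.

```python
"""Token-bucket model of the iptables 'limit' match (-m limit).

Added example, not code from the original thread.  The bucket holds at most
--limit-burst tokens, starts full, refills continuously at the --limit rate
(never above the burst), and a packet matches only if a whole token is
available, which it then spends.  Times are floats in seconds; the kernel
keeps integer credits in jiffies, so this is a simplified model.
"""

# Seconds per rate unit; a unit may be abbreviated to any prefix ("/m", "/min").
UNITS = (("second", 1), ("minute", 60), ("hour", 3600), ("day", 86400))


def parse_rate(spec):
    """Return tokens per second for a --limit spec such as '10/m' or '3/hour'.
    A bare number is taken as per second (assumed to mirror libxt_limit)."""
    num, slash, unit = spec.partition("/")
    if not slash:
        return float(num)
    for name, seconds in UNITS:
        if unit and name.startswith(unit.lower()):
            return float(num) / seconds
    raise ValueError("bad rate unit: %r" % unit)


class LimitMatch:
    """One instance of '-m limit --limit RATE --limit-burst BURST'."""

    def __init__(self, rate="3/hour", burst=5):   # the man page defaults
        self.rate = parse_rate(rate)    # tokens added per second
        self.burst = burst              # bucket capacity
        self.tokens = float(burst)      # starts full: the first BURST packets match
        self.last = 0.0                 # arrival time of the previous packet

    def match(self, now):
        """True if a packet arriving at time `now` (seconds) matches the rule."""
        # Credit the elapsed time, but never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(rate, burst, timestamps):
    """Feed ascending packet arrival times through one limit match and
    return the timestamps of the packets that matched."""
    m = LimitMatch(rate, burst)
    return [t for t in timestamps if m.match(t)]


def flood_then_trickle(rate="10/m", burst=5):
    """Constructed scenario: a 1000-packet flood inside the first second,
    then one packet per second for two minutes.  Returns
    (matches during the flood, matches afterwards)."""
    flood = [i / 1000.0 for i in range(1000)]
    trickle = [float(1 + i) for i in range(120)]
    matched = simulate(rate, burst, flood + trickle)
    return (len([t for t in matched if t < 1.0]),
            len([t for t in matched if t >= 1.0]))


if __name__ == "__main__":
    during, after = flood_then_trickle()
    print("flood: %d of 1000 packets logged (the burst); next 2 min: %d (about 10/min)"
          % (during, after))
    # A quiet spell refills the bucket, so a later burst is logged again.
    print(simulate("10/m", 5, [0.0] * 7 + [100.0] * 7))
```

Running it shows the two things the man page is trying to say: during the flood only the first 5 packets (the burst) are logged, no matter how many arrive, and afterwards a new log line appears about every 6 seconds, which is the 10/minute average. The second call shows the "recharge": seven packets at once log five, and after a 100-second pause seven more packets again log five, because the bucket has filled back up to the burst size.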