* connlimit and NEW state
@ 2010-06-10 5:50 Mihamina Rakotomandimby
From: Mihamina Rakotomandimby @ 2010-06-10 5:50 UTC (permalink / raw)
To: netfilter
Manao ahoana, Hello, Bonjour,
I have a software, *like* http://coova.org/ (access controller) but old
and proprietary, that allows people to connect to the internet after
identifying through a web form.
If the user is not identified, when he tries to browse the Internet, he is
redirected to the identification web form. Identification is possible
only via the web form.
The problem is there are some users trying to DOS by overloading the
redirection.
I set up a filtering bridge before the access controller in order to
limit triggering the web redirection. I put a very basic rule:
$ sudo brctl show
bridge name interfaces
br0 eth1 eth2
#!/bin/bash
CLIENTS1=eth1            # bridge port facing the clients
ACCESS_CONTROLLER=eth2   # bridge port facing the access controller
# "connlimit" below is a user-defined chain: it must exist before any
# rule jumps to it, otherwise iptables refuses the -j.
iptables -N connlimit
# Only NEW TCP connections entering the bridge from the client port are
# sent to the connlimit chain.
iptables -A FORWARD -i br0 \
  -m physdev --physdev-in $CLIENTS1 \
  -p tcp -m state --state NEW -j connlimit
[...]
# Drop the new connection when its source already has more than 15
# connections open (default mask: per source IP address).
iptables -A connlimit -m connlimit \
  --connlimit-above 15 -j DROP
This seems to limit the DOS, and the results are quite satisfying me.
I limit NEW connections to 15 parallel ones. Is it really "real time"?
I guess there is a time interval, but did not find how tiny it is (1
second? 1 millisecond?...)
Misaotra, Thanks, Merci.
--
Architecte Informatique chez Blueline/Gulfsat:
Administration Systeme, Recherche & Developpement
+261 3456 000 19
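The question above asks what time interval connlimit uses. It uses none: xt_connlimit counts the connections conntrack currently tracks from the same source (default --connlimit-mask 32, so per IPv4 address), adds the candidate, and matches when that number is above N. The model below is an added example, not code from the mail; the ConnLimit class and the constructed events are assumptions that reproduce only that counting rule.

```python
# Constructed model of the xt_connlimit decision on a NEW TCP packet.
# It bounds concurrency per source; nothing here looks at the clock.
from collections import defaultdict


class ConnLimit:
    """Per-source concurrent-connection bound, like '--connlimit-above N'."""

    def __init__(self, above=15):
        self.above = above
        self.open = defaultdict(set)   # source IP -> ids of tracked connections

    def new(self, src, conn_id):
        """Verdict for a NEW packet: 'ACCEPT' or 'DROP' (the chain's target)."""
        # Connections already tracked from this source plus the candidate.
        if len(self.open[src]) + 1 > self.above:
            return "DROP"
        self.open[src].add(conn_id)
        return "ACCEPT"

    def close(self, src, conn_id):
        """Conntrack stopped tracking the connection: the slot is free again.
        (Real conntrack keeps a closed TCP flow for its TIME_WAIT timeout.)"""
        self.open[src].discard(conn_id)


def replay(events, above=15):
    """Replay (action, src, conn_id) events; return verdicts of the NEW ones."""
    cl = ConnLimit(above)
    verdicts = []
    for action, src, cid in events:
        if action == "new":
            verdicts.append((src, cid, cl.new(src, cid)))
        else:
            cl.close(src, cid)
    return verdicts


# Constructed traffic: one source opens 16 connections at once; the 16th
# concurrent one is dropped, while a second source is counted on its own.
BURST = [("new", "10.0.0.1", i) for i in range(16)] + [("new", "10.0.0.2", 100)]
# The same source opens 15, closes all 15, then opens 15 more "at once":
# none is dropped, because connlimit bounds concurrency, not arrival rate.
CHURN = ([("new", "10.0.0.1", i) for i in range(15)]
         + [("close", "10.0.0.1", i) for i in range(15)]
         + [("new", "10.0.0.1", i) for i in range(15, 30)])

if __name__ == "__main__":
    for src, cid, verdict in replay(BURST):
        print(f"{src} conn {cid}: {verdict}")
```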