What does this iptables (update, seconds, hitcount) rule do? (debian)

Question

# Watch for packets
iptables -I INPUT -p udp -m state --state NEW -m recent --set

# Drop flooders
iptables -I INPUT -p udp -m state --state NEW -m recent --update --seconds 3 --hitcount 50 -j DROP

I don't fully understand how this works. What I know is that when something hits over UDP more than 50 times within 3 seconds, it gets dropped.

But for how long? Is it limited to 50 hits? Is that 50 hits for everyone, or 50 hits per IP?

Tags: debian, iptables

Answer


From https://linux.die.net/man/8/iptables

[!] --rcheck
Check if the source address of the packet is currently in the list.
[!] --update
Like --rcheck, except it will update the "last seen" timestamp if it matches.
[!] --remove
Check if the source address of the packet is currently in the list and if so that address will be removed from the list and the rule will return true. If the address is not found, false is returned.
[!] --seconds seconds
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds.
[!] --hitcount hits
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame.

I would say it is per source IP address: as long as there have been more than 49 hits from that source IP address in the last 3 seconds, its packets are dropped.
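As an added illustration (not code from the question, the answer, or the iptables project), the following Python model replays the two rules over constructed traffic with constructed addresses and timings; the per-address timestamp cap NSTAMPS is a simplification standing in for the module's own limit. It shows the points the answer makes: the count is kept per source address, the 51st packet from one address inside a 3-second window is the first one dropped, and the drop lasts only while at least 50 timestamps remain inside the window, because --update refreshes an entry only when the rule matches.

```python
"""Constructed model of the two `-m recent` rules in the question.

This is an added illustration, not the kernel's xt_recent code: it keeps, per
source address, the timestamps of recent packets and applies the
--update --seconds 3 --hitcount 50 test the man page describes. The cap on
remembered timestamps (NSTAMPS) is a constructed simplification.
"""
from collections import deque

SECONDS = 3          # --seconds 3
HITCOUNT = 50        # --hitcount 50
NSTAMPS = 64         # constructed cap on timestamps kept per address


class RecentList:
    """One `recent` list (the DEFAULT list both rules share): src ip -> timestamps."""

    def __init__(self, nstamps=NSTAMPS):
        self.table = {}
        self.nstamps = nstamps

    def _touch(self, src, now):
        stamps = self.table.setdefault(src, deque(maxlen=self.nstamps))
        stamps.append(now)

    def set(self, src, now):
        """--set: add the source address (or refresh it) and always match."""
        self._touch(src, now)
        return True

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        """--update --seconds S --hitcount H: match only if the address is listed
        and has at least H packets within the last S seconds. On a match the
        'last seen' timestamp is refreshed, so a source that keeps sending
        while blocked keeps feeding its own hit count."""
        stamps = self.table.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            self._touch(src, now)
            return True
        return False


def input_chain(recent, src, now):
    """Walk the INPUT chain for one new UDP packet from `src` at time `now`.

    Both rules were added with -I, so the DROP rule (inserted last) sits first
    and the --set rule (no -j target, so it never terminates) comes second.
    """
    if recent.update(src, now):
        return "DROP"
    recent.set(src, now)
    return "PASS"  # continues to later rules / the chain policy


def simulate():
    """Run constructed traffic through the chain and return the verdicts."""
    recent = RecentList()
    # Flooder 10.0.0.9: 60 packets in 0.6 s (constructed address and timings).
    flood = [input_chain(recent, "10.0.0.9", i * 0.01) for i in range(60)]
    # Quiet host 10.0.0.5: 10 packets in the same period, tracked separately.
    quiet = [input_chain(recent, "10.0.0.5", i * 0.05) for i in range(10)]
    # One more packet from the flooder while its burst is still inside the window...
    at_2_9s = input_chain(recent, "10.0.0.9", 2.9)
    # ...and one after most of the burst has aged out of the 3-second window.
    at_3_5s = input_chain(recent, "10.0.0.9", 3.5)
    return {"flood": flood, "quiet": quiet, "at_2_9s": at_2_9s, "at_3_5s": at_3_5s}


if __name__ == "__main__":
    r = simulate()
    print("flooder: first DROP at packet", r["flood"].index("DROP") + 1,
          "| dropped:", r["flood"].count("DROP"), "of", len(r["flood"]))
    print("quiet host dropped:", r["quiet"].count("DROP"))
    print("flooder at 2.9 s:", r["at_2_9s"], "| at 3.5 s:", r["at_3_5s"])
```

Running it shows the flooder's first 50 packets passing and the next 10 dropped while the quiet host is untouched; the flooder is still dropped at 2.9 s, when all 60 of its timestamps are inside the window, but passes again at 3.5 s once most of the burst has aged out, which answers the "for how long" part of the question.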

