How to limit the number of requests per minute from one IP with iptables

Posted 2021-11-15 02:44:01 · 57 characters · 648 views · 9 comments

How do I set up a rule so that when an IP makes more than 100 requests per minute, it is automatically blocked for 5 hours?


Comments (9)

清风夜微凉 2021-11-17 12:18:28

You would probably have to write a plugin for this yourself.

瑾夏年华 2021-11-17 12:18:26

Create a set with ipset that has a 5-hour timeout, and have iptables REJECT or DROP that set.

Use the iptables recent module to write the IPs that exceed the limit to the log.

Write a small third-party program that watches the log file with inotify; whenever it sees a log entry for an over-limit IP, add that IP to the ipset set.

够钟 2021-11-17 12:18:26

iptables can't do this. I'd suggest doing it in the application.

深巷少女 2021-11-17 12:18:25

How are you counting "visits"?

Counting packets or new connections is easier. Maybe analyze with the u32 match? That might work. Hooking it up with fail2ban would be much simpler. Or have your web app and iptables work together.

带上头具痛哭 2021-11-17 12:18:25

"Block for 5 hours" doesn't seem doable.

岁吢 2021-11-17 12:18:23

Seems like, maybe, I'm just here to show support...

沙与沫 2021-11-17 12:18:14

Do you really think iptables can do everything?

平定天下 2021-11-17 12:18:06

I doubt iptables is that powerful.

平生欢 2021-11-15 11:51:02

http://www.stearns.org/doc/adaptive-firewalls.v0.1.html

Categorizing attackers with the recent module

We're going to make use of the recent firewall module. We need to make use of this in two ways; first, to identify the IP address of malicious attackers, and second, to punish them in some fashion.

We're going to use the following tests to identify the malicious traffic.

iptables -A INPUT -p tcp -d my.mail.server --dport 25 --tcp-flags ACK ACK \
  -m string --string "rcpt to: decode" --algo bm \
  -j LOG --log-prefix " SID664"
iptables -A INPUT -p tcp -d my.mail.server --dport 25 --tcp-flags ACK ACK \
  -m string --string "rcpt to: decode" --algo bm \
  -m recent --name MAILPROBER --set
iptables -A INPUT -p tcp -d my.mail.server --dport 25 --tcp-flags ACK ACK \
  -m string --string "rcpt to: decode" --algo bm \
  -j REJECT --reject-with tcp-reset
# Note: "--algo bm" is not in the original article; current iptables versions require an --algo argument for -m string.

# "SMTP sendmail 5.6.4 exploit" nocase-ignored arachnids,121 classtype:attempted-admin sid:664

This rule is from the http://www.stearns.org/snort2iptables/ project which provides roughly equivalent iptables firewall rules from the Snort IDS ruleset.

The first two lines of each command identify the malicious traffic. In this case, we have traffic headed for the smtp port on our mail server with the ACK flag set and the phrase "rcpt to: decode" in the packet. The first rule simply logs the traffic to syslog. The second rule is the one that records the source address of this packet in a kernel table called MAILPROBER. The final rule is the only one that actually decides the fate of this packet; the packet is discarded and a tcp reset is sent back to the sender.

The first and third rules are concerned with what to do with this packet. The second rule is solely interested in remembering the attacker's IP address for future punishments. OK, let's punish them:

iptables -A INPUT -m recent --name MAILPROBER -j DROP

This one is placed near the top of the firewall, but after any "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" rules. The rule sees if the source address of a new packet is in the MAILPROBER IP address list in the kernel. If it is, the packet is discarded. Here's the first time we've been able to use someone's past actions to block their future connections.

The above punishment is a little harsh, though. The fact that someone tried an old exploit 3 hours ago doesn't mean that IP address should be blocked from any communication with anyone in our network forever, which is the end result of the above DROP rule. If for no other reason, the attack might have come from a dialup IP address; the next person to acquire that address may simply want to retrieve a web page, and is now blocked because his predecessor was mildly hostile a while back.

Let's tone down the punishment a little:

iptables -A INPUT -m recent --name MAILPROBER --seconds 180 -j DROP

We'll ignore the attacker for 3 minutes, but after that we'll allow more packets in and see if they'll play nice again.

Five hours:

... --seconds 18000 -j DROP
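A worked version of the approach the thread converges on (count new connections per source, then drop that source from a timed ipset), as an added example that is not code from the thread or from the linked article. It assumes iptables with the hashlimit, conntrack and set extensions plus ipset, protects port 80, and uses the names http_ban and HTTP_BAN chosen here; hashlimit stands in for the recent module because recent's --hitcount is capped by its ip_pkt_list_tot module parameter (20 by default), which is below the 100-per-minute threshold in the question.

```shell
#!/bin/sh
# Added example, not from the thread: ban a source for 5 hours once it opens
# more than 100 new TCP connections to port 80 within a minute.
# Assumptions: iptables with hashlimit/conntrack/set extensions, ipset installed,
# rules live in the INPUT chain. http_ban / HTTP_BAN are names chosen here.
# Applying the rules needs root; generating them does not.

PORT=80              # service port to protect (assumption)
RATE="100/minute"    # threshold from the question
BURST=100            # SYNs a source may open before hashlimit-above matches
BAN_SECONDS=18000    # 5 hours, the "--seconds 18000" from the thread
SET_NAME=http_ban    # ipset of banned sources; entries expire on their own

# Emit the rules as text so they can be reviewed or tested before being applied.
# hashlimit is a token bucket: BURST connections are allowed at once, the bucket
# refills at RATE, and once it is empty the source is handed to HTTP_BAN, which
# logs (rate-limited), adds the source to the timed ipset and drops the packet.
# The ipset check is inserted at the top of INPUT so banned sources are dropped
# before any other rule sees them.
build_rules() {
    cat <<EOF
ipset create $SET_NAME hash:ip timeout $BAN_SECONDS -exist
iptables -N HTTP_BAN
iptables -A HTTP_BAN -m limit --limit 6/minute -j LOG --log-prefix "http_ban: "
iptables -A HTTP_BAN -j SET --add-set $SET_NAME src --exist
iptables -A HTTP_BAN -j DROP
iptables -I INPUT 1 -m set --match-set $SET_NAME src -j DROP
iptables -A INPUT -p tcp --dport $PORT --syn -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-above $RATE --hashlimit-burst $BURST --hashlimit-name http$PORT -j HTTP_BAN
EOF
}

# Run every generated rule, stopping at the first failure.
apply_rules() {
    build_rules | sh -e
}

# Lift a ban early, e.g. after a false positive behind a shared NAT address.
unban() {
    ipset del "$SET_NAME" "$1"
}

# Show which sources are banned and how many seconds each has left.
list_banned() {
    ipset list "$SET_NAME"
}

case "${1:-}" in
    show)  build_rules ;;
    apply) apply_rules ;;
    unban) unban "$2" ;;
    list)  list_banned ;;
esac
```

Run `sh ban.sh show` to inspect the rules and `sh ban.sh apply` as root to install them; the 5-hour expiry is handled entirely by the ipset timeout, so no log watcher is needed.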
