I added the following rules to my iptables rules. How can I test whether the maximum number of connections (maximum connections per second) is actually being limited?
#limit number of concurrent connections per source address (xt_connlimit)
iptables -t filter -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8008 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j DROP
#limit rate of NEW connections per source address (xt_recent): record each source, then drop at 25 hits within 2 seconds
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 2 --hitcount 25 -j DROP
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 2 --hitcount 25 -j DROP
iptables -I INPUT -p tcp --dport 8008 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8008 -m state --state NEW -m recent --update --seconds 2 --hitcount 25 -j DROP
This is what the resulting iptables rule set looks like:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: sshprobe side: source mask: 255.255.255.255
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: sshprobe side: source mask: 255.255.255.255
DROP tcp -- anywhere anywhere tcp dpt:8008 state NEW recent: UPDATE seconds: 2 hit_count: 25 name: DEFAULT side: source mask: 255.255.255.255
tcp -- anywhere anywhere tcp dpt:8008 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP tcp -- anywhere anywhere tcp dpt:https state NEW recent: UPDATE seconds: 2 hit_count: 25 name: DEFAULT side: source mask: 255.255.255.255
tcp -- anywhere anywhere tcp dpt:https state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP tcp -- anywhere anywhere tcp dpt:http state NEW recent: UPDATE seconds: 2 hit_count: 25 name: DEFAULT side: source mask: 255.255.255.255
tcp -- anywhere anywhere tcp dpt:http state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP tcp -- anywhere anywhere tcp dpt:8008 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 15
DROP tcp -- anywhere anywhere tcp dpt:https flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 15
DROP tcp -- anywhere anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 15
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:8181
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:8008
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I want to test whether this new policy works.
How can I test it? I tried to check with Apache Bench whether some connections from my local machine are being dropped:
ab -n 10000 -c 9000 http://www.tralev.com/web/main
But from the output I cannot see any connections being dropped:
Failed requests: 82
(Connect: 0, Receive: 0, Length: 82, Exceptions: 0)
(The Length errors are probably due to some dynamic content on the server.)
So how do I fix my iptables setup, or set up a test that shows that the current setup actually limits the number of connections from one IP address to 15 (maximum 15 connections per second)?
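A direct way to exercise rules like the ones in the question, added here as an example and not part of the original post. Two things make ab a poor probe for them: the connlimit rule limits the number of concurrent connections from one source (not connections per second; the recent/hitcount rule is the per-time-window one), and a DROP target discards the SYN silently, so the client's TCP stack just retransmits it with exponential backoff and the request eventually succeeds once earlier connections close. ab therefore reports slower connect times, not failed requests. The script below opens a chosen number of TCP connections at the same moment, holds each one open so they overlap in the server's conntrack table, uses a short connect timeout so a dropped SYN shows up as "timed_out", and tells a silent DROP apart from a REJECT/closed port ("refused"). The hostname, port and counts are arguments you supply; the loopback listener and closed-port helper are constructed here only so the tool can be self-tested offline.

```python
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def open_connections(host, port, count, timeout=3.0, hold=2.0):
    """Open `count` TCP connections to host:port simultaneously, hold each
    one open for `hold` seconds so they are concurrent (what connlimit
    counts), and classify the outcome of every handshake."""
    results = {"connected": 0, "timed_out": 0, "refused": 0, "other": 0}
    lock = threading.Lock()
    barrier = threading.Barrier(count)  # release all SYNs together

    def worker():
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            barrier.wait()
            s.connect((host, port))
            key = "connected"
            time.sleep(hold)  # stay ESTABLISHED while the others connect
        except socket.timeout:
            key = "timed_out"  # no SYN-ACK within `timeout`: SYN was DROPped
        except ConnectionRefusedError:
            key = "refused"    # RST came back: closed port or REJECT target
        except OSError:
            key = "other"
        finally:
            s.close()
        with lock:
            results[key] += 1

    with ThreadPoolExecutor(max_workers=count) as pool:
        for _ in range(count):
            pool.submit(worker)
    return results


def start_local_listener(backlog=128):
    """Constructed self-test target (not a web server): a loopback listener
    that accepts every connection so handshakes complete. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(backlog)
    accepted = []  # keep server-side sockets alive for the test's duration

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            accepted.append(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port():
    """Constructed helper: a loopback port nothing listens on, so connecting
    to it yields the 'refused' outcome (what a REJECT rule looks like)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    # usage: python connprobe.py <host> <port> [count] [hold_seconds]
    host, port = sys.argv[1], int(sys.argv[2])
    count = int(sys.argv[3]) if len(sys.argv) > 3 else 20
    hold = float(sys.argv[4]) if len(sys.argv) > 4 else 5.0
    print(open_connections(host, port, count, hold=hold))
```

Run it from the client against the firewalled host with, for example, 20 connections held for 5 seconds: with the connlimit rule in place, about 15 should report "connected" and the rest "timed_out", since their SYNs never get a SYN-ACK within the 3-second timeout. While it runs, `iptables -L INPUT -v -n` on the server shows the packet counter of the matching DROP rule increasing, which is the cleanest confirmation of which rule fired; the recent/hitcount rules can be checked the same way by raising the count above 25 so more than 25 NEW SYNs arrive inside 2 seconds.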