我有一个configuration为SNMP代理的系统,并将TRAPS发送到其他一些configuration为SNMPpipe理器的远程m / c。现在,从这个SNMP代理我想要使用Linux中存在的IPTABLES实用程序来限制SNMP陷阱。编写一个单独的应用程序来限制SNMP陷阱的SNMPpipe理器,我想不使用OUTPUT链中的IPTABLE规则来实现这个function。 可能吗! 如果是的话,任何人都可以提出产出链的规则。
像这样的东西:
iptables -A OUTPUT -p tcp --dport 161 -m limit --limit 3/min --limit-burst 3 -j ACCEPT iptables -A OUTPUT -p tcp --dport 161 -j DROP iptables -A OUTPUT -p udp --dport 161 -m limit --limit 3/min --limit-burst 3 -j ACCEPT iptables -A OUTPUT -p udp --dport 161 -j DROP 用–limit和–limit-burst值调整,直到你喜欢结果。
从Rusty的显着不可靠的指南( http://www.netfilter.org/documentation/index.html#documentation-howto ):
limit This module must be explicitly specified with `-m limit' or `--match limit'. It is used to restrict the rate of matches, such as for suppressing log messages. It will only match a given number of times per second (by default 3 matches per hour, with a burst of 5). It takes two optional arguments: --limit followed by a number; specifies the maximum average number of matches to allow per second. The number can specify units explicitly, using `/second', `/minute', `/hour' or `/day', or parts of them (so `5/second' is the same as `5/s'). --limit-burst followed by a number, indicating the maximum burst before the above limit kicks in.