如何限制/ 24块的主机节点上每小时的SMTP连接? 例如,我想将其限制为每小时50封电子邮件。
谢谢
iptables支持连接/速率限制。 从iptables手册页:
connlimit允许您限制每个客户端IP地址(或客户端地址块)并行连接到服务器的数量。
[!] --connlimit-above n Match if the number of existing connections is (not) above n. --connlimit-mask prefix_length Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128. Examples: # allow 2 telnet connections per client host iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT # you can also match the other way around: iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT # limit the number of parallel HTTP requests to 16 for the link local network (ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT 限制此模块使用令牌桶filter以有限的速率匹配。 使用此扩展名的规则将匹配,直到达到此限制(除非使用“!”标志)。 例如,它可以与LOG目标组合使用,以提供有限的日志logging。
--limit rate[/second|/minute|/hour|/day] Maximum average matching rate: specified as a number, with an optional '/second', '/minute', '/hour', or '/day' suffix; the default is 3/hour. --limit-burst number Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.