Introduction to hashlimit module in iptables

  
Using hashlimit in iptables to limit the rate
hashlimit is a match module of iptables. Combined with other iptables rules it can implement rate limiting (note that the hashlimit module on its own cannot limit anything). First of all, it must be clear that hashlimit itself is only a "match" module. The basic principle of iptables is "match, then process": hashlimit only plays the matching role in that process and does no processing of the packet itself.
I saw some examples of hashlimit on the Internet saying that only one iptables statement containing the hashlimit matching rule can achieve the speed limit, which is wrong.
In fact, rate limiting with hashlimit always involves two steps:
1. ACCEPT the packets that match the hashlimit rule.
2. DROP (or REJECT) the packets that were not accepted in step 1.
The following is a simple example:

iptables -A INPUT -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit 5/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 90000 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Now let's focus on how the hashlimit module works. The hashlimit match is based on the token bucket model, a common buffering mechanism in network communication. It has two important parameters: the bucket capacity n and the token generation rate s. Think of a token as a ticket and of the bucket as an administrator who makes and issues tickets and can hold at most n of them. Initially the administrator holds n tokens. Whenever a packet arrives, the administrator checks whether a token is available; if so, the token is handed to the packet and hashlimit reports to iptables that the packet matches. Once all tokens have been handed out, arriving packets get no token, and hashlimit reports that the packet does not match. Independently of handing out tokens, whenever the bucket holds fewer than n tokens, new tokens are generated at rate s until the count reaches n again. The token bucket mechanism thus controls how many packets pass (match) per unit of time, while still letting a short burst through (as long as the burst does not exceed the bucket capacity n).

The hashlimit module provides two parameters, --hashlimit and --hashlimit-burst, which correspond to the token generation rate and the bucket capacity, respectively. Besides the token bucket model, the other important concept of hashlimit is the hash-table entry: hashlimit keeps a separate entry, with its own token bucket, for each distinct value of the selected key, and each entry is rate limited independently. The --hashlimit-mode parameter selects which of four keys, or which combination of them, is used:

srcip (each source IP is an entry), dstip (each destination IP is an entry), srcport (each source port is an entry), dstport (each destination port is an entry)

In addition to the three parameters described above, there is one parameter that must always be given when hashlimit is used: --hashlimit-name. For each iptables rule that calls the hashlimit module, hashlimit creates a file under /proc/net/ipt_hashlimit that holds the state of every entry; --hashlimit-name sets the name of that file.

Having covered how hashlimit works and what its parameters mean, let's look at a few examples. The first is the example given earlier:

iptables -A INPUT -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit 5/sec --hashlimit-burst 10 --hashlimit-mode srcip -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Now that the hashlimit parameters are understood, the role of each command is clear. The first creates a separate entry for every distinct source IP that accesses local port 22; each entry has a token bucket of capacity 10 that is refilled at 5 tokens per second, and the packets that match are accepted. The second drops every other packet addressed to local port 22. Together the two commands limit how often other machines can access the local ssh service on port 22.

Now a slightly more complicated rate limit. Suppose we are on a NAT gateway and want to limit how often the internal network segment 192.168.1.2/24 can access the outside (mainly to contain flooding from an infected internal host). We can do it like this:

iptables -N DEFLOOD
iptables -A FORWARD -s 192.168.1.2/24 -m state --state NEW -j DEFLOOD
iptables -A DEFLOOD -m hashlimit --hashlimit-name deflood --hashlimit 10/sec --hashlimit-burst 10 --hashlimit-mode srcip -j ACCEPT
iptables -A DEFLOOD -j DROP

The first command creates a custom chain, DEFLOOD. The second sends every packet from the 192.168.1.2/24 segment that tries to open a new connection into the DEFLOOD chain. The third, inside DEFLOOD, creates an entry for each source IP with a token bucket of capacity 10 refilled at 10 tokens per second, and accepts the packets that match. The fourth drops all other packets in the DEFLOOD chain. hashlimit has a few more parameters, such as --hashlimit-htable-expire, --hashlimit-htable-size and --hashlimit-htable-max; see man iptables for details. This concludes our introduction to the principle and use of the hashlimit module.
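To make the token bucket behaviour and the per-source-IP entries concrete, here is an added Python model of the ssh rule pair above (--hashlimit-mode srcip, --hashlimit 5/sec, --hashlimit-burst 10) run over a constructed packet trace; it is not code from the original article, and the IP addresses, timings and class names are assumptions for illustration.

```python
# Added example (not part of the original article): a model of the hashlimit
# match with --hashlimit-mode srcip, --hashlimit 5/sec and --hashlimit-burst 10.
# IPs, timings and class names are assumptions; the ACCEPT-then-DROP rule pair
# from the article is modelled by the verdict strings.
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    capacity: int                # --hashlimit-burst: at most this many tokens
    rate: float                  # --hashlimit: tokens generated per second
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = float(self.capacity)   # the bucket starts full
        self.last = 0.0

    def take(self, now):
        # Generate tokens at `rate` per second since the last packet, capped at capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1      # hand one token to this packet
            return True
        return False              # bucket empty: no match


class HashLimit:
    """One token bucket per source IP, like --hashlimit-mode srcip."""

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.table = {}           # plays the role of /proc/net/ipt_hashlimit/<name>

    def verdict(self, now, src_ip):
        # An entry is created the first time a source IP is seen.
        bucket = self.table.setdefault(src_ip, TokenBucket(self.burst, self.rate))
        # Rule 1: hashlimit match -> ACCEPT; rule 2: everything else -> DROP.
        return "ACCEPT" if bucket.take(now) else "DROP"


def run_trace(packets, rate_per_sec=5, burst=10):
    """packets: list of (time_in_seconds, src_ip); returns one verdict per packet."""
    hl = HashLimit(rate_per_sec, burst)
    return [hl.verdict(t, ip) for t, ip in packets]


# Constructed trace: 10.0.0.1 sends 15 packets at t=0 and 6 more at t=1.0;
# 10.0.0.2 sends a single packet at t=0 and has its own, unaffected bucket.
TRACE = [(0.0, "10.0.0.1")] * 15 + [(0.0, "10.0.0.2")] + [(1.0, "10.0.0.1")] * 6
```

Running run_trace(TRACE) accepts the first 10 packets of the burst, drops the next 5, accepts the packet from the other host, and one second later accepts exactly 5 more from the first host before dropping again.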

Copyright © Windows knowledge All Rights Reserved