Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Only using IPTABLES, how would you limit requests (pings, for example) from the same Internet host to x number of packets per minute, say 5 for simplicity's sake?
iptables -A INPUT -p ICMP -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
-m limit: This uses the limit iptables extension
--limit 5/minute: This limits the rule to a maximum of 5 connections per minute. Change this value based on your specific requirement
--limit-burst 5: This value indicates that the limit/minute will be enforced only after the total number of connections has reached the limit-burst level.
The above should do the trick!
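As an added illustration (not part of the answer above), the following Python model shows what the `-m limit --limit 5/minute --limit-burst 5` match does to a stream of packets: it is a token bucket that starts full with `limit-burst` tokens and refills one token every 60/rate seconds. The arrival times are constructed sample data; the model follows the documented semantics of the limit match, not kernel code.

```python
"""Token-bucket model of iptables' `-m limit` (added example, constructed input)."""


class LimitMatch:
    """`--limit RATE` refills one token every 60/RATE seconds; `--limit-burst N`
    is the bucket size, and the bucket starts full."""

    def __init__(self, per_minute: float, burst: int):
        self.interval = 60.0 / per_minute   # seconds per token
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def matches(self, now: float) -> bool:
        """True if a packet seen at `now` (seconds) matches the rule (is ACCEPTed)."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) / self.interval)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, per_minute=5, burst=5):
    """Run the match over packet arrival times; returns [(t, matched), ...]."""
    m = LimitMatch(per_minute, burst)
    return [(t, m.matches(t)) for t in arrivals]


# Constructed sample: a 1-packet-per-second ping flood for 10 s from one host,
# then two more packets after the bucket has had time to refill.
SAMPLE_ARRIVALS = [float(t) for t in range(10)] + [30.0, 60.0]

if __name__ == "__main__":
    for t, ok in simulate(SAMPLE_ARRIVALS):
        print(f"t={t:5.1f}s  {'ACCEPT (matched)' if ok else 'no match -> next rule'}")
```

Two things the model makes visible: packets that do not match simply continue to the next rule, so the ACCEPT rule only limits anything if a later rule drops ICMP; and `-m limit` keeps a single bucket for the whole rule rather than one per source host, which is what `-m hashlimit` provides.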
Closed 8 months ago.
I'm building a system where I have 1 million open connections open at the same time, and some of them reconnect but the thread still waits for the deadline.
ulimit -n 999999 is the maximum I can get; everything over it will give an error message
-bash: ulimit: open files: cannot modify limit: Operation not permitted
How can I set this higher? Why is there even a limit?
Start by setting this in sysctl:
# sysctl -w fs.nr_open=1000000000
Then you can set the ulimit
# ulimit -n 1000000000
This will give you 1000000000 as your ulimit:
# ulimit -n
1000000000
1000000000 is the highest I could get it to go.
Closed 4 years ago.
I came across a rule:
iptables -A INPUT -p tcp -s 17.3.3.5/24 -d 0/0 --dport 22 -j DROP
and I was just wondering if someone could explain what this rule is doing. More importantly, I would like to know what the
-d 0/0
part means in the whole rule (I know it's the destination specification, so the 0/0 part should be an IP address, but why is it 0/0?).
I'm speculating that the rule is dropping that one source address when it arrives at destination port 22, but I'm not sure.
If someone could explain, that would be great.
Couldn't find an answer when searching the interwebs :C
Just like -s 17.3.3.5/24 means any source within the CIDR block 17.3.3.5/24, -d 0/0 means any destination within the CIDR block 0.0.0.0/0. Since there are no bits in the network number, every address is inside this network. So it means any destination at all.
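To make the answer concrete, here is an added example (not from the question or answer) that parses the two address specs the way iptables does and evaluates the rule's match clauses against a few constructed packets; it uses Python's ipaddress module, and the packet tuples are made-up sample data.

```python
"""How iptables reads `-s 17.3.3.5/24 -d 0/0 --dport 22` (added example)."""
import ipaddress


def parse_net(spec: str) -> ipaddress.IPv4Network:
    """Parse an address/prefix the way iptables does: a bare address is a /32,
    shorthand like '0/0' pads the missing octets, and host bits in the address
    are masked off ('17.3.3.5/24' is really the network 17.3.3.0/24)."""
    addr, _, plen = spec.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # '0' -> '0.0.0.0'
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def rule_matches(src: str, dst: str, dport: int, proto: str = "tcp") -> bool:
    """Emulates the match part of:
    iptables -A INPUT -p tcp -s 17.3.3.5/24 -d 0/0 --dport 22 -j DROP
    Every clause must hold for the packet to be dropped."""
    return (proto == "tcp"
            and ipaddress.IPv4Address(src) in parse_net("17.3.3.5/24")
            and ipaddress.IPv4Address(dst) in parse_net("0/0")   # any destination
            and dport == 22)


# Constructed sample packets: (source, destination, destination port, protocol)
SAMPLE_PACKETS = [
    ("17.3.3.5",   "192.0.2.10",   22, "tcp"),   # the literal source address
    ("17.3.3.200", "198.51.100.7", 22, "tcp"),   # another host in 17.3.3.0/24
    ("17.3.4.1",   "192.0.2.10",   22, "tcp"),   # outside the /24
    ("17.3.3.9",   "192.0.2.10",   80, "tcp"),   # same subnet, not port 22
    ("17.3.3.9",   "192.0.2.10",   22, "udp"),   # not TCP
]

if __name__ == "__main__":
    print("-s 17.3.3.5/24 is the network", parse_net("17.3.3.5/24"))
    print("-d 0/0 covers", parse_net("0/0").num_addresses, "addresses")
    for src, dst, port, proto in SAMPLE_PACKETS:
        verdict = "DROP" if rule_matches(src, dst, port, proto) else "no match"
        print(f"{proto} {src} -> {dst}:{port}: {verdict}")
```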
Closed 6 years ago.
I found this iptables rule in some project I am working on:
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
What does this rule mean? How does it make the network more secure?
It could be translated as "Drop every incoming segment that initializes a new TCP connection and where the SYN control bit is not set among FIN,SYN,RST,ACK." (see here).
A TCP segment used to initialize a connection should have the SYN control bit set, so that rule is there to ensure that. Also, I think this rule avoids the use of different port scan techniques involving segments without the SYN control bit set, like ACK scan. It silently drops the segment instead of sending an RST segment that could give information to a potential attacker.
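As an added example (not part of the answer), the following Python model evaluates the rule against a set of constructed TCP segments. It encodes the `--tcp-flags MASK COMP` semantics (only the bits in MASK are examined, and exactly COMP must be set among them), the leading `!`, and the `--state NEW` restriction as a conntrack state tag on each sample segment.

```python
"""Which segments `-p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP`
drops, modelled on a TCP flags byte plus a conntrack state (added example)."""
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def tcp_flags_match(flags: int, mask: int, comp: int) -> bool:
    """--tcp-flags MASK COMP: look only at the bits in MASK and require
    exactly the bits in COMP to be set among them."""
    return (flags & mask) == comp


def rule_drops(flags: int, ctstate: str) -> bool:
    """The leading `!` negates the flag test; `--state NEW` restricts the rule to
    segments conntrack does not associate with an existing connection."""
    mask = FIN | SYN | RST | ACK
    return ctstate == "NEW" and not tcp_flags_match(flags, mask, SYN)


# Constructed sample segments: (description, TCP flags, conntrack state)
SAMPLE_SEGMENTS = [
    ("plain SYN handshake start",           SYN,             "NEW"),
    ("SYN with ECN bits (RFC 3168)",        SYN | ECE | CWR, "NEW"),
    ("SYN/ACK with no SYN seen before",     SYN | ACK,       "NEW"),
    ("bare ACK to a port (ACK scan style)", ACK,             "NEW"),
    ("FIN with no connection",              FIN,             "NEW"),
    ("no flags at all",                     0,               "NEW"),
    ("ACK inside an existing session",      ACK,             "ESTABLISHED"),
    ("data segment in existing session",    PSH | ACK,       "ESTABLISHED"),
]

if __name__ == "__main__":
    for desc, flags, state in SAMPLE_SEGMENTS:
        verdict = "DROP" if rule_drops(flags, state) else "pass to next rule"
        print(f"{desc:38s} flags=0x{flags:02x} {state:11s} -> {verdict}")
```

Note that the mask deliberately leaves ECE and CWR out, so an ECN-negotiating SYN still passes; an ESTABLISHED segment never hits this rule regardless of its flags.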
Closed 9 years ago.
I just figured out that ping on a Linux platform (Ubuntu 13.10) does not time out as described. I tried
ping -w 2 unreachable.com
and
ping -W 2 unreachable.com
but in neither case was there a timeout after 2 seconds. How can I use ping with a definite timeout? Is that possible at all? I want the command to stop after 2 seconds, regardless of any connection status.
ping -c 5 -W 2 will send out 5 pings, waiting 2 seconds max for each of them (a total max of 10 seconds).
ping -w 5 will send out pings, but will stop after 5 seconds.
You have to be careful with name resolution: if you use a name instead of an IP address, the resolution of the name does not count into these timeouts & waits (pinging and time measurements start only after the name resolution has finished). If you use DNS, you can set DNS timeouts in /etc/resolv.conf - see its man page.
Are you misinterpreting the flag? If I understand correctly:
The -W flag will specify how long to wait for a reply. By setting -W 2, according to the man page:
Time to wait for a response, in seconds. The option affects only timeout in absense of any responses, otherwise ping waits for two RTTs
So running it like you have and waiting for 2 seconds doesn't actually let you know if it has given up waiting for the response or not.
Closed 9 years ago.
When I try to open the max number of simultaneous socket connections using epoll, it gets stuck at 1024. After this it gives a "Too many files open" error. I know that this is not the limit. I tried to change the nofile parameter value in /etc/security/limits.conf but I only have read-only permissions there. Is there any method to increase the number of file descriptors opened simultaneously?
The answer is in the documentation for ulimit, which governs this and other limits.
See e.g. Why is the number of open files limited in linux
This gives you an answer, you can try setting ulimit -n.
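Both this question and the earlier fs.nr_open / ulimit answer on this page come down to the same per-process RLIMIT_NOFILE pair: a soft limit (the 1024 the epoll program hits) and a hard limit that the shell's `ulimit -n` cannot exceed without privilege. As an added example (not from either answer), the Python below raises a process's own soft limit up to its hard limit using the standard `resource` module, and shows that asking for more than the hard limit is refused, which is the "Operation not permitted" seen above. The target value of 1,000,000 is a constructed choice.

```python
"""Raise the per-process open-files soft limit toward the hard limit (added example)."""
import resource

INFINITY = resource.RLIM_INFINITY


def raise_nofile_soft_limit(target: int) -> tuple:
    """Raise the soft RLIMIT_NOFILE toward `target`, capped at the hard limit.
    Only the hard limit needs root, limits.conf or fs.nr_open to move; a plain
    process may always lift its soft limit up to the hard one. Returns (soft, hard)."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    cap = target if hard == INFINITY else min(target, hard)
    if cap > soft:
        resource.setrlimit(resource.RLIMIT_NOFILE, (cap, hard))
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def soft_limit_settable(value: int) -> bool:
    """Report whether the soft limit can be set to `value` without touching the
    hard limit; values above the hard limit are refused. Restores the old value."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    try:
        resource.setrlimit(resource.RLIMIT_NOFILE, (value, hard))
    except (ValueError, OSError):          # above hard limit / EPERM
        return False
    resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
    return True


if __name__ == "__main__":
    before = resource.getrlimit(resource.RLIMIT_NOFILE)
    after = raise_nofile_soft_limit(1_000_000)      # constructed target value
    print("before (soft, hard):", before)
    print("after  (soft, hard):", after)
    if after[1] != INFINITY:
        print("can exceed hard limit without privilege:", soft_limit_settable(after[1] + 1))
```

A server that expects many sockets should do this at startup (or set the soft limit in its service manager), since the 1024 default is per process and independent of what the system as a whole allows.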