iptables限速

####限速

限制指定时间包的允许通过数量及并发数
-m limit --limit n/{second/minute/hour}:
指定时间内的请求速率"n"为速率，后面为时间分别为：秒、分、时
--limit-burst [n]：
在同一时间内允许通过的请求"n"为数字,不指定默认为5
[root@nginx01 ~]# iptables -I INPUT -s 10.0.1.0/24 -p icmp --icmp-type 8 -m limit --limit 5/min --limit-burst 2 -j ACCEPT

####允许IDC LAN/WAN和办公网IP的访问,及对外合作机构访问

iptables -A INPUT -s 124.43.62.96/27 -p all -j ACCEPT ç办公室固定IP段。
iptables -A INPUT -s 192.168.1.0/24 -p all -j ACCEPT çIDC机房的内网网段。
iptables -A INPUT -s 10.0.0.0/24 -p all -j ACCEPT ß其他机房的内网网段。
iptables -A INPUT -s 203.83.24.0/24 -p all -j ACCEPT ßIDC机房的外网网段
iptables -A INPUT -s 201.82.34.0/24 -p all -j ACCEPT ß其它IDC机房的外网网段

####允许关联的状态包

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEP
nmap 10.0.0.5 -p 1-65535
[root@web02 ~]# nmap 10.0.0.5 -p 1-1000

Starting Nmap 5.51 ( http://nmap.org ) at 2016-07-24 22:41 CST
Nmap scan report for 10.0.0.5
Host is up (0.00019s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
443/tcp closed https
MAC Address: 00:0C:29:89:7C:16 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 11.16 seconds
[root@web02 ~]#

[root@lb01 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Sun Sep 25 12:51:44 2016
*filter
:INPUT DROP [18:1404]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [54:6616]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Sun Sep 25 12:51:44 2016
[root@lb01 ~]#