The iptables recent module works well against CC (HTTP flood) attacks. While adjusting the number of packets tracked per IP (the --hitcount value), I ran into the following errors:
iptables: Unknown error 18446744073709551615
iptables: Unknown error 18446744073709551615
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
Check that the recent module is loaded normally:
lsmod | grep recent
ipt_recent 42969 3
x_tables 50505 7 ipt_recent,xt_state,ip_tables,ipt_LOG,ipt_REJECT,xt_tcpudp,ip6_tables
Check the recent module's information:
modinfo ipt_recent
filename: /lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/netfilter/ipt_recent.ko
license: GPL
description: IP tables recently seen matching module
author: Patrick McHardy <kaber@trash.net>
srcversion: 9847889C4459A1E24A45527
depends: x_tables
vermagic: 2.6.18-274.17.1.el5 SMP mod_unload gcc-4.1
parm: ip_list_tot:number of IPs to remember per list (uint)
parm: ip_pkt_list_tot:number of packets per IP to remember (max. 255) (uint)
parm: ip_list_hash_size:size of hash table used to look up IPs (uint)
parm: ip_list_perms:permissions on /proc/net/ipt_recent/* files (uint)
module_sig: 883f3504fcc2b231298695ef90fd4f112a58709f465f6d2b473f085774c22f4a44af8d9d414232609f77c48b61f17dd712e95188f337230fc3ef7a243
So the maximum number of tracked IPs and the number of packets remembered per IP are both adjustable module parameters. Set the maximum tracked packets per IP to 100 (the options line must name the module, ipt_recent, before the parameter):
cat >> /etc/modprobe.conf <<EOF
options ipt_recent ip_pkt_list_tot=100
EOF
Reload the recent module (the rules must be flushed first, otherwise the module is in use and cannot be removed):
/etc/init.d/iptables stop
modprobe -r ipt_recent
modprobe ipt_recent
/etc/init.d/iptables start
Adjust the hitcount again and everything works normally.
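As an added example (not from the original post), the check I would put in front of such a rule: read the loaded module's ip_pkt_list_tot, refuse to add a recent rule whose --hitcount exceeds it, and print the modprobe.conf line that would fix it. It assumes the parameter is exposed under /sys/module/ipt_recent/parameters/ and that the module default is 20; the rule names (chain, port, list name "cc") are illustrative.

```shell
#!/bin/sh
# Added example: guard iptables recent rules against the hitcount limit.
# A --hitcount larger than the module's ip_pkt_list_tot is what produces the
# "Unknown error 18446744073709551615 / 4294967295" messages above.
# Assumption: the kernel exposes the parameter in sysfs at this path.
PARAM_FILE="${PARAM_FILE:-/sys/module/ipt_recent/parameters/ip_pkt_list_tot}"

# Print the loaded limit; fall back to 20 (module default) when the module
# is not loaded or the file is not readable. Usage: current_limit [file]
current_limit() {
    f="${1:-$PARAM_FILE}"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo 20
    fi
}

# Return 0 if HITCOUNT is a number within 1..LIMIT, 1 otherwise.
# Usage: hitcount_ok HITCOUNT [LIMIT]   (LIMIT defaults to current_limit)
hitcount_ok() {
    hc="$1"
    limit="${2:-$(current_limit)}"
    case "$hc" in ''|*[!0-9]*) return 1 ;; esac
    [ "$hc" -ge 1 ] && [ "$hc" -le "$limit" ]
}

# Print the modprobe.conf line that allows HITCOUNT, clamped to the
# documented maximum of 255. Usage: modprobe_line HITCOUNT
modprobe_line() {
    hc="$1"
    [ "$hc" -gt 255 ] && hc=255
    echo "options ipt_recent ip_pkt_list_tot=$hc"
}

# Add the per-IP flood rule only when the module can track that many packets.
# Usage: add_cc_rule PORT HITCOUNT SECONDS
add_cc_rule() {
    port="$1"; hc="$2"; secs="$3"
    if ! hitcount_ok "$hc"; then
        echo "hitcount $hc exceeds ip_pkt_list_tot=$(current_limit); add to modprobe.conf:" >&2
        modprobe_line "$hc" >&2
        return 1
    fi
    iptables -A INPUT -p tcp --dport "$port" -m recent --name cc --update \
        --seconds "$secs" --hitcount "$hc" -j DROP
    iptables -A INPUT -p tcp --dport "$port" -m recent --name cc --set -j ACCEPT
}
```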