Re: How to drop excess connections?
On 06.01.14 1707 (+0400), dimas wrote:
> just add something like this to plain old iptables:
> -A INPUT -s 1.2.3.4 -i eth0 -p tcp -m tcp --dport 1111 -j REJECT --reject-with icmp-port-unreachable
> the port is the one it actually listens on. you can also leave it out, then it will bounce
> all connections.
> though writing a line for every wannabe, you'd run out of lifetime.
Package: ipset
[...]
Description-en: administration tool for kernel IP sets
IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel which can be
administered by the ipset(8) utility. Depending on the type, currently an
IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with
MAC addresses in a way which ensures lightning speed when matching an
entry against a set.
.
If you want to
.
* store multiple IP addresses or port numbers and match against the
entire collection using a single iptables rule.
* dynamically update iptables rules against IP addresses or ports without
performance penalty.
* express complex IP address and ports based rulesets with a single
iptables rule and benefit from the speed of IP sets.
.
then IP sets may be the proper tool for you.
Homepage: http://ipset.netfilter.org/
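Putting the two replies together, as an added example that is not part of the original thread and not code from the ipset project: a small POSIX sh script that turns a plain list of addresses into an `ipset restore` file and emits the single iptables rule that replaces dimas's one-REJECT-line-per-address approach. The set name `badguys` and the sample addresses are made up here; the interface and port are the ones from the quoted rule. Without `APPLY=1` it only prints what it would load.

```shell
#!/bin/sh
# Added example (not from the original thread or the ipset project): build an
# ipset block list so that ONE iptables rule replaces a REJECT line per address.
# Assumed names: set "badguys" (made up), interface eth0 and port 1111 (taken
# from the quoted rule). Run with APPLY=1 as root to actually load it.

SET_NAME="${SET_NAME:-badguys}"
IFACE="${IFACE:-eth0}"
DPORT="${DPORT:-1111}"

# Return 0 if $1 is a plausible dotted-quad IPv4 address, 1 otherwise.
# Garbage in a block list would make "ipset restore" abort halfway.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    IFS=.
    set -- $1
    unset IFS
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "${#oct}" -le 3 ] && [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Emit an "ipset restore" script for the addresses read from stdin (one per
# line). Blank lines, '#' comments and malformed entries are skipped; the
# "-exist" option on restore makes repeated loads of the same list harmless.
build_restore() {
    printf 'create %s hash:ip family inet\n' "$SET_NAME"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -n "$line" ] || continue
        if is_ipv4 "$line"; then
            printf 'add %s %s\n' "$SET_NAME" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# The single rule (iptables-save syntax) that matches the whole set at once.
# $1 is the iptables verb: -A to append, -C to check whether it already exists.
block_rule() {
    printf -- '%s INPUT -i %s -p tcp -m tcp --dport %s -m set --match-set %s src -j REJECT --reject-with icmp-port-unreachable\n' \
        "${1:--A}" "$IFACE" "$DPORT" "$SET_NAME"
}

# Constructed sample list for the demo (documentation-range addresses, not
# anybody's real hosts). Note the comment, the junk line and the duplicate.
SAMPLE='198.51.100.7
203.0.113.42   # repeat offender
not-an-address
198.51.100.7
'

main() {
    if [ "${APPLY:-0}" = 1 ]; then
        # Real run: needs root plus the ipset and iptables binaries.
        printf '%s' "$SAMPLE" | build_restore | ipset restore -exist
        # Add the rule only if it is not already present (-C returns non-zero if absent).
        iptables $(block_rule -C) 2>/dev/null || iptables $(block_rule -A)
    else
        echo '# ipset restore script (dry run):'
        printf '%s' "$SAMPLE" | build_restore
        echo '# iptables rule (iptables-save syntax):'
        block_rule -A
    fi
}
main
```

Membership is then changed with `ipset add badguys 10.0.0.1` / `ipset del badguys 10.0.0.1` while the iptables rule stays untouched, which is the "dynamically update ... without performance penalty" point from the package description.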