Então, resolvi experimentar algo de mais baixo nível: o iptables.
As regras para limitar a 4 conexões simultâneas o acesso às portas 80 e 443 são:
iptables -A INPUT -p tcp --syn --dport 80 \
-m connlimit --connlimit-above 4 --connlimit-mask 32 \
-j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --syn --dport 443 \
-m connlimit --connlimit-above 4 --connlimit-mask 32 \
-j REJECT --reject-with tcp-reset
iptables -A INPUT -s 10.128.0.0/16 -p tcp --syn --dport 80 \
-m connlimit --connlimit-above 4 --connlimit-mask 32 \
-j REJECT --reject-with tcp-reset
iptables -A INPUT -s 10.128.0.0/16 -p tcp --syn --dport 443 \
-m connlimit --connlimit-above 4 --connlimit-mask 32 \
-j REJECT --reject-with tcp-reset
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.128.0.0/16 anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn/32 > 4
ACCEPT tcp -- 10.128.0.0/16 anywhere tcp dpt:https flags:FIN,SYN,RST,ACK/SYN #conn/32 > 4
REJECT tcp -- anywhere anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn/32 > 4 reject-with tcp-reset
REJECT tcp -- anywhere anywhere tcp dpt:https flags:FIN,SYN,RST,ACK/SYN #conn/32 > 4 reject-with tcp-reset
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
netstat -anpt | grep httpd | awk '{print $5}' | \
cut -d: -f4 | sort | uniq -c | sort -nr
Nenhum comentário:
Postar um comentário