2.6 Other filtering possibilities
- mac: check the source MAC address
- limit: put a limit on the use of a rule (max 3h)
  - limit the number of packets logged per second:
    iptables -A FORWARD -m limit --limit 3/s -j LOG
  - limit the number of SYN packets per second:
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
  - limit the efficiency of port scanners
  - limit the number of ICMP echo-request queries per second
- owner: match a packet created locally
  - filter by uid, gid, pid, sid
  - owner can only be applied to the OUTPUT chain
  - some packets have no owner: ICMP replies ...
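The limit match above is a token bucket: the bucket holds `--limit-burst` tokens (iptables defaults to 5), refills at the `--limit` rate, and the rule matches only while a token is available. The following simplified model, an added example that is not part of the HSC slides, replays constructed SYN and LOG-candidate timestamps through that bucket; it assumes the slide's SYN ACCEPT rule is followed by a DROP rule for the excess, since the ACCEPT rule alone only decides the fate of packets it matches.

```python
"""Simplified model of the iptables `-m limit` token bucket.
Added example, not code from the HSC course; timestamps below are constructed."""


class LimitMatch:
    """Model of `-m limit --limit <rate>/s --limit-burst <burst>`.

    Tokens are kept in milli-tokens (integers) to avoid float drift:
    rate_per_s * elapsed_ms gives the refill in milli-tokens.
    """

    def __init__(self, rate_per_s: int, burst: int = 5):
        self.rate = rate_per_s
        self.capacity = burst * 1000   # bucket size in milli-tokens
        self.tokens = self.capacity    # the bucket starts full
        self.last_ms = 0

    def matches(self, now_ms: int) -> bool:
        # refill in proportion to elapsed time, never above the burst size
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:        # one whole token available
            self.tokens -= 1000
            return True
        return False


def syn_verdicts(timestamps_ms, rate_per_s=1, burst=5):
    """Assumed two-rule chain (the slide shows only the first rule):
       -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
       -A FORWARD -p tcp --syn -j DROP
    Returns the verdict for each SYN packet in arrival order."""
    lim = LimitMatch(rate_per_s, burst)
    return ["ACCEPT" if lim.matches(t) else "DROP" for t in timestamps_ms]


def count_logged(timestamps_ms, rate_per_s=3, burst=5):
    """How many packets `-m limit --limit 3/s -j LOG` would actually log."""
    lim = LimitMatch(rate_per_s, burst)
    return sum(1 for t in timestamps_ms if lim.matches(t))


if __name__ == "__main__":
    # constructed SYN flood: 8 packets within 70 ms, then a few spaced ones
    syn_times = [0, 10, 20, 30, 40, 50, 60, 70, 1000, 1500, 2000, 9000]
    print(syn_verdicts(syn_times))
    # constructed steady stream: 20 packets, one every 100 ms
    print(count_logged(list(range(0, 2000, 100))))
```

Only the first five SYNs of the burst pass; the rest are dropped until the bucket has refilled, and a steady 10 packets/s stream is logged at roughly the 3/s ceiling.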
© Hervé Schauer Consultants 2000 - 4 bis, rue de la gare - 92300 Levallois-Perret
Phone: +33 141 409 700 - Fax: +33 141 409 709 - Email: <secretariat@hsc.fr>