Category: LINUX

2014-11-28 12:02:31

connbytes
        Match by how many bytes or packets a connection (or one of the two flows constituting the connection) have transferred so far, or by average bytes per packet. The counters are 64bit and are thus not expected to overflow ;)
        The primary use is to detect long-lived downloads and mark them to be scheduled using a lower priority band in traffic control. The transferred bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink

       [!] --connbytes from:[to]
              match packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO bytes/packets. If TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.
       --connbytes-dir [original|reply|both]
              which packets to consider
       --connbytes-mode [packets|bytes|avgpkt]
              whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example HTTP), the average packet size will be about half of the actual data packets.

       Example:
       iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...

Verification:

Take only the first 5 packets of a connection:

iptables -t mangle -A FORWARD -m connbytes --connbytes 5: --connbytes-dir both --connbytes-mode packets -j DROP

Or:

iptables -t mangle -A FORWARD -m connbytes --connbytes 0:5 --connbytes-dir both --connbytes-mode packets -j ACCEPT

Both of the above commands can be used to obtain the first N packets of a connection.
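The following Python model, added here and not part of the original post or of iptables itself, emulates how the connbytes match selects a counter (--connbytes-dir, --connbytes-mode) and tests it against from:[to], so the man-page text above and the two verification rules can be checked against constructed conntrack counters. It assumes inclusive bounds, which is how the kernel's xt_connbytes comparison behaves, and an omitted TO meaning "no upper bound"; the HTTP-like flow sizes are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class FlowCounters:
    """Per-direction conntrack accounting (constructed sample values)."""
    packets: int
    bytes: int


def connbytes_value(orig, reply, direction, mode):
    """Select the quantity that --connbytes-dir / --connbytes-mode would inspect."""
    flows = {"original": [orig], "reply": [reply], "both": [orig, reply]}[direction]
    pkts = sum(f.packets for f in flows)
    byts = sum(f.bytes for f in flows)
    if mode == "packets":
        return pkts
    if mode == "bytes":
        return byts
    if mode == "avgpkt":
        # average size of all packets seen so far; 0 before the first packet
        return byts // pkts if pkts else 0
    raise ValueError(f"unknown mode {mode!r}")


def connbytes_match(orig, reply, frm, to=None, direction="both", mode="bytes", invert=False):
    """Emulate `[!] --connbytes frm:[to]` (assumption: inclusive bounds)."""
    what = connbytes_value(orig, reply, direction, mode)
    upper = (1 << 64) - 1 if to is None else to  # omitted TO: only FROM is checked
    inside = frm <= what <= upper
    return (not inside) if invert else inside


# Constructed HTTP-like connection: the client sends small ACKs (original
# direction) while the server sends full-size data segments (reply direction).
CLIENT = FlowCounters(packets=10, bytes=10 * 60)
SERVER = FlowCounters(packets=10, bytes=10 * 1460)


def demo():
    """Show the avgpkt/both caveat from the man page and the two rules above."""
    return {
        # true data-packet size when only the reply flow is averaged
        "avgpkt_reply": connbytes_value(CLIENT, SERVER, "reply", "avgpkt"),
        # roughly half of that once the tiny ACKs are folded in with dir=both
        "avgpkt_both": connbytes_value(CLIENT, SERVER, "both", "avgpkt"),
        # `--connbytes 5: --connbytes-mode packets -j DROP` on a 20-packet connection
        "drop_rule_hits": connbytes_match(CLIENT, SERVER, 5, None, "both", "packets"),
        # the man-page example: 10000:100000 bytes flags a long-lived transfer
        "long_download": connbytes_match(CLIENT, SERVER, 10000, 100000, "both", "bytes"),
    }
```

Running demo() shows avgpkt of 1460 on the reply flow but 760 with both directions, which is the halving the man page warns about.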
