1. Accept incoming TCP connections to ssh (port 22), rate limited per host to 30 connections per minute, allowing a burst of 5 connections. 2. Log the accepted ssh connections.
The first rule in the input chain is usually:
ct state established,related counter accept
So it is enough to add the following rule:
ct state new tcp dport 22 limit rate 30/minute burst 35 packets log prefix "[nft accept ssh] " counter accept
Putting it all together:
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related counter accept
        ct state new tcp dport 22 limit rate 30/minute burst 35 packets log prefix "[nft accept ssh] " counter accept
    }
}
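The log prefix in the rule makes the accepted connections easy to pick out of the kernel log, and since a bare limit statement keeps one token bucket shared by all sources, it is worth accounting per source address afterwards to see who is consuming the budget. The script below is an added example, not part of the original post: it parses constructed kernel log lines carrying the "[nft accept ssh] " prefix, counts accepted connections per source, and flags any source whose accepted connections inside a 60-second window exceed the 30/minute rate of the rule (the log line layout and addresses are assumed, not taken from a real host).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Kernel log lines carrying the prefix set by the rule ("[nft accept ssh] ").
# Syslog timestamps omit the year; strptime fills in 1900, fine for relative arithmetic.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: \[nft accept ssh\] "
    r".*\bSRC=(?P<src>\S+)"
)

# Constructed sample lines (not real traffic); the third has a different prefix and is ignored.
SAMPLE_LINES = [
    "Jan 10 12:00:01 gw kernel: [nft accept ssh] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=22 SYN",
    "Jan 10 12:00:09 gw kernel: [nft accept ssh] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51240 DPT=22 SYN",
    "Jan 10 12:00:12 gw kernel: [nft drop] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=23 SYN",
    "Jan 10 12:00:30 gw kernel: [nft accept ssh] IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.2 PROTO=TCP SPT=60001 DPT=22 SYN",
]

def parse_line(line):
    """Return (timestamp, source address) for an accepted-ssh log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("src")

def accepted_per_source(lines):
    """Count accepted ssh connection attempts per source address."""
    counts = Counter()
    for parsed in filter(None, map(parse_line, lines)):
        counts[parsed[1]] += 1
    return counts

def sources_over_rate(lines, limit=30, window_seconds=60):
    """Return {source: peak} for sources with more than `limit` accepted connections
    inside any sliding window of window_seconds (30/minute mirrors the rule's rate)."""
    stamps_by_src = defaultdict(list)
    for ts, src in filter(None, map(parse_line, lines)):
        stamps_by_src[src].append(ts)
    flagged = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[src] = peak
    return flagged
```

Feed it `journalctl -k` or `dmesg` output line by line; lowering `limit` (as the test does) shows which sources would have exhausted a per-source budget of that size.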