iptables command

i need set limit perconnection to my server by iptables
i try:
[root@host ~]#  iptables -t nat -A PREROUTING -i $EXT_IFACE eth0 -p tcp -syn -d $DEST_IP -m iplimit --iplimit -above 16 -j DROP
but iptables say error:
Bad argument `iplimit'
Try `iptables -h' or 'iptables --help' for more information.
how to good command for limit connection to server
Who is Participating?
Gabriel OrozcoSolution ArchitectCommented:

if you read the patch-o-matic howto, you'll see you need to download and install a newer iptables, along with the process of downloading the patch, apply to a kernel source, and then compile and install the new kernel.

if that is too much for you to do at current state, then maybe you need to give a re-read to my first post where are the links to iproute2 commands that can be of help.

these come already with all linux distributions nowadays
Gabriel OrozcoSolution ArchitectCommented:
as you can see here

iplimit is not already implemented on the mayority of kernels. you should patch a kernel so you can have this math in iptables (it also requires you an up-to-date iptables)

here you have some info in how to compile extensions for iptables:

howver, I'm seeing that debian has this patch, so maybe you need to load the module in order to use it:
modprobe ipt_iplimit

if you get an error modprobing the module, then you do not have iplimit compiled in the kernel. if you get nothing but the command line again, then try your rule again =)
# somthing like:
iptables -I FORWARD -p tcp --dport 80 -d IP   --syn -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d IP ! --syn -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d IP   --syn -j DROP
# allows an average of 1 syn/sec and max. 5 syns in a burst.
Cloud Class® Course: Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

likeinfoAuthor Commented:
iptables -I FORWARD -p tcp --dport 80 -d IP   --syn -m dst                                                                             limit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables v1.2.11: Couldn't load match `dstlimit':/lib/iptables/libipt_dstlimit.s                                                                             o: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
Gabriel OrozcoSolution ArchitectCommented:
try with haslimit insetad dstlimit, since is deprecated:

of course, your linux distribution should have patch-o-match included (this includes a patched kernel) so you need to try and check if it works

if not, then add the patch-o-matic (need to read the documentation):
likeinfoAuthor Commented:
i'm running iptables v1.2.8
how can i fix for use this command?
Gabriel OrozcoSolution ArchitectCommented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.