iptables command
likeinfo asked:
hello,
I need to set a per-connection limit on my server with iptables.
I tried:
[root@host ~]# iptables -t nat -A PREROUTING -i $EXT_IFACE eth0 -p tcp -syn -d $DEST_IP -m iplimit --iplimit -above 16 -j DROP
but iptables reports an error:
Bad argument `iplimit'
Try `iptables -h' or 'iptables --help' for more information.
What is the correct command to limit connections to the server?
# something like:
iptables -I FORWARD -p tcp --dport 80 -d IP --syn -m dstlimit --dstlimit-mode srcip-dstip-dstport --dstlimit 1/sec -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d IP ! --syn -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d IP --syn -j DROP
# allows an average of 1 syn/sec and max. 5 syns in a burst.
ASKER
error:
iptables -I FORWARD -p tcp --dport 80 -d IP --syn -m dstlimit --dstlimit-mode srcip-dstip-dstport --dstlimit 1/sec -j ACCEPT
iptables v1.2.11: Couldn't load match `dstlimit':/lib/iptables/libipt_dstlimit.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Try hashlimit instead of dstlimit, since dstlimit is deprecated:
http://www.netfilter.org/patch-o-matic/pom-obsolete.html
Of course, your Linux distribution should have patch-o-matic included (this includes a patched kernel), so you need to try it and check whether it works.
If not, then add patch-o-matic (you need to read the documentation):
http://www.netfilter.org/patch-o-matic/
ASKER
I'm running iptables v1.2.8.
How can I fix this so I can use this command?
ASKER CERTIFIED SOLUTION
thanks
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.5
iplimit is not yet implemented in the majority of kernels. You have to patch the kernel to get this match in iptables (it also requires an up-to-date iptables).
Here is some info on how to compile extensions for iptables:
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html
However, I see that Debian has this patch, so maybe you only need to load the module in order to use it:
modprobe ipt_iplimit
If modprobe gives an error, then you do not have iplimit compiled into the kernel. If you get nothing but the command prompt back, then try your rule again =)
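For a current kernel the two modules the thread chases are already in mainline under different names: connlimit does what iplimit did (cap concurrent connections per source) and hashlimit does what dstlimit did (rate-limit new connections per source). The script below is an added example, not code from the thread; it assumes a 2.6+ kernel and iptables with connlimit, hashlimit and conntrack built in, a placeholder server address in the documentation range, and applies rules idempotently via `iptables -C`.

```shell
#!/bin/sh
# Added example, not code from the thread: per-source limits for a web server
# using the mainline successors of the modules discussed above (connlimit for
# iplimit, hashlimit for dstlimit). Assumes a 2.6+ kernel with both modules
# built in; the iptables 1.2.x in the thread needed patch-o-matic for them.
# Rules go in INPUT because the server itself is the destination (the
# thread's nat/PREROUTING and FORWARD chains are for forwarded traffic).

DEST_IP="${DEST_IP:-203.0.113.10}"  # assumed server address (documentation range)
PORT="${PORT:-80}"
MAX_CONN="${MAX_CONN:-16}"          # the thread's iplimit value: 16 connections per source
SYN_RATE="${SYN_RATE:-1/sec}"       # the thread's dstlimit values: 1 SYN/sec, burst 5
SYN_BURST="${SYN_BURST:-5}"

# Apply a rule only if it is absent (-C returns 0 when the rule already exists),
# so re-running the script never duplicates rules. DRY_RUN=1 only prints them.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables -A $*"
        return 0
    fi
    iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

limit_rules() {
    # 1. Cap concurrent connections per source address (what iplimit did).
    ipt INPUT -p tcp --syn --dport "$PORT" -d "$DEST_IP" \
        -m connlimit --connlimit-above "$MAX_CONN" --connlimit-mask 32 -j DROP
    # 2. Rate-limit new connections per source address (what dstlimit did).
    ipt INPUT -p tcp --syn --dport "$PORT" -d "$DEST_IP" \
        -m hashlimit --hashlimit-name web_syn --hashlimit-mode srcip \
        --hashlimit-upto "$SYN_RATE" --hashlimit-burst "$SYN_BURST" -j ACCEPT
    # 3. Traffic of connections already accepted is tracked by conntrack; let it through.
    ipt INPUT -p tcp --dport "$PORT" -d "$DEST_IP" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. Any SYN that exceeded the rate in rule 2 falls through to here.
    ipt INPUT -p tcp --syn --dport "$PORT" -d "$DEST_IP" -j DROP
}

# Print the rule set without touching the firewall (used for review and testing).
render_rules() {
    ( DRY_RUN=1; limit_rules )
}

case "${1:-show}" in
    apply) limit_rules ;;
    *)     render_rules ;;
esac
```

Run it with no argument to review the generated rules, and with `apply` as root to install them; `iptables -L INPUT -v -n` then shows the per-rule counters for tuning MAX_CONN and SYN_RATE.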