iptables command

Posted on 2006-04-21
Last Modified: 2012-06-27
I need to set a per-connection limit on my server with iptables.
I tried:
[root@host ~]#  iptables -t nat -A PREROUTING -i $EXT_IFACE eth0 -p tcp -syn -d $DEST_IP -m iplimit --iplimit -above 16 -j DROP
but iptables gives an error:
Bad argument `iplimit'
Try `iptables -h' or 'iptables --help' for more information.
What is the correct command to limit connections to the server?
Question by:likeinfo
    LVL 19

    Expert Comment

    as you can see here

    iplimit is not already implemented on the majority of kernels. You should patch a kernel so you can have this match in iptables (it also requires an up-to-date iptables).

    Here you have some info on how to compile extensions for iptables:

    However, I'm seeing that Debian has this patch, so maybe you need to load the module in order to use it:
    modprobe ipt_iplimit

    if you get an error modprobing the module, then you do not have iplimit compiled in the kernel. if you get nothing but the command line again, then try your rule again =)
    LVL 51

    Expert Comment

    # something like:
    iptables -I FORWARD -p tcp --dport 80 -d IP   --syn -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
    iptables -A FORWARD -p tcp --dport 80 -d IP ! --syn -j ACCEPT
    iptables -A FORWARD -p tcp --dport 80 -d IP   --syn -j DROP
    # allows an average of 1 syn/sec and max. 5 syns in a burst.

    Author Comment

    iptables -I FORWARD -p tcp --dport 80 -d IP   --syn -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
    iptables v1.2.11: Couldn't load match `dstlimit':/lib/iptables/libipt_dstlimit.so: cannot open shared object file: No such file or directory

    Try `iptables -h' or 'iptables --help' for more information.
    LVL 19

    Expert Comment

    Try with hashlimit instead of dstlimit, since it is deprecated:

    Of course, your Linux distribution should have patch-o-matic included (this includes a patched kernel), so you need to try and check if it works.

    if not, then add the patch-o-matic (need to read the documentation):

    Author Comment

    I'm running iptables v1.2.8.
    How can I fix this so I can use this command?
    LVL 19

    Accepted Solution


    if you read the patch-o-matic howto, you'll see you need to download and install a newer iptables, along with the process of downloading the patch, apply to a kernel source, and then compile and install the new kernel.

    If that is too much for you to do at the current state, then maybe you need to re-read my first post, where there are links to iproute2 commands that can be of help.

    these come already with all linux distributions nowadays
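
Added example, not part of the original thread: a shell sketch that checks which rate-limit match extension this iptables build can load (the failure reported above was a missing `libipt_dstlimit.so`) and prints, without applying, the three-rule SYN limit pattern from the thread using that match. The extension directory, the `libxt_` file prefix, the address 192.0.2.10 and the table name `synlimit` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: choose a rate-limit match that is actually installed, then
# print (never apply) the ACCEPT/ACCEPT/DROP pattern posted in the thread.

# Print the first usable match name, preferring hashlimit over the deprecated
# dstlimit. $1 = extension directory (assumption: /lib/iptables as in the error
# message above; newer builds use an xtables directory and libxt_ file names).
pick_match() {
    dir=$1
    for m in hashlimit dstlimit; do
        for prefix in libxt_ libipt_; do
            if [ -f "$dir/$prefix$m.so" ]; then
                echo "$m"
                return 0
            fi
        done
    done
    return 1
}

# Print the rules for match $1 protecting destination $2, TCP port $3.
emit_rules() {
    match=$1 ip=$2 port=$3
    case $match in
        hashlimit)
            # hashlimit needs a name for its hash table ("synlimit" is arbitrary)
            opts="-m hashlimit --hashlimit 1/sec --hashlimit-burst 5"
            opts="$opts --hashlimit-mode srcip,dstip,dstport --hashlimit-name synlimit" ;;
        dstlimit)
            # options exactly as posted in the thread
            opts="-m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec" ;;
        *)
            echo "unsupported match: $match" >&2
            return 1 ;;
    esac
    echo "iptables -I FORWARD -p tcp --dport $port -d $ip --syn $opts -j ACCEPT"
    echo "iptables -A FORWARD -p tcp --dport $port -d $ip ! --syn -j ACCEPT"
    echo "iptables -A FORWARD -p tcp --dport $port -d $ip --syn -j DROP"
}

# Usage: sh synlimit.sh /lib/iptables 192.0.2.10   (prints rules for port 80)
if [ $# -ge 2 ]; then
    m=$(pick_match "$1") || { echo "no rate-limit match found in $1" >&2; exit 1; }
    emit_rules "$m" "$2" 80
fi
```

If neither library is present, the script stops before any rule is printed, which is the same condition that produced the "Couldn't load match" error in the thread.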