DDoS rules using iptables

Posted on 2006-05-25
Last Modified: 2008-01-09
Hi everyone,

I have this error when I try to set the rule for my webserver under SUSE Linux ver 10.0. It complains as shown below. Does anyone know how to work around it so I can set the DDoS rule for my webserver?

 iptables -I FORWARD -p tcp --dport 80 -d --syn -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables v1.3.3: Couldn't load match `dstlimit':/usr/lib/iptables/ cannot open shared object file: No such file or directory

Question by: arron9112003
    LVL 51

    Expert Comment

    you need to install the dstlimit module

    Author Comment

    I cannot find a module named dstlimit on the SUSE website. If you know where to download it from, can you please let me know?

    LVL 51

    Expert Comment

    The iptables (aka netfilter) modules are part of the kernel. You have to recompile the kernel after selecting and enabling these modules; if you have a modularized kernel, you may compile the iptables modules and load them with modprobe.

    Author Comment

    Sorry, I don't quite understand your statement. I think iptables should already have been installed when the OS was installed.
    LVL 51

    Expert Comment

    iptables itself is the userspace program, but the functionality is built into the kernel (it's the netfilter part there).
    As with anything in the kernel, it could be a static part of the kernel or loaded dynamically as modules.
    Hence you either need to build the modules and load them (if you have a modularized kernel), or build a new kernel (if you have a static kernel, which is unusual nowadays :)
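
To tell which of the two halves described in the comment above is missing for a given match, a check along these lines can be used. This is an added example, not part of the original thread; the function name `check_match` is hypothetical, and the `libipt_NAME.so` / `ipt_NAME.ko` naming and the default paths are assumptions for an iptables 1.3-era system.

```shell
#!/bin/sh
# Added example (not from the thread): report which half of an iptables
# match is missing. Default paths and file naming are assumptions for an
# iptables 1.3-era layout; pass the real locations for your system.

# check_match NAME [EXT_DIR] [MOD_DIR] [PROC_MATCHES]
# Prints one status line per half; returns 0 only if both halves are found.
check_match() {
    name=$1
    ext_dir=${2:-/usr/lib/iptables}
    mod_dir=${3:-/lib/modules/$(uname -r)}
    proc_matches=${4:-/proc/net/ip_tables_matches}
    rc=0

    # Userspace half: the shared object iptables loads for "-m NAME".
    if [ -f "$ext_dir/libipt_$name.so" ]; then
        echo "userspace: $ext_dir/libipt_$name.so present"
    else
        echo "userspace: libipt_$name.so missing in $ext_dir"
        rc=1
    fi

    # Kernel half: already registered (built in or loaded), or a module file
    # that modprobe could load.
    if [ -r "$proc_matches" ] && grep -qx "$name" "$proc_matches"; then
        echo "kernel: match '$name' registered"
    elif [ -d "$mod_dir" ] && find "$mod_dir" -name "ipt_$name.ko*" | grep -q .; then
        echo "kernel: ipt_$name module on disk, not loaded (try modprobe ipt_$name)"
    else
        echo "kernel: no '$name' match built in or available as a module"
        rc=1
    fi
    return $rc
}

# When run as a script with arguments, e.g.: sh check_match.sh dstlimit
if [ $# -gt 0 ]; then
    check_match "$@"
fi
```

Reading `/proc/net/ip_tables_matches` normally requires root and only lists matches once the `ip_tables` module is loaded.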

    Author Comment

    I downloaded the new iptables package from netfilter and recompiled, but it looks like I cannot install it unless I do something extra which ... I don't know.
    Do you have an idea?

    suse:~/installable/iptables-1.3.5 # make KERNEL_DIR=/usr/src/linux
    /bin/sh: extensions/.BALANCE-test: Permission denied
    /bin/sh: extensions/.CLUSTERIP-test: Permission denied
    /bin/sh: extensions/.FTOS-test: Permission denied
    /bin/sh: extensions/.IPMARK-test: Permission denied
    /bin/sh: extensions/.IPV4OPTSSTRIP-test: Permission denied
    /bin/sh: extensions/.NETLINK-test: Permission denied
    /bin/sh: extensions/.ROUTE-test: Permission denied
    /bin/sh: extensions/.TCPLAG-test: Permission denied
    /bin/sh: extensions/.XOR-test: Permission denied
    /bin/sh: extensions/.account-test: Permission denied
    /bin/sh: extensions/.childlevel-test: Permission denied
    /bin/sh: extensions/.condition-test: Permission denied
    /bin/sh: extensions/.connbytes-test: Permission denied
    /bin/sh: extensions/.connrate-test: Permission denied
    /bin/sh: extensions/.dccp-test: Permission denied
    /bin/sh: extensions/.dstlimit-test: Permission denied
    /bin/sh: extensions/.fuzzy-test: Permission denied
    /bin/sh: extensions/.ipv4options-test: Permission denied
    /bin/sh: extensions/.mport-test: Permission denied
    /bin/sh: extensions/.nth-test: Permission denied
    /bin/sh: extensions/.osf-test: Permission denied
    /bin/sh: extensions/.psd-test: Permission denied
    /bin/sh: extensions/.quota-test: Permission denied
    /bin/sh: extensions/.random-test: Permission denied
    /bin/sh: extensions/.recent-test: Permission denied
    /bin/sh: extensions/.record-rpc-test: Permission denied
    /bin/sh: extensions/.set-test: Permission denied
    /bin/sh: extensions/.string-test: Permission denied
    /bin/sh: extensions/.time-test: Permission denied
    /bin/sh: extensions/.u32-test: Permission denied
    /bin/sh: extensions/.REJECT-test6: Permission denied
    /bin/sh: extensions/.ROUTE-test6: Permission denied
    /bin/sh: extensions/.ah-test6: Permission denied
    /bin/sh: extensions/.condition-test6: Permission denied
    /bin/sh: extensions/.esp-test6: Permission denied
    /bin/sh: extensions/.frag-test6: Permission denied
    /bin/sh: extensions/.fuzzy-test6: Permission denied
    /bin/sh: extensions/.ipv6header-test6: Permission denied
    /bin/sh: extensions/.nth-test6: Permission denied
    /bin/sh: extensions/.opts-test6: Permission denied
    /bin/sh: extensions/.random-test6: Permission denied
    /bin/sh: extensions/.rt-test6: Permission denied
    make: *** No rule to make target `extensions/libipt_TTL.c', needed by `extensions/libipt_TTL.d'.  Stop.
    suse:~/installable/iptables-1.3.5 #
    LVL 51

    Expert Comment

    As said before: iptables is not your problem, but the missing modules in/for the kernel.
    So why do you want to recompile iptables?

    Author Comment

    Build the modules? Are there instructions out there? I haven't done anything like this before.

    LVL 51

    Expert Comment

    you have to check your kernel with
      cd /usr/src/linux && make menuconfig

    Some modules used by iptables have also to be patched into the kernel, see the patch-o-matic part at

    If you have never built a kernel yourself before, I highly recommend that you get yourself used to how to configure, build and install a new kernel (it cannot be done in a few words, other people write books about that :)
    The general way is:

      cd /usr/src/linux
      make menuconfig
      make dep
      make bzImage
      make modules
      make modules_install
    Then you need to copy the kernel image to the proper boot directory and, depending on your boot loader, configure/install that again too.

    Author Comment


    I tried your suggestion, but it doesn't work for me (system crashed, maybe I need to learn more on this).
    I found this article, and it works well for me.
    LVL 51

    Expert Comment


    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator
