Solved

ddos rules using iptables

Posted on 2006-05-25
488 Views
Last Modified: 2008-01-09
Hi everyone,

I have this error when I try to set the rule for my webserver under SUSE Linux ver 10.0. It complains about libipt_dstlimit.so, anyone know how to work around so I can set the ddos rule for my webserver?

 iptables -I FORWARD -p tcp --dport 80 -d 192.168.2.21 --syn -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables v1.3.3: Couldn't load match `dstlimit':/usr/lib/iptables/libipt_dstlimit.so: cannot open shared object file: No such file or directory

Thanks.
0
Comment
Question by:arron9112003
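As an added example that is not part of the original question or of any answer in the thread, the POSIX shell script below performs the check the error message points at (is the userspace plugin libipt_<match>.so present under /usr/lib/iptables, and is the matching ipt_<match>.ko present in the running kernel's module tree) and prints the same SYN rate-limit rule written for hashlimit, the mainline successor of the patch-o-matic dstlimit match. The paths, the IPT_LIBDIR variable and the hashlimit-name value http_syn are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original thread): diagnose why iptables cannot
# load a match extension, and print the mainline equivalent of the SYN
# rate-limit rule from the question. Assumes a 2.6-era Linux box with the
# iptables userspace; the plugin and module paths are the conventional ones.

# Where the userspace match plugins live (the path in the error message).
IPT_LIBDIR="${IPT_LIBDIR:-/usr/lib/iptables}"

# Return 0 if the userspace plugin libipt_<match>.so exists under $2, else 1.
have_userspace_match() {
    # $1 = match name, $2 = plugin directory
    [ -f "$2/libipt_$1.so" ]
}

# Return 0 if the kernel module ipt_<match>.ko exists in the tree under $2, else 1.
have_kernel_match() {
    # $1 = match name, $2 = module tree root (e.g. /lib/modules/$(uname -r))
    find "$2" -name "ipt_$1.ko" 2>/dev/null | grep -q .
}

# dstlimit was a patch-o-matic extension; mainline kernels carry the same
# idea as hashlimit, so build the rule for the match that actually exists.
# $1 = server IP, $2 = port, $3 = rate (e.g. 1/sec)
syn_ratelimit_rule() {
    printf 'iptables -I FORWARD -p tcp --dport %s -d %s --syn -m hashlimit --hashlimit-mode srcip,dstip,dstport --hashlimit %s --hashlimit-name http_syn -j ACCEPT\n' "$2" "$1" "$3"
}

# Report whether a match is available on the userspace and the kernel side.
report_match() {
    # $1 = match name, $2 = plugin dir, $3 = module tree
    us="no"; ks="no"
    have_userspace_match "$1" "$2" && us="yes"
    have_kernel_match "$1" "$3" && ks="yes"
    printf '%s: userspace plugin=%s kernel module=%s\n' "$1" "$us" "$ks"
}

main() {
    modtree="/lib/modules/$(uname -r)"
    for m in dstlimit hashlimit; do
        report_match "$m" "$IPT_LIBDIR" "$modtree"
    done
    echo "Equivalent rule using hashlimit:"
    syn_ratelimit_rule 192.168.2.21 80 1/sec
}

main
```

Like the rule in the question, the generated rule only ACCEPTs SYNs that stay within the rate; what happens to the excess is decided by the FORWARD chain's policy or by a rule placed after it, so check that policy before relying on the rule for anything.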
12 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16772189
you need to install the dstlimit module
0
 

Author Comment

by:arron9112003
ID: 16774280
I cannot find such a module named dstlimit on the SUSE website. If you know where to download it from, can you please let me know?

Thanks.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16774536
The iptables (aka netfilter) modules are part of the kernel; you have to recompile the kernel after selecting and enabling these modules. If you have a modularized kernel, you may compile the iptables modules and load them with modprobe.
0
 

Author Comment

by:arron9112003
ID: 16777578
Sorry, I don't quite understand your statement. I think iptables should already have been installed when the OS was installed.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16778812
iptables itself is the userspace program, but the functionality is built into the kernel (it's the netfilter part there).
Like anything in the kernel, it can be a static part of the kernel or loaded dynamically as modules.
Hence you either need to build the modules and load them (if you have a modularized kernel), or build a new kernel (if you have a static kernel, which is unusual nowadays :)
0
 

Author Comment

by:arron9112003
ID: 16794743
I downloaded the new iptables package from netfilter and recompiled it, but it looks like I cannot install it unless I do something extra which ... I don't know.
Do you have an idea?

suse:~/installable/iptables-1.3.5 # make KERNEL_DIR=/usr/src/linux
/bin/sh: extensions/.BALANCE-test: Permission denied
/bin/sh: extensions/.CLUSTERIP-test: Permission denied
/bin/sh: extensions/.FTOS-test: Permission denied
/bin/sh: extensions/.IPMARK-test: Permission denied
/bin/sh: extensions/.IPV4OPTSSTRIP-test: Permission denied
/bin/sh: extensions/.NETLINK-test: Permission denied
/bin/sh: extensions/.ROUTE-test: Permission denied
/bin/sh: extensions/.TCPLAG-test: Permission denied
/bin/sh: extensions/.XOR-test: Permission denied
/bin/sh: extensions/.account-test: Permission denied
/bin/sh: extensions/.childlevel-test: Permission denied
/bin/sh: extensions/.condition-test: Permission denied
/bin/sh: extensions/.connbytes-test: Permission denied
/bin/sh: extensions/.connrate-test: Permission denied
/bin/sh: extensions/.dccp-test: Permission denied
/bin/sh: extensions/.dstlimit-test: Permission denied
/bin/sh: extensions/.fuzzy-test: Permission denied
/bin/sh: extensions/.ipv4options-test: Permission denied
/bin/sh: extensions/.mport-test: Permission denied
/bin/sh: extensions/.nth-test: Permission denied
/bin/sh: extensions/.osf-test: Permission denied
/bin/sh: extensions/.psd-test: Permission denied
/bin/sh: extensions/.quota-test: Permission denied
/bin/sh: extensions/.random-test: Permission denied
/bin/sh: extensions/.recent-test: Permission denied
/bin/sh: extensions/.record-rpc-test: Permission denied
/bin/sh: extensions/.set-test: Permission denied
/bin/sh: extensions/.string-test: Permission denied
/bin/sh: extensions/.time-test: Permission denied
/bin/sh: extensions/.u32-test: Permission denied
/bin/sh: extensions/.REJECT-test6: Permission denied
/bin/sh: extensions/.ROUTE-test6: Permission denied
/bin/sh: extensions/.ah-test6: Permission denied
/bin/sh: extensions/.condition-test6: Permission denied
/bin/sh: extensions/.esp-test6: Permission denied
/bin/sh: extensions/.frag-test6: Permission denied
/bin/sh: extensions/.fuzzy-test6: Permission denied
/bin/sh: extensions/.ipv6header-test6: Permission denied
/bin/sh: extensions/.nth-test6: Permission denied
/bin/sh: extensions/.opts-test6: Permission denied
/bin/sh: extensions/.random-test6: Permission denied
/bin/sh: extensions/.rt-test6: Permission denied
make: *** No rule to make target `extensions/libipt_TTL.c', needed by `extensions/libipt_TTL.d'.  Stop.
suse:~/installable/iptables-1.3.5 #
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16796050
As said before: iptables is not your problem, but the missing modules in/for the kernel.
So why do you want to recompile iptables?
0
 

Author Comment

by:arron9112003
ID: 16796099
Build the modules? Is there an instruction out there? I haven't done anything like this before.

Regards.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16796157
you have to check your kernel with
  cd /usr/src/linux && make menuconfig

Some modules used by iptables also have to be patched into the kernel; see the patch-o-matic part at http://www.iptables.org/.

If you have never built a kernel yourself before, I highly recommend that you make yourself familiar with how to configure, build and install a new kernel (it cannot be done in a few words; other people write books about that :)
The general way is:

  cd /usr/src/linux
  make menuconfig
  make dep
  make bzimage
  make modules
  make modules-install
 
then you need to copy the kernel image to the proper boot directory and depending on your boot loader configure/install that too again.
0
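As an added example that is not part of ahoffmann's answer: before going through the menuconfig/make cycle, it is worth reading the running kernel's configuration to see whether the match is already built in or available as a module, since only the "not set" case needs a rebuild at all. The script below assumes the config is readable from /proc/config.gz or /boot/config-<release>; the CONFIG_ option names for hashlimit and limit are the mainline ones, and CONFIG_IP_NF_MATCH_DSTLIMIT is assumed to be what the patch-o-matic dstlimit patch adds.

```shell
#!/bin/sh
# Added example (not from the thread): check what the running kernel's
# config already says about the netfilter matches you need before rebuilding.
# Assumes the config is readable from /proc/config.gz or /boot/config-<release>.

# Print the state of one CONFIG_ option from a config file: y, m, n or unknown.
# $1 = option name (without "CONFIG_"), $2 = config file (plain text)
config_state() {
    line=$(grep -E "^(# )?CONFIG_$1[= ]" "$2" | head -n 1)
    case "$line" in
        "CONFIG_$1=y") echo y ;;
        "CONFIG_$1=m") echo m ;;
        "# CONFIG_$1 is not set") echo n ;;
        *) echo unknown ;;
    esac
}

# Map a netfilter match name to the kernel option that provides it.
# The DSTLIMIT option name is assumed (out-of-tree patch-o-matic extension).
match_option() {
    case "$1" in
        hashlimit) echo IP_NF_MATCH_HASHLIMIT ;;
        dstlimit)  echo IP_NF_MATCH_DSTLIMIT ;;
        limit)     echo IP_NF_MATCH_LIMIT ;;
        *) return 1 ;;
    esac
}

# Locate the running kernel's config as plain text and print its path.
running_config() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp); zcat /proc/config.gz > "$tmp"; echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# One line of advice per state, so the admin knows whether a rebuild is needed.
# $1 = match name, $2 = state from config_state
advise() {
    case "$2" in
        y) echo "$1: built into the kernel, nothing to build" ;;
        m) echo "$1: built as a module, try: modprobe ipt_$1" ;;
        n) echo "$1: disabled in this config, kernel rebuild needed" ;;
        *) echo "$1: not in this config (out-of-tree extension?)" ;;
    esac
}

main() {
    if ! cfg=$(running_config); then
        echo "no readable kernel config found" >&2
        return 0
    fi
    for m in dstlimit hashlimit limit; do
        opt=$(match_option "$m")
        advise "$m" "$(config_state "$opt" "$cfg")"
    done
}

main
```

If hashlimit reports "m" or "y", the rate-limit rule can be written against that match without touching the kernel at all; only the "n" (or unknown, for a patch-o-matic match) case calls for the menuconfig and rebuild steps above.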
 

Author Comment

by:arron9112003
ID: 16827939

I tried your suggestion, but it doesn't work for me (system crashed, maybe I need to learn more on this).
I found this article, and it works good for me. http://www.linuxsecurity.com/content/view/121960/49/
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16987530
agreed
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 17023102
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
0
