ddos rules using iptables

Hi everyone,

I get this error when I try to set the rule for my webserver under SUSE Linux ver 10.0. It complains about libipt_dstlimit.so; does anyone know how to work around it so I can set the ddos rule for my webserver?

iptables -I FORWARD -p tcp --dport 80 -d 192.168.2.21 --syn -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables v1.3.3: Couldn't load match `dstlimit':/usr/lib/iptables/libipt_dstlimit.so: cannot open shared object file: No such file or directory

Thanks.
arron9112003 Asked:

CetusMOD Commented:
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
0
 
ahoffmann Commented:
you need to install the dstlimit module
0
 
arron9112003 (Author) Commented:
I can not find any module named dstlimit on the SUSE website. If you know where to download it from, can you please let me know?

Thanks.
0
 
ahoffmann Commented:
the iptables (aka netfilter) modules are part of the kernel; you have to recompile the kernel after selecting and enabling these modules. If you have a modularized kernel, you may compile the iptables modules and load them with modprobe.
0
 
arron9112003 (Author) Commented:
Sorry, I don't quite understand your statement. I think iptables should already have been installed when the OS was installed.
0
 
ahoffmann Commented:
iptables itself is the userspace program, but the functionality is built into the kernel (it's the netfilter part there).
As with anything in the kernel, it can be a static part of the kernel or loaded dynamically as modules.
Hence you either need to build the modules and load them (if you have a modularized kernel), or build a new kernel (if you have a static kernel, which is unusual nowadays:)
0
 
arron9112003 (Author) Commented:
I downloaded the new iptables package from netfilter and recompiled, but it looks like I can not install it unless I do something extra which ... I don't know.
Do you have an idea?

suse:~/installable/iptables-1.3.5 # make KERNEL_DIR=/usr/src/linux
/bin/sh: extensions/.BALANCE-test: Permission denied
/bin/sh: extensions/.CLUSTERIP-test: Permission denied
/bin/sh: extensions/.FTOS-test: Permission denied
/bin/sh: extensions/.IPMARK-test: Permission denied
/bin/sh: extensions/.IPV4OPTSSTRIP-test: Permission denied
/bin/sh: extensions/.NETLINK-test: Permission denied
/bin/sh: extensions/.ROUTE-test: Permission denied
/bin/sh: extensions/.TCPLAG-test: Permission denied
/bin/sh: extensions/.XOR-test: Permission denied
/bin/sh: extensions/.account-test: Permission denied
/bin/sh: extensions/.childlevel-test: Permission denied
/bin/sh: extensions/.condition-test: Permission denied
/bin/sh: extensions/.connbytes-test: Permission denied
/bin/sh: extensions/.connrate-test: Permission denied
/bin/sh: extensions/.dccp-test: Permission denied
/bin/sh: extensions/.dstlimit-test: Permission denied
/bin/sh: extensions/.fuzzy-test: Permission denied
/bin/sh: extensions/.ipv4options-test: Permission denied
/bin/sh: extensions/.mport-test: Permission denied
/bin/sh: extensions/.nth-test: Permission denied
/bin/sh: extensions/.osf-test: Permission denied
/bin/sh: extensions/.psd-test: Permission denied
/bin/sh: extensions/.quota-test: Permission denied
/bin/sh: extensions/.random-test: Permission denied
/bin/sh: extensions/.recent-test: Permission denied
/bin/sh: extensions/.record-rpc-test: Permission denied
/bin/sh: extensions/.set-test: Permission denied
/bin/sh: extensions/.string-test: Permission denied
/bin/sh: extensions/.time-test: Permission denied
/bin/sh: extensions/.u32-test: Permission denied
/bin/sh: extensions/.REJECT-test6: Permission denied
/bin/sh: extensions/.ROUTE-test6: Permission denied
/bin/sh: extensions/.ah-test6: Permission denied
/bin/sh: extensions/.condition-test6: Permission denied
/bin/sh: extensions/.esp-test6: Permission denied
/bin/sh: extensions/.frag-test6: Permission denied
/bin/sh: extensions/.fuzzy-test6: Permission denied
/bin/sh: extensions/.ipv6header-test6: Permission denied
/bin/sh: extensions/.nth-test6: Permission denied
/bin/sh: extensions/.opts-test6: Permission denied
/bin/sh: extensions/.random-test6: Permission denied
/bin/sh: extensions/.rt-test6: Permission denied
make: *** No rule to make target `extensions/libipt_TTL.c', needed by `extensions/libipt_TTL.d'.  Stop.
suse:~/installable/iptables-1.3.5 #
0
 
ahoffmann Commented:
as said before: iptables is not your problem, but the missing modules in/for the kernel.
So why do you want to recompile iptables?
0
 
arron9112003 (Author) Commented:
build the modules? Is there an instruction out there? I haven't done anything like this before.

Regards.
0
 
ahoffmann Commented:
you have to check your kernel with
  cd /usr/src/linux && make menuconfig

Some modules used by iptables also have to be patched into the kernel; see the patch-o-matic part at http://www.iptables.org/.

If you have never built a kernel yourself before, I highly recommend that you familiarize yourself with how to configure, build and install a new kernel (it cannot be done in a few words; other people write books about that:)
The general way is:

  cd /usr/src/linux
  make menuconfig
  make dep
  make bzImage
  make modules
  make modules_install

then you need to copy the kernel image to the proper boot directory and, depending on your boot loader, configure/install that too again.
0
 
arron9112003 (Author) Commented:

I tried your suggestion, but it doesn't work for me (the system crashed; maybe I need to learn more about this).
I found this article, and it works well for me. http://www.linuxsecurity.com/content/view/121960/49/
0
 
ahoffmann Commented:
agreed
0
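The thread turns on the difference between the two halves of an iptables match extension: the error quoted in the question names the userspace plugin (/usr/lib/iptables/libipt_dstlimit.so), while the kernel side is a separate module (ipt_dstlimit.ko under /lib/modules/<release>/), and "-m dstlimit" only works when both are present. The script below is an added example, not code from the thread or from the netfilter project. It checks both halves for a given match name, and it prints the same rate limit written with hashlimit, the mainline successor of the patch-o-matic dstlimit match, which ships with stock kernels and iptables and so needs no kernel rebuild. The directory parameters and the chain name "web_syn" are assumptions chosen for the example; note that an ACCEPT-only limit rule admits the first SYN per second per (srcip,dstip,dstport) and lets the excess fall through to the following rules, so a companion DROP is needed to actually shed it.

```shell
#!/bin/sh
# Added example (not from the thread). Tell apart the userspace plugin
# and the kernel module of an iptables match extension.
#
# Usage: check_match_extension MATCH [LIBDIR] [MODDIR]
# Exit status: 0 = both halves present
#              1 = userspace plugin (libipt_MATCH.so) missing
#              2 = kernel module (ipt_MATCH.ko) missing
#              3 = both missing
# LIBDIR/MODDIR default to the usual locations; they are parameters
# so the check can be exercised against a constructed directory tree.
check_match_extension() {
    match="$1"
    libdir="${2:-/usr/lib/iptables}"
    moddir="${3:-/lib/modules/$(uname -r)}"
    rc=0
    # Userspace half: this is what "Couldn't load match ... cannot open
    # shared object file" in the question refers to.
    if [ ! -f "$libdir/libipt_$match.so" ]; then
        echo "userspace plugin missing: $libdir/libipt_$match.so" >&2
        rc=$((rc + 1))
    fi
    # Kernel half: search the whole module tree (.ko, possibly compressed).
    if [ -z "$(find "$moddir" -name "ipt_$match.ko*" 2>/dev/null | head -n 1)" ]; then
        echo "kernel module missing: ipt_$match.ko under $moddir" >&2
        rc=$((rc + 2))
    fi
    return $rc
}

# Print the question's rate limit in hashlimit form for destination $1.
# Older iptables (1.3.x) spell the limit "--hashlimit"; 1.4 and later also
# accept "--hashlimit-upto". The DROP rule sheds the SYNs over the limit.
limit_rules() {
    dst="$1"
    cat <<EOF
iptables -I FORWARD 1 -p tcp --dport 80 -d $dst --syn -m hashlimit --hashlimit-mode srcip,dstip,dstport --hashlimit 1/sec --hashlimit-name web_syn -j ACCEPT
iptables -I FORWARD 2 -p tcp --dport 80 -d $dst --syn -j DROP
EOF
}

# Stand-alone run: report on dstlimit and hashlimit for the running system,
# then show the replacement rules for the host in the question.
if [ "${0##*/}" != "sh" ]; then
    for m in dstlimit hashlimit; do
        if check_match_extension "$m"; then
            echo "$m: both userspace plugin and kernel module present"
        fi
    done
    limit_rules 192.168.2.21
fi
```

Run it as root on the firewall host to see which half of dstlimit is missing; the exit codes make it usable from a provisioning script. Printing the rules rather than applying them keeps the example safe to run anywhere; pipe the output to sh once the FORWARD chain order has been reviewed.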