View full version : iptables: iplimit doesn't work (1.9.2.7-4)



tomilius
27-03-2005, 23:58
Trash this if I'm wrong, but I can't get iplimit to work correctly.

This works:
iptables -A INPUT -p tcp --syn -j REJECT

This doesn't:
iptables -A INPUT -p tcp --syn -m iplimit --iplimit-above 5 -j REJECT

Result:
iptables: No chain/target/match by that name

I'm ... well... 66% positive that I'm doing it correctly. I've googled.

... And in so googling, I've found other people with the problem but not a solution that I can understand (something about patch-o-matic). Oleg, I would appreciate it if you could solve this problem in the next firmware :)

iptables -m iplimit -h:

iplimit v1.2.7a options:
[!] --iplimit-above n match if the number of existing tcp connections is (not) above n
--iplimit-mask n group hosts using mask

So it's not completely broken, since it can show that. Like I said, there are reports of this problem. Apparently iplimit needs a kernel patch or something:

Please use patch-o-matic to get iplimit match support in your firewall. If compiled into kernel, then you have no need to worry :)

mctiew
28-03-2005, 08:59
Trash this if I'm wrong, but I can't get iplimit to work correctly.

This works:
iptables -A INPUT -p tcp --syn -j REJECT

This doesn't:
iptables -A INPUT -p tcp --syn -m iplimit --iplimit-above 5 -j REJECT

Result:
iptables: No chain/target/match by that name

I'm ... well... 66% positive that I'm doing it correctly. I've googled.


iplimit is the old name for connlimit. Both iptables and kernel need to be patched to have this.

I have replaced the iptables 1.2.7a with 1.2.9 ( which includes extension ipt_connlimit and also patched the kernel accordingly. But I haven't got time to test to see if it is working. ;)

Cheers
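Added example, not code from the thread: a small sh helper that picks the match name (iplimit vs. connlimit) for an iptables build, writes the limit rule in the form used above, interprets the "No chain/target/match by that name" error, and probes kernel support in a throwaway chain instead of INPUT. Assumed: iptables on PATH only for the probe; the version cut-over and the "Couldn't load match" wording are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: pick the right per-source connection
# limit match for an iptables build and check whether the kernel has it.

# Old name (iplimit, as in the 1.2.7a build above) vs. new name (connlimit,
# which the thread says ships with 1.2.9). Cut-over point is an assumption.
match_name_for_version() {
    case "$1" in
        1.2.[0-8] | 1.2.[0-8][a-z]*) echo iplimit ;;
        *)                           echo connlimit ;;
    esac
}

# Build the rule from the thread: reject new TCP connections from a source
# that already holds more than $2 connections; $3 is the grouping mask
# (32 = per host, 24 = per /24).
limit_rule() {
    m=$1; n=$2; mask=${3:-32}
    echo "iptables -A INPUT -p tcp --syn -m ${m} --${m}-above ${n} --${m}-mask ${mask} -j REJECT"
}

# Classify iptables' stderr. The thread's error means the kernel lacks the
# ipt_<match> module (or it was not compiled in), not a typo in the rule;
# the "Couldn't load match" form (assumed wording) means the userspace
# extension library is missing instead.
classify_error() {
    case "$1" in
        "")                                     echo ok ;;
        *"No chain/target/match by that name"*) echo kernel-missing ;;
        *"Couldn't load match"*)                echo userspace-missing ;;
        *)                                      echo other ;;
    esac
}

# Try the rule in a throwaway chain so INPUT is never touched (needs root
# and iptables on PATH); report which side of the patch is missing.
probe_match() {
    m=$(match_name_for_version "$(iptables -V | sed 's/^iptables v//')")
    iptables -N limit_probe 2>/dev/null || true
    err=$(iptables -A limit_probe -p tcp --syn -m "$m" --"$m"-above 5 -j REJECT 2>&1 >/dev/null)
    iptables -F limit_probe 2>/dev/null; iptables -X limit_probe 2>/dev/null
    echo "$m: $(classify_error "$err")"
}

# Run "sh thisfile probe" as root to test the live box.
if [ "${1:-}" = probe ]; then probe_match; fi
```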

tomilius
28-03-2005, 23:43
This is sort of off the topic, but what would be really useful is a target which runs a script and passes arguments to it. That would allow for a ton of incredible customization as well...

mctiew
29-03-2005, 01:54
This is sort of off the topic, but what would be really useful is a target which runs a script and passes arguments to it. That would allow for a ton of incredible customization as well...

As it turns out, I could not compile connlimit as modules, something is not right, the module will complain unresolved symbol with ip_conntrack_find_get. Other people hit the same problem too if you search google.

So I compiled it into the kernel, and now it is working. So if there is any interest, one has to use it in the form of *.trx. Take your own risk, it's a custom firmware which I tweaked many many things. ;)

Cheers.

tomilius
29-03-2005, 14:19
Ah! Thank you--though it's not that urgent so I do not need a further-customized firmware yet. I hope you pass the news along to Oleg with an explanation so there won't have to be a parallel series going on (e-gasp, reminds me of Physics), and hopefully it can be in 1.9.2.7-5 or 1.9.3.8-1 or whatever, depending on the rate of change (... oh no, more Physics?). Great work!

mctiew
29-03-2005, 14:48
Ah! Thank you--though it's not that urgent so I do not need a further-customized firmware yet. I hope you pass the news along to Oleg with an explanation so there won't have to be a parallel series going on (e-gasp, reminds me of Physics), and hopefully it can be in 1.9.2.7-5 or 1.9.3.8-1 or whatever, depending on the rate of change (... oh no, more Physics?). Great work!

Absolutely no plan to branch off a parallel series but I can see it shall be quite difficult to reconcile everybody's requirements into one series. Everybody's requirement is not quite the same. And real estate is often an issue where you can't possibly put everybody's requirements together.

Holding the source and being able to make your own mods is the freedom here. And we need to thank Oleg for that.

Cheers.