Thread: iptables: iplimit doesn't work (1.9.2.7-4)

  1. #1

    iptables: iplimit doesn't work (1.9.2.7-4)

    Trash this if I'm wrong, but I can't get iplimit to work correctly.

    This works:
    iptables -A INPUT -p tcp --syn -j REJECT

    This doesn't:
    iptables -A INPUT -p tcp --syn -m iplimit --iplimit-above 5 -j REJECT

    Result:
    iptables: No chain/target/match by that name

    I'm ... well... 66% positive that I'm doing it correctly. I've googled.

    ... And in so googling, I've found other people with the problem but not a solution that I can understand (something about patch-o-matic). Oleg, I would appreciate it if you could solve this problem in the next firmware.

    iptables -m iplimit -h:
    iplimit v1.2.7a options:
    [!] --iplimit-above n match if the number of existing tcp connections is (not) above n
    --iplimit-mask n group hosts using mask
    So it's not completely broken, since it can show that. Like I said, there are reports of this problem. Apparently iplimit needs a kernel patch or something:
    Quote Originally Posted by some difficult-to-read google result
    Please use patch-o-matic to get iplimit match support in your firewall. If compiled into kernel, then you have no need to worry.
    Last edited by tomilius; 28-03-2005 at 01:13.

  2. #2
    Quote Originally Posted by tomilius
    Trash this if I'm wrong, but I can't get iplimit to work correctly.

    This works:
    iptables -A INPUT -p tcp --syn -j REJECT

    This doesn't:
    iptables -A INPUT -p tcp --syn -m iplimit --iplimit-above 5 -j REJECT

    Result:
    iptables: No chain/target/match by that name

    I'm ... well... 66% positive that I'm doing it correctly. I've googled.
    iplimit is the old name for connlimit. Both iptables and kernel need to be patched to have this.

    I have replaced the iptables 1.2.7a with 1.2.9 (which includes extension ipt_connlimit) and also patched the kernel accordingly. But I haven't got time to test to see if it is working.

    Cheers

  3. #3
    This is sort of off the topic, but what would be really useful is a target which runs a script and passes arguments to it. That would allow for a ton of incredible customization as well...

  4. #4
    Quote Originally Posted by tomilius
    This is sort of off the topic, but what would be really useful is a target which runs a script and passes arguments to it. That would allow for a ton of incredible customization as well...
    As it turns out, I could not compile connlimit as modules, something is not right, the module will complain unresolved symbol with ip_conntrack_find_get. Other people hit the same problem too if you search google.

    So I compiled it into the kernel, and now it is working. So if there is any interest, one has to use it in the form of *.trx. Take your own risk, it's a custom firmware which I tweaked many many things.

    Cheers.
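    Posts #2 and #4 make the point that the error in post #1 comes from the kernel half, not the iptables half: `iptables -m iplimit -h` only proves the userspace extension is installed, while "No chain/target/match by that name" means the running kernel has no such match. The helpers below, an added example and not code from the thread or from the firmware, rewrite an old iplimit rule into the connlimit syntax that replaced it and check the two halves separately; `/proc/net/ip_tables_matches` is the kernel's own list of registered matches, and `xt_connlimit` is the module name on current kernels (assumed here).

```shell
#!/bin/sh
# Added example (not from the thread): iplimit was renamed connlimit. These
# helpers rewrite an old iplimit rule to connlimit syntax and tell apart
# "iptables lacks the extension" from "the kernel lacks the module".

# Rewrite "-m iplimit --iplimit-above N [--iplimit-mask M]" to connlimit.
iplimit_to_connlimit() {
    printf '%s\n' "$1" | sed \
        -e 's/-m iplimit/-m connlimit/g' \
        -e 's/--iplimit-above/--connlimit-above/g' \
        -e 's/--iplimit-mask/--connlimit-mask/g'
}

# Userspace check only: "iptables -m NAME -h" succeeds as soon as the
# iptables extension library is installed, which is all post #1 proved.
userspace_has_match() {
    iptables -m "$1" -h >/dev/null 2>&1
}

# Kernel check: /proc/net/ip_tables_matches lists the matches the running
# kernel has registered (built in or loaded). Trying to load the module
# first avoids a false negative on a modular kernel; needs root to succeed.
kernel_has_match() {
    modprobe "xt_$1" >/dev/null 2>&1 || true
    grep -qx "$1" /proc/net/ip_tables_matches 2>/dev/null
}

# Report which half is missing for a given match name (one line on stdout).
diagnose_match() {
    if ! userspace_has_match "$1"; then
        echo "$1: iptables has no such extension (userspace side)"
    elif ! kernel_has_match "$1"; then
        echo "$1: extension present, kernel lacks the module" \
             "(iptables reports 'No chain/target/match by that name')"
    else
        echo "$1: usable"
    fi
}

# Constructed sample: the rule from the thread, plus grouping sources by /24
# so one subnet cannot hold more than 5 parallel connections in total.
old_rule='iptables -A INPUT -p tcp --syn -m iplimit --iplimit-above 5 --iplimit-mask 24 -j REJECT'

# Stand-alone usage: print the translated rule, then the diagnosis.
iplimit_to_connlimit "$old_rule"
diagnose_match connlimit
```

The translated rule still needs conntrack in the kernel, since connlimit counts existing connections per source; with `--syn` only new connection attempts above the limit are rejected, existing ones are left alone.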

  5. #5
    Ah! Thank you--though it's not that urgent so I do not need a further-customized firmware yet. I hope you pass the news along to Oleg with an explanation so there won't have to be a parallel series going on (e-gasp, reminds me of Physics), and hopefully it can be in 1.9.2.7-5 or 1.9.3.8-1 or whatever, depending on the rate of change (... oh no, more Physics?). Great work!

  6. #6
    Quote Originally Posted by tomilius
    Ah! Thank you--though it's not that urgent so I do not need a further-customized firmware yet. I hope you pass the news along to Oleg with an explanation so there won't have to be a parallel series going on (e-gasp, reminds me of Physics), and hopefully it can be in 1.9.2.7-5 or 1.9.3.8-1 or whatever, depending on the rate of change (... oh no, more Physics?). Great work!
    Absolutely no plan to branch off a parallel series but I can see it shall be quite difficult to reconcile everybody's requirements into one series. Everybody's requirement is not quite the same. And real estate is often an issue where you can't possibly put everybody's requirements together.

    Holding the source and be able to make your own mods is the freedom here. And we need to thank Oleg for that.

    Cheers.
