iptables and connlimit

Thread: iptables and connlimit

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    472

    iptables and connlimit

    Hello friends,

    I was just working with iptables and connlimit and facing a little bit of a problem; I hope you people can help me out.

    Please have a look at the command that I executed after a fresh installation of iptables from RPM.

    [root@MDK10 firewall]# iptables -I INPUT 1 -p tcp --syn --dport 80 -m connlimit ! --connlimit-above 2 -j ACCEPT
    iptables: No chain/target/match by that name.

    But have a look at this too:

    [root@MDK10 firewall]# iptables -I INPUT 1 -p tcp --syn --dport 80 -m connlimit -j ACCEPT
    iptables v1.2.9: You must specify `--connlimit-above'

    So connlimit is there and the module gets loaded (I suppose, because it shows me the error for incomplete parameters in the second command).

    Any ideas where I am slipping?
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: iptables and connlimit

    Originally posted here by NullDevice
    [root@MDK10 firewall]# iptables -I INPUT 1 -p tcp --syn --dport 80 -m connlimit ! --connlimit-above 2 -j ACCEPT
    iptables: No chain/target/match by that name.
    Remove the exclamation mark (!) and see if that fixes the problem. For what you are doing, you can equally do --connlimit-above 2 -j DROP/REJECT. I believe that is the intended use of the connlimit module.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  5. #5
    Senior Member
    Join Date
    May 2003
    Posts
    472
    That too doesn't work, buddy. I have already tried that.
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  7. #7
    steve.milner (AntiOnline Senior Member)
    Join Date
    Jul 2003
    Posts
    1,018
    Can't see the problem, it looks very similar to this example:

    http://www.netfilter.org/patch-o-mat...base-connlimit

    Are you sure this works on INPUT? Although common sense says it should.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  9. #9
    Senior Member
    Join Date
    May 2003
    Posts
    472
    Sorry Steve, that too won't work because you need to operate on one of the chains only. Have a look below:

    [root@MDK10 firewall]# iptables -p tcp --syn --dport 80 -m connlimit ! --connlimit-above 2 -j ACCEPT
    iptables v1.2.9: no command specified
    Try `iptables -h' or 'iptables --help' for more information.
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
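    The thread never pins down the failure, so here is an added diagnostic script (my own, not from any poster) that separates the two messages seen above: "You must specify `--connlimit-above'" comes from the userspace extension's option parser, while "No chain/target/match by that name" is how iptables reports the kernel refusing the rule (ENOENT), the symptom when libipt_connlimit.so is installed but the running kernel has no connlimit match built in or loadable. It assumes the module names xt_connlimit and ipt_connlimit and the /proc/net/ip_tables_matches listing of newer kernels, and prints the positive-form rule Chris suggested.

```shell
#!/bin/sh
# Added diagnostic for this thread's symptom; not code from any poster.
# Assumptions: kernel module names xt_connlimit (2.6.23+) and ipt_connlimit
# (older patch-o-matic kernels); /proc/net/ip_tables_matches on newer kernels.

# Map an iptables error message to where the failure sits: the userspace
# rule parser (missing/bad option) or the kernel (match not built or loaded).
classify_iptables_error() {
    case "$1" in
        "") echo ok ;;
        *"No chain/target/match by that name"*) echo kernel-match-missing ;;
        *"You must specify"*|*"no command specified"*) echo userspace-usage ;;
        *) echo unknown ;;
    esac
}

# The rule the thread is after, in the positive form Chris suggested (no "!"
# inversion): drop new HTTP connections from a source already holding LIMIT.
connlimit_rule() {
    port=$1; limit=$2
    echo "-I INPUT 1 -p tcp --syn --dport $port -m connlimit --connlimit-above $limit -j DROP"
}

# Live check (run as root): is connlimit usable in userspace AND in the kernel?
check_connlimit_support() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not installed"; return 2; }
    if iptables -m connlimit --help >/dev/null 2>&1; then
        echo "userspace: connlimit extension loads"
    else
        echo "userspace: connlimit extension missing (lib*_connlimit.so)"; return 1
    fi
    if modprobe xt_connlimit 2>/dev/null || modprobe ipt_connlimit 2>/dev/null; then
        echo "kernel: connlimit module loaded"
    else
        echo "kernel: no connlimit module; rules then fail with 'No chain/target/match by that name'"
    fi
    if [ -r /proc/net/ip_tables_matches ] && grep -qx connlimit /proc/net/ip_tables_matches; then
        echo "kernel: connlimit match registered"
    fi
    echo "rule to apply: iptables $(connlimit_rule "${1:-80}" "${2:-2}")"
}

# Usage: sh connlimit_check.sh check [port] [limit]
if [ "${1:-}" = check ]; then
    check_connlimit_support "${2:-80}" "${3:-2}"
fi
```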
