LinuxQuestions.org


thanhlong 07-12-2008 09:52 PM

Centos 5.0 x86_64: need help adding connlimit module to iptables
 
hi all,
my company is using Centos 5.0 (final), kernel 2.6.18-8.e15 x86_64, for a web server. Recently, the server is always under DDOS and I need some updates to the current iptables rules to limit the number of connections per IP. However, it seems that my Linux box doesn't support connlimit in iptables currently (I always get an error when I run the iptables command with the connlimit parameter). I need to patch & compile the kernel to add the connlimit module to iptables.

I have never done this job before, therefore I'm not really confident doing it on a production server without a guide. I have spent much time on Google looking for an appropriate guide, but no luck.

Please help me..

jomen 07-13-2008 03:22 PM

Quote:

I need to patch & compile kernel to add connlimit module to iptables.
Do you know this?

To get support for the connlimit target should be as simple as:
modprobe xt_connlimit

That is if Centos has these modules available. I think they do but don't know.
Try it.

thanhlong 07-13-2008 09:09 PM

Thanks Jomen, but it seems Centos does not have these modules:
Quote:

[root@server02 ~]# modprobe xt_connlimit
FATAL: Module xt_connlimit not found.
:confused:

Quote:

I need to patch & compile kernel to add connlimit module to iptables.
Because I think this is exactly what I have to do (But I need more detail).

http://www.linuxquestions.org/questi...967295-513720/

jomen 07-14-2008 02:48 AM

But you don't need to patch - just your regular kernel-sources will do.
If there really are no prebuilt packages to get these modules just installed as everything else and you need to build them, you need the kernel-devel packages or the full source.
Same version as you have now - then you configure the kernel using your current configuration (/proc/config.gz) - so you don't run the risk of forgetting anything - and you then include the netfilter-modules you want.
Should be no big deal.
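
Added example, not part of the original thread: a shell check of whether a kernel configuration provides the connlimit match and whether an xt_connlimit module file is installed, which is the question to settle before rebuilding anything. The symbol name CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is the mainline Kconfig name and is an assumption here, as are the two config locations tried; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: does this kernel build provide the iptables connlimit match?
# Assumed symbol: CONFIG_NETFILTER_XT_MATCH_CONNLIMIT (mainline Kconfig name).

# connlimit_state CONFIG_FILE -> prints builtin | module | absent
# Accepts a plain config file or a gzip-compressed one (e.g. /proc/config.gz).
connlimit_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # "# CONFIG_... is not set" lines do not match the anchored pattern.
    line=$($reader "$cfg" | grep -E '^CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=' | tail -n 1)
    case $line in
        *=y) echo "builtin" ;;
        *=m) echo "module" ;;
        *)   echo "absent" ;;
    esac
}

# find_kernel_config -> path of the first readable config for the running kernel
find_kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# module_present MODULES_DIR -> success if an xt_connlimit module file exists
module_present() {
    [ -n "$(find "$1" -name 'xt_connlimit.ko*' 2>/dev/null | head -n 1)" ]
}

report() {
    cfg=$(find_kernel_config) || { echo "no kernel config found"; return 1; }
    echo "config $cfg: connlimit $(connlimit_state "$cfg")"
    if module_present "/lib/modules/$(uname -r)"; then
        echo "xt_connlimit module file installed: modprobe xt_connlimit should load it"
    else
        echo "no xt_connlimit module file: it has to be built for this exact kernel version"
    fi
}

report || true
```

A result of "absent" together with a missing module file matches the `FATAL: Module xt_connlimit not found.` output quoted in the thread.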

thanhlong 07-14-2008 03:14 AM

That may be an equivocal answer for a newbie like me :D
I need a step-by-step overview of what to do. Anyway, thanks so much. I will try my best!

