LinuxQuestions.org


mario.almeida 07-02-2009 12:38 AM

connlimit with iptable
 
Hi All,

Can someone tell me how to enable the connlimit module for iptables?

//Remy

centosboy 07-02-2009 06:22 AM

Quote:

Originally Posted by mario.almeida (Post 3593818)
Hi All,

Can someone tell me how to enable the connlimit module for iptables?

//Remy

Yes,
add -m connlimit --connlimit-above <number> somewhere in the iptables command.
Code:

iptables -m connlimit
other options are set in here.........

/etc/sysconfig/iptables-config

for redhat variants anyway

mario.almeida 07-02-2009 06:52 AM

Hi,

I had tried that but got this message:

iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
iptables v1.3.8: no command specified
Try `iptables -h' or 'iptables --help' for more information.



Quote:

Originally Posted by centosboy (Post 3594118)
Yes,
add -m connlimit --connlimit-above <number> somewhere in the iptables command.
Code:

iptables -m connlimit
other options are set in here.........

/etc/sysconfig/iptables-config

for redhat variants anyway


centosboy 07-02-2009 08:08 AM

Quote:

Originally Posted by mario.almeida (Post 3594149)
Hi,

I had tried that but got this message:

iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
iptables v1.3.8: no command specified
Try `iptables -h' or 'iptables --help' for more information.

OK... after a bit of googling, I found this:


Code:

Hi. The problem isn't yours alone. Despite the man page, there is no
support for the iptables connlimit match in CentOS 5 nor any previous
version.

The real issue is that, due to the way RH builds iptables(*), there
have been longstanding disparities(**) between the iptables userspace
tool and the kernel. For example, in Fedora 6/RHEL 5/CentOS 5, although
there is an iptables module in /lib/iptables/libipt_connlimit.so which
supports the connlimit match in iptables, there is no corresponding
netfilter module in /lib/modules/(version)/kernel/net/ipv4/netfilter/
to handle it in the kernel. Fedora 3/RHEL 4/CentOS 4 have the same
problem. Other disparities exist as well.

Anyway, since there is no stock kernel support for connlimit, the
iptables module included in these distros is rather useless to you.

The kernel module is not included in the centosplus kernel either, so
if you really must have connlimit working on CentOS 5 there are three
options:

1. Upgrade your kernel to a newer version.

The connlimit module finally went into mainline at kernel v2.6.23.
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23

IIRC, Fedora 7 doesn't support connlimit in the kernel either,
but Fedora 8 and 9 do.

2. Patch it and maintain your own build.

See http://www.netfilter.org/projects/patch-o-matic/pom-external.html#pom-external-connlimit

3. Find a pre-built module maintained elsewhere.

I only know of one repository for RHEL4:
http://ftp.pslib.cz/pub/users/Milan.Kerslager/RHEL-4/stable/


Please note that the CentOS team won't support non-stock kernels.


Sorry for the bad news and the long message with irrelevant details
(they're for the list archive and googlers).


So then I ssh'd to my Fedora 9 Xen virtual server, which runs on my CentOS domU.

Ran the iptables command:

Code:


iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

and now

Code:


[root@Fedora ~]# iptables -L INPUT -n -v | grep conn
    0    0 REJECT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:23 flags:0x17/0x02 #conn/32 > 2 reject-with icmp-port-unreach


I can see it works :)
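As an added example (not from the thread), a small POSIX shell helper that encodes the two lessons above: check that both the iptables match library and the kernel's netfilter module for connlimit actually exist before relying on the rule (the CentOS 5 case had the library but no kernel module), and always give iptables a chain command such as -A INPUT so it does not answer "no command specified". The function names, the directory arguments and the module/library names xt_connlimit, ipt_connlimit, libxt_connlimit.so and libipt_connlimit.so are assumptions (the thread itself only mentions /lib/iptables/libipt_connlimit.so).

```shell
#!/bin/sh
# Added example, not code from the thread. Directories are passed in as
# arguments so the checks can be exercised against constructed paths.
# Assumed names: kernel modules xt_connlimit / ipt_connlimit (.ko, possibly
# compressed) and match libraries libxt_connlimit.so / libipt_connlimit.so.

# connlimit_kernel_ok MODDIR: succeeds if a connlimit netfilter module exists under MODDIR
connlimit_kernel_ok() {
    find "$1" -type f \( -name 'xt_connlimit.ko*' -o -name 'ipt_connlimit.ko*' \) 2>/dev/null | grep -q .
}

# connlimit_userspace_ok LIBDIR: succeeds if the iptables match library exists under LIBDIR
connlimit_userspace_ok() {
    [ -e "$1/libxt_connlimit.so" ] || [ -e "$1/libipt_connlimit.so" ]
}

# connlimit_status MODDIR LIBDIR: prints ok, kernel-missing, userspace-missing or both-missing
connlimit_status() {
    k=1; u=1
    connlimit_kernel_ok "$1" && k=0
    connlimit_userspace_ok "$2" && u=0
    if [ $k -eq 0 ] && [ $u -eq 0 ]; then echo ok
    elif [ $u -eq 0 ]; then echo kernel-missing     # library present, no module: the CentOS 5 situation
    elif [ $k -eq 0 ]; then echo userspace-missing
    else echo both-missing; fi
}

# connlimit_rule PORT MAX: prints the rule, always with the chain command (-A INPUT)
# that was missing from the command that produced "no command specified".
connlimit_rule() {
    for v in "$1" "$2"; do
        case "$v" in ''|*[!0-9]*) echo "usage: connlimit_rule PORT MAX" >&2; return 1;; esac
    done
    echo "iptables -A INPUT -p tcp --syn --dport $1 -m connlimit --connlimit-above $2 -j REJECT"
}

# Real-host usage (root; the library directory varies by distro, e.g. /lib/iptables
# on the CentOS 5 in the thread, /lib/xtables or /usr/lib/*/xtables on newer systems):
#   connlimit_status "/lib/modules/$(uname -r)/kernel" /lib/xtables
#   sh -c "$(connlimit_rule 23 2)"
```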

