LinuxQuestions.org
Linux - Networking
Old 07-02-2009, 12:38 AM   #1
mario.almeida
Member
Registered: May 2008
Location: India
Distribution: Ubuntu 10.04, CentOS
connlimit with iptables


Hi All,

Can someone tell me how to enable the connlimit module for iptables?

//Remy
 
Old 07-02-2009, 06:22 AM   #2
centosboy
Senior Member
Registered: May 2009
Location: london
Distribution: centos5
Quote:
Originally Posted by mario.almeida
Hi All,

Can someone tell me how to enable the connlimit module for iptables?

//Remy
Yes. Add -m connlimit --connlimit-above <number> somewhere in the iptables command:
Code:
iptables -m connlimit
Other options are set in here:

/etc/sysconfig/iptables-config

For Red Hat variants, anyway.

 
Old 07-02-2009, 06:52 AM   #3
mario.almeida
Member
Registered: May 2008
Location: India
Distribution: Ubuntu 10.04, CentOS
Original Poster
Hi,

I had tried that, but I got this message:

Code:
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
iptables v1.3.8: no command specified
Try `iptables -h' or 'iptables --help' for more information.



Quote:
Originally Posted by centosboy
Yes. Add -m connlimit --connlimit-above <number> somewhere in the iptables command:
Code:
iptables -m connlimit
Other options are set in here:

/etc/sysconfig/iptables-config

For Red Hat variants, anyway.
 
Old 07-02-2009, 08:08 AM   #4
centosboy
Senior Member
Registered: May 2009
Location: london
Distribution: centos5
Quote:
Originally Posted by mario.almeida
Hi,

I had tried that, but I got this message:

Code:
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
iptables v1.3.8: no command specified
Try `iptables -h' or 'iptables --help' for more information.
OK... after a bit of googling, I found this:


Code:
Hi. The problem isn't yours alone. Despite the man page, there is no
support for the iptables connlimit match in CentOS 5 nor any previous
version.

The real issue is that, due to the way RH builds iptables(*), there
have been longstanding disparities(**) between the iptables userspace
tool and the kernel. For example, in Fedora 6/RHEL 5/CentOS 5, although
there is an iptables module in /lib/iptables/libipt_connlimit.so which
supports the connlimit match in iptables, there is no corresponding
netfilter module in /lib/modules/(version)/kernel/net/ipv4/netfilter/
to handle it in the kernel. Fedora 3/RHEL 4/CentOS 4 have the same
problem. Other disparities exist as well.

Anyway, since there is no stock kernel support for connlimit, the
iptables module included in these distros is rather useless to you.

The kernel module is not included in the centosplus kernel either, so
if you really must have connlimit working on CentOS 5 there are three
options:

1. Upgrade your kernel to a newer version.

The connlimit module finally went into mainline at kernel v2.6.23.
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23

IIRC, Fedora 7 doesn't support connlimit in the kernel either,
but Fedora 8 and 9 do.

2. Patch it and maintain your own build.

See http://www.netfilter.org/projects/patch-o-matic/pom-external.html#pom-external-connlimit

3. Find a pre-built module maintained elsewhere.

I only know of one repository for RHEL4:
http://ftp.pslib.cz/pub/users/Milan.Kerslager/RHEL-4/stable/


Please note that the CentOS team won't support non-stock kernels.


Sorry for the bad news and the long message with irrelevant details
(they're for the list archive and googlers).

So then I SSH'd to my Fedora 9 Xen virtual server, which runs on my CentOS domU.

Ran the iptables command

Code:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
and now:

Code:
[root@Fedora ~]# iptables -L INPUT -n -v | grep conn
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 flags:0x17/0x02 #conn/32 > 2 reject-with icmp-port-unreach

I can see it works.
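
Two things in this thread are worth pinning down for anyone who lands here with the same symptom. First, the "no command specified" error in post #3 is not about connlimit at all: that rule has no -A/-I/-D command, so iptables never got as far as loading the match; the working rule in post #4 is the same rule with -A INPUT in front. Second, the mailing-list quote describes a userspace/kernel mismatch that is worth checking for directly: libipt_connlimit.so can be installed while the kernel has no connlimit match, in which case appending the rule typically fails with "No chain/target/match by that name" rather than installing silently. The script below is an added example written for this page, not code from the thread or from the netfilter project. It assumes the kernel module is named xt_connlimit.ko (the name in mainline from the 2.6.23 merge the quote mentions) or ipt_connlimit.ko (the older patch-o-matic name), that modules live under /lib/modules/$(uname -r), and that --connlimit-mask and --reject-with tcp-reset are available, which they are on any kernel that has the match at all. The first line of the sample listing is the Fedora 9 output from post #4; the second line is constructed in the "#conn src/24" layout that later iptables releases print.

```shell
#!/bin/sh
# Added example (not from the thread): check whether this kernel can honour
# "-m connlimit", build a per-source connection limit for the telnet port used
# in the thread, and read the installed limit back out of "iptables -L -n -v".
# Assumed module names: xt_connlimit (mainline) and ipt_connlimit (patch-o-matic).

# has_connlimit_module [MODDIR]
# Returns 0 if a connlimit match module is built in or present as a .ko file
# under MODDIR (default /lib/modules/$(uname -r)), 1 otherwise. This is the
# check the quoted mailing-list post did by hand: the userspace
# libipt_connlimit.so does not prove the kernel side exists.
has_connlimit_module() {
    moddir=${1:-/lib/modules/$(uname -r)}
    grep -q connlimit "$moddir/modules.builtin" 2>/dev/null && return 0
    find "$moddir" -type f \( -name 'xt_connlimit.ko*' -o -name 'ipt_connlimit.ko*' \) 2>/dev/null \
        | grep -q .
}

# connlimit_rule PORT LIMIT [MASK]
# Prints the iptables arguments for a rule that rejects a new TCP connection to
# PORT once the client already holds more than LIMIT connections. Note the
# leading "-A INPUT": without a chain command iptables prints
# "no command specified", which is what happened in post #3.
# MASK 32 counts per source address; a smaller mask (e.g. 24) counts per
# subnet, which also catches a client rotating through addresses in one /24
# but penalises every host behind the same NAT.
connlimit_rule() {
    port=$1; limit=$2; mask=${3:-32}
    printf '%s\n' "-A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above $limit --connlimit-mask $mask -j REJECT --reject-with tcp-reset"
}

# connlimit_from_listing PORT  < listing
# Reads "iptables -L INPUT -n -v" output on stdin and prints "LIMIT/MASK" for
# the connlimit rule on PORT, or nothing if no such rule is installed. Handles
# both the old "#conn/32 > 2" layout shown in the thread and the newer
# "#conn src/32 > 2" layout.
connlimit_from_listing() {
    awk -v port="$1" '
        $0 ~ ("dpt:" port " ") && $0 ~ /#conn/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^#conn/) {
                    if ($i ~ "/") m = $i; else { i++; m = $i }   # old vs new layout
                    split(m, a, "/")
                    print $(i + 2) "/" a[2]
                    exit
                }
            }
        }'
}

# Sample listing: line 1 is the Fedora 9 output from the thread, line 2 is a
# constructed line in the newer layout for a second rule on port 22.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 flags:0x17/0x02 #conn/32 > 2 reject-with icmp-port-unreach
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x17/0x02 #conn src/24 > 3 reject-with tcp-reset
EOF
}

# Stand-alone demo: print the rule, parse the sample listing, and report
# whether the running kernel actually ships the match.
printf 'rule: iptables %s\n' "$(connlimit_rule 23 2)"
printf 'limit on port 23 from sample listing: %s\n' "$(sample_listing | connlimit_from_listing 23)"
if has_connlimit_module; then
    echo "connlimit kernel module found under /lib/modules/$(uname -r)"
else
    echo "no connlimit kernel module under /lib/modules/$(uname -r): the userspace match alone will not work"
fi
```

To install the rule for real, run `iptables $(connlimit_rule 23 2)` as root and confirm with `iptables -L INPUT -n -v | connlimit_from_listing 23`. Keep in mind what connlimit does and does not protect against: it counts conntrack entries per source (or per masked subnet), so it limits one noisy client but does nothing against many clients each opening a few connections, and with `--syn` it only refuses new handshakes, leaving connections already open untouched.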