LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 12-24-2013, 05:18 AM   #1
no_root_no_cry
iptables limit per IP per minute - "No chain/target/match by that name"


I'm trying to limit connections per IP address to N per minute (or second), but I have problems with iptables (as always).
Here are my adventures:
Code:
uname -a
	Linux … 2.6.32-042stab076.8 #1 SMP Tue May 14 … 2013 i686 GNU/Linux

lsb_release -a
	…
	Description:	Debian GNU/Linux 6.0.8 (squeeze)
	Release:	6.0.8

iptables --version
	iptables v1.4.8

iptables -S
	-P INPUT ACCEPT
	-P FORWARD ACCEPT
	-P OUTPUT ACCEPT

# /sbin/iptables -v -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
	tcp opt -- in eth0 out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 state NEW recent: SET name: DEFAULT side: source
	iptables: No chain/target/match by that name.

# /sbin/iptables -v -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
	tcp opt -- in eth0 out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 state NEW recent: SET name: DEFAULT side: source
	iptables: No chain/target/match by that name.

# /sbin/iptables -v -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
	REJECT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 flags:0x17/0x02 #conn/32 > 5 reject-with tcp-reset
	iptables: No chain/target/match by that name.

# /sbin/iptables -v -I INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
	ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 state NEW limit: avg 5/min burst 10

# iptables -S
	-P INPUT ACCEPT
	-P FORWARD ACCEPT
	-P OUTPUT ACCEPT
	-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m limit --limit 5/min --limit-burst 10 -j ACCEPT

perl test.pl
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK
	HTTP/1.1 200 OK

# /sbin/iptables -v -A INPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
	REJECT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 reject-with tcp-reset

# iptables -S
	-P INPUT ACCEPT
	-P FORWARD ACCEPT
	-P OUTPUT ACCEPT
	-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m limit --limit 5/min --limit-burst 10 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset

perl test.pl
	Connection refused at test.pl line 22.

# iptables -v -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit 45/sec --hashlimit-burst 60 --hashlimit-mode srcip --hashlimit-name DDOS --hashlimit-htable-size 32768 --hashlimit-htable-max 32768 --hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 100000 -j ACCEPT
	FATAL: Could not load /lib/modules/2.6.32-042stab076.8/modules.dep: No such file or directory
	FATAL: Could not load /lib/modules/2.6.32-042stab076.8/modules.dep: No such file or directory
	ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80 limit: up to 45/sec burst 60 mode srcip htable-size 32768 htable-max 32768 htable-expire 100000
	iptables: No chain/target/match by that name.
Can anyone help?
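Every failing rule in the post uses a match (recent, connlimit, hashlimit) whose kernel module cannot be loaded on that system, while the limit and state matches that are already in the kernel work. The following script is an added example, not code from the thread: it checks a match name against the kernel's /proc/net/ip_tables_matches list before a rule is built, and prints (as a dry run, nothing is applied) the recent-based rule pair that limits new connections per source address; the "http$port" list name and the constructed sample list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the standard
# /proc/net/ip_tables_matches file, one match name per line, which the
# kernel exposes once ip_tables is loaded.

# match_available NAME [LISTFILE]
# 0 = NAME is available, 1 = not listed, 2 = list unreadable (no ip_tables).
match_available() {
    name="$1"
    list="${2:-/proc/net/ip_tables_matches}"
    [ -r "$list" ] || return 2
    grep -qx "$name" "$list"
}

# per_ip_rules PORT HITS SECONDS
# Prints the two rules that track NEW connections to PORT per source IP in
# a "recent" list and reject a source once it reaches HITS new connections
# within SECONDS. The recent match counts the current packet, so the
# HITS-th connection in the window is the first one rejected.
per_ip_rules() {
    port="$1"; hits="$2"; secs="$3"
    printf '%s\n' \
      "iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --name http$port --set" \
      "iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --name http$port --update --seconds $secs --hitcount $hits -j REJECT --reject-with tcp-reset"
}

# Constructed sample list mirroring the thread's kernel: limit and state
# present, recent/connlimit/hashlimit absent.
SAMPLE_LIST=$(mktemp)
printf 'conntrack\nlimit\nstate\ntcp\nudp\n' > "$SAMPLE_LIST"

for m in recent connlimit hashlimit limit; do
    if match_available "$m" "$SAMPLE_LIST"; then
        echo "match '$m' available"
    else
        echo "match '$m' missing: expect 'No chain/target/match by that name'"
    fi
done
rm -f "$SAMPLE_LIST"

# Only print the rules when the match exists (dry run, nothing is applied).
match_available recent && per_ip_rules 80 5 60
```

Note that the limit rule in the post accepted 21 connections because INPUT's policy is ACCEPT, so packets the rule does not match fall through; only the REJECT rule added afterwards made the limit bite, and limit counts all sources together rather than per IP.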
 
Old 12-25-2013, 12:39 AM   #2
sag47
http://www.linuxquestions.org/questi...1/#post4512449

I covered it in one of my blog posts.

 
Old 12-25-2013, 12:43 PM   #3
no_root_no_cry
Thank you for your reply!
Perhaps your blog post is very helpful but it doesn't solve my problem.
Here is the result of executing the commands:

Code:
# iptables -A INPUT -i eth0 -p tcp --dport 5060 -m state --state NEW -m recent --set
iptables: No chain/target/match by that name.
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables: No chain/target/match by that name.

 
Old 12-25-2013, 04:06 PM   #4
sag47
You haven't given very much information. What chains are available?

Code:
iptables -nL
Have you read the iptables man page of the system you're using to ensure the options you're passing are valid? What is the system (OS/version)? Have you read your OS documentation on configuring iptables? Many distros post distro-specific documentation to assist their users.
 
  

