iptables Unknown error 18446744073709551615

dmapache · 04-11-2010, 02:44 PM

Hello, I don´t speak English very well..

I have problems with iptables :

[root@server7 ~]# iptables -I INPUT -p tcp --syn -m recent --set
[root@server7 ~]# iptables -I INPUT -p tcp --syn -m recent --update --seconds 10 --hitcount 30 -j DROP
iptables: Unknown error 18446744073709551615
[root@server7 ~]#

I need stopping a SYN ddos attack... but iptable rule don't work...

Thanks for you answers

troop · 04-11-2010, 03:36 PM

Post here output of

Code:

lsmod | grep ipt

nimnull22 · 04-11-2010, 03:50 PM

Yes, you probably do not have "recent" extension.
I do not have it either. Look like normal iptables doesn't have it.

EDIT.
I have it, module is called ipt_recent.

Do in root console:
modinfo ipt_recent

you should get description.
Also you can check in:
/lib/modules/<your-kernel-pae/kernel/net/ipv4/netfilter/ipt_recent.ko

dmapache · 04-11-2010, 04:04 PM

Quote:

Originally Posted by troop

Post here output of

Code:

lsmod | grep ipt

ipt_recent 42969 0
iptable_filter 36161 0
ip_tables 55201 1 iptable_filter
x_tables 50505 4 ipt_recent,xt_state,xt_tcpudp,ip_tables

nimnull22 · 04-11-2010, 04:20 PM

I think you should write rule like:
iptables -I INPUT -p tcp --tcp-flags SYN SYN -m recent --set
and second one as well.

Edit, but may be it is not correct. Actually "--syn" should works also.
You can try to use -A = add, but your rule wont be first in INPUT chain.

Or you can try to write like:
--tcp-flags ALL SYN
--tcp-flags SYN,RST,ACK,FIN SYN

It may be more correct, because you need to filter only "syn" without anything else.

dmapache · 04-12-2010, 01:54 AM

Quote:

Originally Posted by nimnull22

I think you should write rule like:
iptables -I INPUT -p tcp --tcp-flags SYN SYN -m recent --set
and second one as well.

Edit, but may be it is not correct. Actually "--syn" should works also.
You can try to use -A = add, but your rule wont be first in INPUT chain.

Or you can try to write like:
--tcp-flags ALL SYN
--tcp-flags SYN,RST,ACK,FIN SYN

It may be more correct, because you need to filter only "syn" without anything else.

T_T

Code:

[root@server7 ~]# iptables -I INPUT -p tcp --tcp-flags ALL SYN -m recent --update --seconds 10 --hitcount 30 -j DROP
iptables: Unknown error 18446744073709551615
[root@server7 ~]# iptables -A INPUT -p tcp --tcp-flags ALL SYN -m recent --update --seconds 10 --hitcount 30 -j DROP
iptables: Unknown error 18446744073709551615

dmapache · 04-12-2010, 02:21 AM

I was reading about iptables and Recent and this module would remain as to whether this right?

Code:

iptables -N SYNSCAN
iptables -A INPUT -p tcp --tcp-flags ALL SYN -j SYNSCAN
iptables -A SYNSCAN -m recent --set --name SYNFLOOD
iptables -A SYNSCAN -m recent --update --seconds 10 --hitcount 20 --name SYNFLOOD -j DROP

nimnull22 · 04-12-2010, 11:54 AM

It will do the same thing.

Do you have error?

aswen · 09-22-2010, 08:36 AM

hey, found the problem:
the amount of seconds and count is not correct. (try --seconds 60 --hitcount 4 and it will work)
yet, that might not do what you want.... (you want 20 per 10 seconds) so we have to find the limits of this module...

have to find correct docu, will post when I found it

the "official" docu mentioned in de iptables man (8) page at http://snowman.net/projects/ipt_recent/ does not tell me anything about the min and max values... (site not updated since 2007...)

sent mail to Sfrost. will notify you opun response

csampath · 05-17-2012, 04:47 AM

I am using iptables v1.3.5, there Maximum 20 connections per minute is allowed.

jschiwal · 05-18-2012, 03:15 AM

It is doubtful the participants of this thread will read your addition to a two year old post. Please check the date before responding.

csampath · 05-18-2012, 04:32 AM

My post was not for 2 years old participants. It is for the new participants who search for the error will get to know the information.

aswen · 05-18-2012, 02:33 PM

Hi, My last post to this topic was a while ago. however, I received an email indicating that one has responded. for me this was interesting. so, thanks csampath!

I've got one more question: did you find any docu describing the min/max values for ipt_recent?

best regards,
Alex