Linux - Software forum, LinuxQuestions.org
hello to all those kind enough to check this post out,
I have just got linblock up and running but I have a few problems.
1) It takes a long time for linblock to add the rules -->after<-- they are downloaded and parsed, probably something in the area of about 45 minutes I think.
I am wondering if this is normal: system specs P3 667 oc'ed to 710 MHz, 256 megs of RAM, in an Asus p3v4x MoBo
2) It is hard to tell if all these rules are slowing down my machine but I thought that I would take the author's suggestion found here http://dessent.net/linblock/ and do
Code:
iptables -R INPUT 1 -m state --state NEW,RELATED -j antip2p
which seemed to help.
Unfortunately when the linblock script is rerun under a cronjob (45 minutes at 99% cpu load warrants a cronjob in my books for sure) it gives an error,
Error: Couldn't remove chain antip2p from INPUT chain. I have tried flushing the rules for this chain and deleting the chain with :
Code:
iptables -F antip2p
and then
Code:
iptables -X antip2p
but iptables returns: iptables too many links ?????
everything works fine if I don't run
Code:
iptables -R INPUT 1 -m state --state NEW,RELATED -j antip2p
Quote:
Originally posted by Matir
How many rules are being inserted by linblock?
answer:
There can be thousands of drop rules, one for each IP that is to be blocked. Linblock parses a file downloaded from bluetack (typically has thousands of entries I think) then enters these rules into iptables with perl. Is there a limitation to the number of rules????
Quote:
Originally posted by Matir
Also, the error is probably because the rule you specified links to the one to be deleted.
Hmmmm well I have cheated with iptables using the nice susefirewall2 wrapper so far, so my knowledge is limited, but if I understand you correctly then flushing the rules for that chain, which I did before deleting that chain, should fix the problem, shouldn't it?
Do you use linblock, Matir?
P.S. thanks for answering, I swear I could hear the crickets chirping at night when I asked this particular question
I do not use linblock, but I have just looked at the source of it.
If the linblock system actually adds an iptables rule for each IP, and it's thousands of rules, it could take a bit of time to insert. Keep in mind EVERY packet your system handles will need to be examined by each rule, until it reaches a 'terminating condition'... this can increase network latency.
Anyway, the other error is in the case that there are still rules pointing to the antip2p chain... not that there are rules in it.
I guess maybe it would be better to ask how I could fix this and the answer might be a good way of explaining. I have an ugly workaround in place for this problem right now.
Oh and the impact on the network can be reduced if you are running a stateful firewall and do
Code:
iptables -R INPUT 1 -m state --state NEW,RELATED -j antip2p
unfortunately I have not been able to issue this command in a cron job and I get this mail from cron :
From: rootatfatmansite (Cron Daemon)
To: rootatfatmansite
Subject: Cron <rootatfatman> iptables -R INPUT 1 -m state --state NEW,RELATED -j antip2p
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20050630051502.F22EC12B4F@fatman.site>
Date: Thu, 30 Jun 2005 00:15:02 -0500 (CDT)
/bin/sh: iptables: command not found
I am sure iptables is in root's path; do I have to call iptables like this, /somepath/iptables, because I cannot seem to find where it resides?
Clearly, the path during CRON is /usr/bin:/bin (marked in the email). iptables is usually /sbin/iptables. As root, run 'which iptables' to confirm this.
Quote:
Originally posted by Matir
Clearly, the path during CRON is /usr/bin:/bin (marked in the email). iptables is usually /sbin/iptables. As root, run 'which iptables' to confirm this.
uhmm yes I found iptables with locate iptables, not sure where you are going with the cron thing though, didn't ask where cron was. I think I was up too late the first time I was looking for iptables and missed it with my tired eyes; "which iptables" was a better option.
Still the question of how to correct the iptables too many links problem is open
Quote:
Originally posted by dasbooter
I guess maybe it would be better too ask how I could fix this and the answer might be a good way of explaining. I have an ugly work around in place for this problem right now.
You cannot have ANY rules which contain '-j CHAINTODELETE' when you are deleting a chain. You must delete the 'iptables -R INPUT 1 -m state --state NEW,RELATED -j antip2p' rule BEFORE deleting the antip2p chain.
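Putting Matir's two answers together (use the absolute path to iptables because cron's PATH is only /usr/bin:/bin, and delete every rule that jumps to antip2p before flushing and deleting the chain), here is an added POSIX sh example that is not code from this thread or from linblock. It resets the antip2p chain the way a cron job could before linblock repopulates it, and assumes iptables lives at /sbin/iptables (override with the IPTABLES variable) and that only the INPUT chain jumps to antip2p.

```shell
#!/bin/sh
# Added example, not from the thread or linblock: rebuild the antip2p chain safely.
# Assumptions: iptables at /sbin/iptables, and only INPUT has rules jumping to it.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # absolute path: cron's PATH lacks /sbin
CHAIN="antip2p"

# Delete every INPUT rule that jumps to $CHAIN. 'iptables -S INPUT' prints rules
# as '-A INPUT ...'; rewriting '-A' to '-D' gives the exact delete command for each.
remove_jumps_to_chain() {
    "$IPTABLES" -S INPUT | grep -- "-j $CHAIN\$" | sed 's/^-A /-D /' |
    while read -r rule; do
        # shellcheck disable=SC2086  (word-splitting the rule text is intended)
        "$IPTABLES" $rule
    done
}

# Order matters: remove the jump rules first, then flush, then delete (deleting
# while a '-j antip2p' rule still exists is what produces "too many links"),
# then recreate the empty chain and reinstall the jump so that only NEW/RELATED
# packets are checked against the thousands of DROP rules linblock will add.
reset_chain() {
    remove_jumps_to_chain
    if "$IPTABLES" -L "$CHAIN" -n >/dev/null 2>&1; then   # chain exists?
        "$IPTABLES" -F "$CHAIN"
        "$IPTABLES" -X "$CHAIN"
    fi
    "$IPTABLES" -N "$CHAIN"
    "$IPTABLES" -I INPUT 1 -m state --state NEW,RELATED -j "$CHAIN"
}
```

Run reset_chain from the cron job immediately before invoking linblock, so the chain is empty and unreferenced when the new DROP rules go in.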