(resending to list)
On 10/10/06, Amos Shapira <[EMAIL PROTECTED]> wrote:
On 10/10/06, Sagi Bashari <[EMAIL PROTECTED]> wrote:
I'm looking for a way to prevent such an attack at a higher level, before it even reaches Apache. I found an iptables module named connlimit/iplimit that is supposed to do just that, but it seems the official kernels do not support it and there's a serious lack of information about it.

connlimit seems to be indeed just the thing for you. Why do you think that official kernels don't support it? I have it on my system as part of the Debian Etch standard iptables package.

What do you get when you try the examples in the manual page, for example?


I have iptables v1.2.11 on my Debian Sarge setup. It seems like it supports connlimit, but there's nothing in the manpage about it. I do get the connlimit options when running 'iptables -m connlimit -h'.

The problem is, when trying to add an actual iptables connlimit rule, I get an error:
[EMAIL PROTECTED]:~# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name
[EMAIL PROTECTED]:~#

From what I understood this is because the kernel itself lacks the connlimit module. According to the packages.debian.org file search, even -unstable kernels don't ship with this module.

I'd rather not install a custom kernel on production servers.

Sagi
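
The situation in this message, where userspace iptables knows the connlimit match but the kernel does not, is the case the following added example (not code from the thread or from the iptables project) guards against: it checks the kernel side before applying the rule quoted above. It assumes the kernel exports its known matches in /proc/net/ip_tables_matches and that the match module is named xt_connlimit or ipt_connlimit; both are assumptions, and kernels without that proc file are simply reported as unsupported.

```shell
#!/bin/sh
# Added example, not from the thread. `iptables -m connlimit -h` working only
# proves the userspace extension is installed; the error
# "No chain/target/match by that name" is the kernel saying it has no such
# match. So test the kernel before adding the rule.

# Return 0 if the running kernel exposes the connlimit match. The list is read
# from $1 (default: /proc/net/ip_tables_matches, an assumed netfilter export);
# the argument lets the check run against a constructed file for testing.
# A kernel that lacks the proc file is reported as unsupported (return 1).
connlimit_available() {
    matches_file="${1:-/proc/net/ip_tables_matches}"
    [ -r "$matches_file" ] || return 1
    grep -qx 'connlimit' "$matches_file"
}

# Try to load the match module. Module names are assumptions based on usual
# netfilter naming (xt_connlimit on newer kernels, ipt_connlimit on older
# ones); a kernel built without the option has neither, which is the case
# described in the thread. Needs root, so skip quietly otherwise.
try_load_connlimit() {
    [ "$(id -u)" -eq 0 ] || return 1
    modprobe xt_connlimit 2>/dev/null || modprobe ipt_connlimit 2>/dev/null
}

# Print (do not run) the rule from the thread for port $1 with a per-source
# connection ceiling of $2, so an operator can review it first.
build_connlimit_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s -m connlimit --connlimit-above %s -j REJECT --reject-with tcp-reset\n' "$1" "$2"
}

# Apply the rule only when the kernel can honour it; otherwise say why not,
# instead of the bare error message iptables gives.
install_connlimit_rule() {
    port="${1:-80}"; above="${2:-3}"
    if connlimit_available || { try_load_connlimit && connlimit_available; }; then
        echo "kernel supports connlimit; applying: $(build_connlimit_rule "$port" "$above")"
        iptables -A INPUT -p tcp --dport "$port" -m connlimit \
            --connlimit-above "$above" -j REJECT --reject-with tcp-reset
    else
        echo "kernel lacks the connlimit match; userspace support alone is not enough" >&2
        return 1
    fi
}
```

Run `install_connlimit_rule 80 3` as root to reproduce the rule from the message with the pre-check in front of it.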
