Log from #iptables at freenode 2006-05-19
[01:50]<sfun>Hi!
[01:50]<sfun>I am wondering if I can limit the connections on a router per client
[01:51]<sfun>There are quite enough clients to add a rule one-by-one for each of them
[01:55]<rjzrrg>sque, you "might" get something like that with the state module by classifying established or related packets
[01:55]<zj20>-m connlimit
[01:58]<sfun>yes I know connlimit
[01:59]<sfun>but let's say that you have 50 PCs at 192.168.0.0/24 and you want the router to reject all tcp connections above 500 PER CLIENT!
[01:59]<sfun>for 1 client I would do: iptables -A FORWARD -p tcp -m connlimit --connlimit-above 500 -j REJECT --reject-with tcp-reset
[02:00]<sfun>hmm wrong
[02:00]<sfun>iptables -A FORWARD -p tcp -s 192.168.0.1 -m connlimit --connlimit-above 500 -j REJECT --reject-with tcp-reset
[02:00]<sfun>let's say that we are limiting client 192.168.0.1
[02:01]<sfun>but how can I do it for many clients? can I? or should I make a script producing one rule for each client?
[02:03]<rjzrrg>sque: that's why I would inspect the state module, as different IPs' traffic can't be related to each other
[02:04]<zj20>--connlimit-mask (this is in the man page.)
[02:13]<zj20>sque: oh, per client, just leave OFF the --connlimit-mask and use the netmask in the -s argument.
[02:15]<sfun>rob0, this? iptables -A FORWARD -p tcp -s 192.168.0.0/24 -m connlimit --connlimit-above 500 -j REJECT --reject-with tcp-reset
[02:15]<sfun>just put subnet at source ip?
[02:21]<zj20>Looks right to me.
[02:21]<zj20>maybe --connlimit-mask 32
[02:28]<sfun>damn
[02:28]<sfun>what am I doing wrong?
[02:28]<sfun>Connection failed. Error: No route to host
[02:28]<sfun>* Disconnected ().
[02:28]<sfun>* Looking up nana.irc.gr
[02:28]<sfun>* Connecting to nana.irc.gr (194.219.155.226) port 6667...
[02:28]<sfun>* Connection failed. Error: No route to host
[02:28]<sfun>sorry, wrong paste
[02:28]<sfun>router ~ # iptables -m connlimit --connlimit-above 500 --connlimit-mask 32 -A FORWARD -s 192.168.0.0/24 -j DROP
[02:28]<sfun>iptables: No chain/target/match by that name
[02:30]<zj20>is it mentioned in your man page? We just went through this with someone else, I think Debian Sarge, and it wasn't supported. "iptables -V"; not sure when connlimit was added, but I think he had 1.2.10 (and no connlimit.)
[02:31]<zj20>It could also be that you don't have kernel support, "modprobe -v ipt_connlimit".
[02:32]<sfun>hmm, I think I forgot to reboot the pc after the kernel recompilation :p
[02:33]<sfun>brb
[02:43]<sfun>rob0, what do I need in the kernel for connlimit?
[02:43]<sfun>this? CONFIG_NETFILTER_XT_MATCH_LIMIT:
[02:45]<mrrynfmr>ah, you're using a recent 2.6 kernel
[02:46]<mrrynfmr>no, it would have CONNLIMIT, and I think it's still the same name
[02:47]<sfun>CONNLIMIT is not part of the kernel yet?
[02:47]<mrrynfmr>it's still in POM
[02:47]<sfun>i see
[02:48]<sfun>damn, never used pom before
[02:48]<sfun>:S
[02:48]<sfun>I am scared :p
[02:49]<mrrynfmr>connlimit is in base, which means it's fairly well tested
[02:50]<sfun>I am not scared about connlimit, but about myself putting that thing in the system :p
[02:53]<mrrynfmr>it's fairly hard to mess up, you just need kernel sources and iptables sources, and run "runme base"
[02:57]<sfun>I have kernel sources, I have custom compiled kernel
[02:57]<sfun>so I only need the iptables sources? and the pom ?
[02:58]<mrrynfmr>yes
[03:03]<sfun>danieldg, my iptables is ready for connlimit
[03:03]<sfun>does it need to be patched too? or can I omit that
[03:03]<sfun>connlimit v1.3.4 options:
[03:03]<sfun>[!] --connlimit-above n match if the number of existing tcp connections is (not) above n
[03:03]<sfun> --connlimit-mask n group hosts using mask
[03:03]<mrrynfmr>no, it doesn't need to be patched, but the sources must be present
[03:04]<sfun>damn
[03:04]<mrrynfmr>why? just download and unpack
[03:05]<sfun>I am afraid for version mess
[03:06]<sfun>ok, I copied the tar from the distfiles directory :p
[03:08]<sfun>danieldg, help help
[03:09]<sfun>I ran ./runme base
[03:09]<sfun>and when it prompted for connlimit I pressed Y
[03:09]<sfun>and:
[03:09]<sfun>Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
[03:09]<sfun>unable to find ladd slot in src /tmp/pom-7291/net/ipv4/netfilter/Makefile (./patchlets/connlimit/linux-2.6.11/./net/ipv4/netfilter/Makefile.ladd)
[03:09]<sfun>-----------------------------------------------------------------
[03:09]<sfun>Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
[03:09]<mrrynfmr>oh. The kernel shifted stuff around
[03:09]<sfun>what should I do now? :S
[03:10]<sfun>I don't have 2.6.11
[03:10]<mrrynfmr>just a sec
[03:10]<sfun>I have 2.6.16
[03:11]<sfun>(it's not vanilla source, it's the gentoo-sources)
[03:11]<mrrynfmr>it's broken on any kernel which has xtables
[03:11]<mrrynfmr>edit pom/patchlets/connlimit/linux-2.6.11/net/ipv4/netfilter/Makefile.ladd
[03:12]<mrrynfmr>change "obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o" to "obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o"
[03:12]<drwygn>danieldg: that doesn't look right
[03:12]<mrrynfmr>maxine: xtables
[03:12]<drwygn>xtables is in 2.6.16, a merging of modules between IPv4 and IPv6 version of iptables. It is *not* auto-selected by make oldconfig, you need to go select it manually. It should be transparent except for badly written scripts that insist on modprobing modules manually, or bugs in module autoloading
[03:13]<sfun>so?
[03:13]<drwygn>hmmm... so is a needle pulling thread
[03:13]<sfun>what should I do?
[03:13]<mrrynfmr>change the first line in that thread
[03:13]<drwygn>danieldg: that doesn't look right
[03:13]<mrrynfmr>maxine: shut up
[03:13]<drwygn>danieldg: sorry...
[03:13]<mrrynfmr>change the first line in that file
[03:13]<drwygn>danieldg: that doesn't look right
[03:14]<sfun>I am ready to answer any question about my setup and usage in case it is useful
[03:15]<mrrynfmr>it should work after you change that file
[03:15]<sfun>compile != work