RE: Connlimit problem k2.6.18.2 , ipt1.3.7

To: <netfilter@lists.netfilter.org>
Subject: RE: Connlimit problem k2.6.18.2 , ipt1.3.7
From: "Bc. Miroslav Kopecek" <kopecek@email.cz>
Date: Tue, 13 Mar 2007 10:35:41 +0100

Hi,
   can nobody help with limiting the maximum number of connections per IP address?
Is there any "supported and official" way to do that?

Mirek



>-----Original Message-----
>From: netfilter-bounces@lists.netfilter.org 
>[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of 
>Bc. Miroslav Kopecek
>Sent: Monday, March 12, 2007 9:08 AM
>To: netfilter@lists.netfilter.org
>Subject: RE: Connlimit problem k2.6.18.2 , ipt1.3.7
>
>Hi,
>  so is there any "safer" and "supported" way to limit the number of
>connections per IP address?
>
>
>
>
>>-----Original Message-----
>>From: netfilter-bounces@lists.netfilter.org 
>>[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of 
>>Jan Engelhardt
>>Sent: Monday, March 12, 2007 12:27 AM
>>To: Pascal Hambourg
>>Cc: netfilter@lists.netfilter.org
>>Subject: Re: Connlimit problem k2.6.18.2 , ipt1.3.7
>>
>>
>>On Mar 11 2007 18:14, Pascal Hambourg wrote:
>>>> I can't add connlimit rule? What's wrong? Any suggestion?
>>>> 
>>>> -----------------------------------------
>>>> iptables -m connlimit -h
>>>> connlimit v1.3.7 options:
>>>> [!] --connlimit-above n         match if the number of existing tcp connections is (not) above n
>>>> --connlimit-mask n             group hosts using mask
>>>> 
>>>> -----------------------------------------
>>>> RouterBM:/home/kopecek# iptables -A FORWARD -p tcp -s 10.88.99.71 -m connlimit --connlimit-above 300 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
>>>> iptables: No chain/target/match by that name
>>>
>>> Your kernel probably does not support the connlimit match. The connlimit
>>> match is not part of the standard kernel. It used to be included as a
>>> kernel patch in the patch-o-matic-ng, but has been removed from the daily
>>> snapshots since 2006/07/26.
>>
>>connlimit is still there (not in pomng though), it's out-of-out-of-tree,
>>so to say. You have to patch pomng, and then patch the kernel *whirl* ...
>>
>>
>>Jan

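Added example, not part of the thread: a shell check that tells apart the three situations behind "No chain/target/match by that name" (match already registered with the kernel, module present but not loaded, match not built at all). It assumes that `/proc/net/ip_tables_matches` lists registered IPv4 matches one per line and that match modules are named `ipt_<name>.ko` or `xt_<name>.ko`; the function name `match_status` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an iptables match
# extension is usable by the running kernel.
# Assumptions: /proc/net/ip_tables_matches lists registered IPv4 matches,
# one name per line; match modules are named ipt_<name>.ko or xt_<name>.ko.

# match_status NAME [MATCHES_FILE] [MODULE_DIR]
# Prints "loaded", "module" or "missing"; returns non-zero for "missing".
match_status() {
    name=$1
    matches_file=${2:-/proc/net/ip_tables_matches}
    module_dir=${3:-/lib/modules/$(uname -r)}

    # Already registered with the kernel: rules using -m NAME will be accepted.
    if [ -r "$matches_file" ] && grep -qxF -- "$name" "$matches_file"; then
        echo loaded
        return 0
    fi

    # Not registered, but a module file exists that modprobe could load.
    if [ -d "$module_dir" ] && \
       find "$module_dir" \( -name "ipt_$name.ko*" -o -name "xt_$name.ko*" \) \
            -print 2>/dev/null | grep -q .; then
        echo module
        return 0
    fi

    # Neither: the userspace help text (iptables -m NAME -h) still works,
    # but adding a rule fails because the kernel side of the match is absent.
    echo missing
    return 1
}
```

Running `match_status connlimit` on the router before adding the rule shows whether the kernel side of the match exists; the `iptables -m connlimit -h` output only proves that the userspace extension is installed.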