Connlimit problem k2.6.18.2 , ipt1.3.7
Bc. Miroslav Kopecek
kopecek at email.cz
Tue Mar 13 10:35:41 CET 2007
Hi,
can nobody help with limiting the maximum number of connections per IP address?
Is there any "supported and official" way to do that?
Mirek
>-----Original Message-----
>From: netfilter-bounces at lists.netfilter.org
>[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of
>Bc. Miroslav Kopecek
>Sent: Monday, March 12, 2007 9:08 AM
>To: netfilter at lists.netfilter.org
>Subject: RE: Connlimit problem k2.6.18.2 , ipt1.3.7
>
>Hi,
> so is there any "safer" and "supported" way to limit the number of
>connections per IP address?
>
>>-----Original Message-----
>>From: netfilter-bounces at lists.netfilter.org
>>[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of
>>Jan Engelhardt
>>Sent: Monday, March 12, 2007 12:27 AM
>>To: Pascal Hambourg
>>Cc: netfilter at lists.netfilter.org
>>Subject: Re: Connlimit problem k2.6.18.2 , ipt1.3.7
>>
>>
>>On Mar 11 2007 18:14, Pascal Hambourg wrote:
>>>> I can't add connlimit rule? What's wrong? Any suggestion?
>>>>
>>>> -----------------------------------------
>>>> iptables -m connlimit -h
>>>> connlimit v1.3.7 options:
>>>> [!] --connlimit-above n match if the number of existing tcp
>>>> connections is (not) above n
>>>> --connlimit-mask n group hosts using mask
>>>>
>>>> -----------------------------------------
>>>> RouterBM:/home/kopecek# iptables -A FORWARD -p tcp -s 10.88.99.71 -m connlimit --connlimit-above 300 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
>>>> iptables: No chain/target/match by that name
>>>
>>> Your kernel probably does not support the connlimit match. The connlimit match
>>> is not part of the standard kernel. It used to be included as a kernel patch in
>>> the patch-o-matic-ng, but has been removed from the daily snapshots since
>>> 2006/07/26.
>>
>>connlimit is still there (not in pomng though), it's out-of-out-of-tree,
>>so to say. You have to patch pomng, and then patch the kernel *whirl* ...
>>
>>
>>Jan
>>--
>
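
Added example, not part of the original thread: in the quoted session `iptables -m connlimit -h` prints the option help, which only needs the userspace extension library, while adding the rule fails with "No chain/target/match by that name", which is what a missing kernel-side match looks like. The script below checks the two sides separately; the function names, the `libipt_`/`libxt_` and `ipt_`/`xt_` file-name patterns, and the library directories are assumptions.

```shell
#!/bin/sh
# Added diagnostic sketch; paths are parameters so it can run on constructed trees.

# userspace_has_match NAME LIB_DIR...
# True if an iptables extension library for NAME exists in any LIB_DIR.
# Library file names (libipt_/libxt_ prefix) are assumptions.
userspace_has_match() {
    name=$1; shift
    for dir in "$@"; do
        for lib in "$dir/libipt_$name.so" "$dir/libxt_$name.so"; do
            [ -e "$lib" ] && return 0
        done
    done
    return 1
}

# kernel_has_match NAME PROC_FILE MODULE_DIR
# 0: match registered in the running kernel; 1: module on disk, not loaded;
# 2: no kernel support found. Module names (ipt_/xt_ prefix) are assumptions.
kernel_has_match() {
    name=$1; proc_file=$2; mod_dir=$3
    # /proc/net/ip_tables_matches lists one registered match name per line.
    if [ -r "$proc_file" ] && grep -qxF "$name" "$proc_file"; then
        return 0
    fi
    if [ -d "$mod_dir" ] && find "$mod_dir" -type f \
        \( -name "ipt_$name.ko*" -o -name "xt_$name.ko*" \) | grep -q .; then
        return 1
    fi
    return 2
}

# diagnose_match NAME PROC_FILE MODULE_DIR LIB_DIR...
# Prints one of: userspace-missing, ready, module-not-loaded, kernel-missing.
diagnose_match() {
    name=$1; proc_file=$2; mod_dir=$3; shift 3
    userspace_has_match "$name" "$@" || { echo userspace-missing; return 0; }
    ks=0; kernel_has_match "$name" "$proc_file" "$mod_dir" || ks=$?
    case $ks in
        0) echo ready ;;
        1) echo module-not-loaded ;;
        *) echo kernel-missing ;;   # the situation suspected in the thread
    esac
}

# Run against the live system only when asked: sh script.sh --run connlimit
if [ "${1:-}" = "--run" ]; then
    diagnose_match "${2:-connlimit}" /proc/net/ip_tables_matches \
        "/lib/modules/$(uname -r)" /lib/iptables /usr/lib/iptables
fi
```

A `module-not-loaded` result means the match can usually be made available by loading the module; `kernel-missing` means the kernel has to be patched or rebuilt before any connlimit rule can be added.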