[Bug 610] New: conntrack doesn't work

bugzilla-daemon at bugzilla.netfilter.org
Thu Sep 24 09:21:52 CEST 2009


http://bugzilla.netfilter.org/show_bug.cgi?id=610

           Summary: conntrack doesn't work
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: unknown
        AssignedTo: laforge at netfilter.org
        ReportedBy: urykhy at gmail.com


I need to limit the number of simultaneous connections to httpd:

on server:
iptables -A INPUT -p tcp -m connlimit --connlimit-above 5 --dport 80 -j DROP
(there is only one rule in the firewall)

on the client I run slowloris...

on the server under attack
netstat -nta | grep :80 | grep ESTABLISHED | wc -l
180

as I understand from 'iptables -L -n -v', my rule never hits,

existing behavior:
on the server under attack there are a lot of simultaneous connections from a single IP.

expected behavior:
the server should have only 5 connections

Did I miss something?

ps:

Debian Linux 2.6.30-2, iptables 1.4.4-2
slowloris - http://ha.ckers.org/slowloris/
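The report pairs two observations: many ESTABLISHED connections to port 80 from one source, and a connlimit rule whose packet counter never moves. The following script, added here as an example and not part of the bug report or of netfilter, turns those two observations into a repeatable check. It reads `netstat -nta` output and reports sources holding more than the configured limit of ESTABLISHED connections to a port, reads `iptables -L -n -v` output and extracts the packet counter of the connlimit rule, and flags the combination seen in the report (offenders present, counter still zero). The sample `netstat` and `iptables` outputs embedded below are constructed; on a live host the real command output would be piped in instead.

```shell
#!/bin/sh
# Added example, not from the bug report: checks whether a connlimit rule is
# actually being enforced.  The SAMPLE_* inputs are constructed stand-ins for
# `netstat -nta` and `iptables -L -n -v` output so the script runs offline.

# Print "SOURCE COUNT" for every remote address holding more than LIMIT
# ESTABLISHED connections to local port PORT (netstat -nta format on stdin).
sources_over_limit() {
    limit="$1"
    port="${2:-80}"
    awk -v limit="$limit" -v port="$port" '
        $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
            src = $5
            sub(/:[0-9]+$/, "", src)   # strip the remote port (works for IPv4 and IPv6)
            count[src]++
        }
        END {
            for (src in count)
                if (count[src] > limit)
                    print src, count[src]
        }' | sort
}

# Print the packet counter of the first connlimit rule in `iptables -L -n -v`
# output (stdin); connlimit rules are rendered as "#conn src/32 > N".
connlimit_rule_pkts() {
    awk '/#conn/ { print $1; exit }'
}

# Return 0 when the rule appears to work, 1 when sources exceed LIMIT while
# the rule's packet counter is still zero (the symptom described in the report).
connlimit_effective() {
    limit="$1"; netstat_out="$2"; iptables_out="$3"
    over=$(printf '%s\n' "$netstat_out" | sources_over_limit "$limit")
    pkts=$(printf '%s\n' "$iptables_out" | connlimit_rule_pkts)
    if [ -n "$over" ] && [ "${pkts:-0}" -eq 0 ]; then
        printf 'connlimit %s not enforced; offenders:\n%s\n' "$limit" "$over" >&2
        return 1
    fi
    return 0
}

# Constructed sample: one remote host (198.51.100.7) holds 8 connections to :80,
# plus unrelated :22 traffic and one well-behaved :80 client.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40004      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40005      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40006      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40007      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40008      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40100      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:33000       ESTABLISHED'

# Constructed sample: the connlimit DROP rule from the report with a zero counter.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 #conn src/32 > 5'

# Stand-alone usage: with the sample data the check fails, as in the report.
connlimit_effective 5 "$SAMPLE_NETSTAT" "$SAMPLE_IPTABLES" \
    || echo "check failed (expected with the constructed sample data)"
```

On a real host the same functions are fed live output, e.g. `netstat -nta | sources_over_limit 5 80` and `iptables -L -n -v | connlimit_rule_pkts`; running both a few seconds apart during load gives a direct answer to the report's question of whether the rule ever matches while the per-source count is already above the limit.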

